Mandriva Linux Security Advisory : icedtea-web (MDVSA-2012:122)
High Nessus Plugin ID 61972
Synopsis
The remote Mandriva Linux host is missing one or more security updates.
Description
Multiple vulnerabilities have been discovered and corrected in icedtea-web:
An uninitialized pointer use flaw was found in the IcedTea-Web web browser plugin. A malicious web page could use this flaw to make the IcedTea-Web browser plugin pass an invalid pointer to a web browser. Depending on the browser used, it may cause the browser to crash or possibly execute arbitrary code (CVE-2012-3422).
It was discovered that the IcedTea-Web web browser plugin incorrectly assumed that all strings provided by the browser are NUL terminated, which is not guaranteed by the NPAPI (Netscape Plugin Application Programming Interface). When used in a browser that does not NUL terminate NPVariant NPStrings, this could lead to a buffer over-read or over-write, resulting in a possible information leak, crash, or code execution (CVE-2012-3423).
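The NUL-termination assumption behind CVE-2012-3423, shown as an added example that is not IcedTea-Web's code or its actual fix. DemoNPString is a local stand-in assumed to mirror NPAPI's pointer-plus-length NPString, and the demo_* functions and sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for NPAPI's NPString (assumption: same pointer + length
 * layout); defined here so the example builds without browser headers. */
typedef struct {
    const char *UTF8Characters;
    uint32_t    UTF8Length;
} DemoNPString;

/* The flawed assumption: treat the characters as a C string and scan for
 * a NUL, ignoring UTF8Length. Reads whatever bytes follow the string. */
size_t demo_assumed_length(const DemoNPString *s)
{
    return strlen(s->UTF8Characters);
}

/* Length-respecting copy: read exactly UTF8Length bytes and add the
 * terminator ourselves. Returns NULL on bad input; caller frees. */
char *demo_npstring_to_cstr(const DemoNPString *s)
{
    if (s == NULL || (s->UTF8Characters == NULL && s->UTF8Length != 0))
        return NULL;
    size_t len = s->UTF8Length;
    if (len == SIZE_MAX)              /* len + 1 would wrap on 32-bit size_t */
        return NULL;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    if (len != 0)
        memcpy(out, s->UTF8Characters, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a 4-byte counted string with unrelated bytes
     * directly after it. The array's own NUL keeps strlen well-defined. */
    static const char backing[] = "hostSECRET";
    DemoNPString s = { backing, 4 };
    char *safe = demo_npstring_to_cstr(&s);
    printf("declared=%u assumed=%zu safe=\"%s\"\n",
           (unsigned)s.UTF8Length, demo_assumed_length(&s), safe ? safe : "");
    free(safe);
    return 0;
}
```

The gap between the declared and assumed lengths is the over-read; in a real browser the trailing bytes are whatever happens to follow the string in memory, with no guarantee that a NUL appears at all.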
The updated packages have been upgraded to version 1.1.6, which is not affected by these issues.
Solution
Update the affected icedtea-web and / or icedtea-web-javadoc packages.