Package : icedtea-web
Date : August 2, 2012
Affected: 2011., Enterprise Server 5.0
Multiple vulnerabilities has been discovered and corrected in
An uninitialized pointer use flaw was found in IcedTea-Web web
browser plugin. A malicious web page could use this flaw make
IcedTea-Web browser plugin pass invalid pointer to a web browser.
Depending on the browser used, it may cause the browser to crash or
possibly execute arbitrary code (CVE-2012-3422).
It was discovered that the IcedTea-Web web browser plugin incorrectly
assumed that all strings provided by browser are NUL terminated,
which is not guaranteed by the NPAPI (Netscape Plugin Application
Programming Interface). When used in a browser that does not NUL
terminate NPVariant NPStrings, this could lead to buffer over-read
or over-write, resulting in possible information leak, crash, or code
The updated packages have been upgraded to the 1.1.6 version which
is not affected by these issues.