CVE-2014-8873

Name	CVE-2014-8873
Description	A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 includes a MIME type registration that is added to /etc/mailcap by mime-support, which allows remote attackers to execute arbitrary code via a JAR file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-3235-1, DSA-3316-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openjdk-8 (PTS)	sid	8u432-b06-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
openjdk-6	source	squeeze	(not affected)
openjdk-6	source	wheezy	(not affected)
openjdk-6	source	(unstable)	(unfixed)	high
openjdk-7	source	squeeze	(not affected)
openjdk-7	source	wheezy	7u79-2.5.6-1~deb7u1		DSA-3316-1
openjdk-7	source	jessie	7u79-2.5.6-1~deb8u1		DSA-3316-1
openjdk-7	source	(unstable)	7u79-2.5.5-1	high
openjdk-8	source	(unstable)	8u45-b14-1	high

Notes

[wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on wheezy)
[squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)
[wheezy] - openjdk-6 <not-affected> (MIME type setting is harmless on wheezy)
[squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on squeeze)
Starting with mime-support 3.53, MimeType entries in desktop
files end up in /etc/mailcap, which introduces the user-initiated
code execution.