CVE-2008-5352
Description
Integer overflow in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted applications and applets to gain privileges via a Pack200 compressed JAR file that triggers a heap-based buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in unpack200 in Sun JDK/JRE 6u10 and earlier, and 5.0u16 and earlier, allows untrusted applets to gain privileges via a crafted Pack200 JAR file.
Vulnerability
An integer overflow exists in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll) of the Java Runtime Environment (JRE), affecting Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier. A specially crafted Pack200 compressed JAR file triggers a heap-based buffer overflow during unpacking.
Exploitation
An attacker can deliver a malicious Pack200 compressed JAR file to an untrusted application or applet. No authentication is required: the file is processed by an applet running in the browser or by an untrusted application, and the overflow occurs while the archive is being unpacked.
Impact
Successful exploitation allows an untrusted application or applet to gain privileges, potentially leading to arbitrary code execution with the privileges of the user running the JRE.
Mitigation
Sun released updates to fix this issue. Red Hat provided updated packages (e.g., RHSA-2009-0015, RHSA-2009-0016, RHSA-2009-0466) [3]. Users should upgrade to JDK/JRE 6 Update 11 or later, or 5.0 Update 17 or later. If unable to patch, disable Java applets or restrict untrusted applications.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:sun:jdk:5.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_14:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_15:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:*:update_10:*:*:*:*:*:* (range: <=6)
- cpe:2.3:a:sun:jdk:*:update_16:*:*:*:*:*:* (range: <=5.0)
- cpe:2.3:a:sun:jre:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_14:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_15:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:*:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:*:update_10:*:*:*:*:*:* (range: <=6)
- cpe:2.3:a:sun:jre:*:update_16:*:*:*:*:*:* (range: <=5.0)
- Range: <=6 Update 10 (JDK and JRE 6), <=5.0 Update 16 (JDK and JRE 5.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- sunsolve.sun.com/search/document.do (Patch, Vendor Advisory)
- www.us-cert.gov/cas/techalerts/TA08-340A.html (US Government Resource)
- labs.idefense.com/intelligence/vulnerabilities/display.php
- lists.opensuse.org/opensuse-security-announce/2009-01/msg00009.html
- lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html
- osvdb.org/50501
- rhn.redhat.com/errata/RHSA-2008-1018.html
- rhn.redhat.com/errata/RHSA-2008-1025.html
- secunia.com/advisories/32991
- secunia.com/advisories/33015
- secunia.com/advisories/33528
- secunia.com/advisories/33709
- secunia.com/advisories/33710
- secunia.com/advisories/34259
- secunia.com/advisories/34972
- secunia.com/advisories/37386
- security.gentoo.org/glsa/glsa-200911-02.xml
- support.avaya.com/elmodocs2/security/ASA-2009-012.htm
- support.nortel.com/go/main.jsp
- www.redhat.com/support/errata/RHSA-2009-0015.html
- www.redhat.com/support/errata/RHSA-2009-0016.html
- www.securityfocus.com/bid/32608
- www.securitytracker.com/id
- www.vupen.com/english/advisories/2008/3339
- www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6383
- rhn.redhat.com/errata/RHSA-2009-0466.html
News mentions
No linked articles in our index yet.