Bug 1233667 (CVE-2015-5234)
| Field | Value |
|---|---|
| Summary | CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned applets |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aazores, aph, carnil, dbhole, jvanek, omajid, security-response-team, slong |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | icedtea-web 1.5.3, icedtea-web 1.6.1 |
| Doc Type | Bug Fix |
| Doc Text | It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-05-11 06:37:57 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1259311 |
| Bug Blocks | 1233713 |
| Attachments | |
Description
Tomas Hoger
2015-06-19 12:10:21 UTC
Created attachment 1043118 [details]
patch for insertion of invalid regex by malicious url

The fix for the above bug (and it is a bug) is here.
If you agree that it has no security impact, I will post it (or any reviewer of this thread can) to distro-pkg-dev once I'm back from vacation.
The fix is needed for 1.5, 1.6 and 1.7.

Notes
- the table validator in itweb-settings still correctly complains about the invalid table and points out the error
- the invalid regex is just skipped as not matching
- unit tests should be added (but I really need to hurry now to catch my ferry)
Created icedtea-web tracking bugs for this issue:
Affects: fedora-all [bug 1259311]

Patch for removal of line endings pushed to head: http://icedtea.classpath.org/hg/icedtea-web/rev/53500e3de1bc

Patch for correct escaping of url regexes also pushed to head: http://icedtea.classpath.org/hg/icedtea-web/rev/c9befa549f63

All rebukes to those two patches mentioned in this bug were fixed and additional tests for them added.

Versioned .appletTrustSettings patch pushed to head: http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab

- actOnVersionLoad() can throw exception (at least Integer.valueOf(versionS)), not sure if that can cause any issues - was fixed, ty
- actOnVersionLoad() hard-codes current version number rather than using currentVersion. - was not fixed, is intentional
- Backup file extension is just .X, where X is a number, so really a .0 for this upgrade. That makes it look like a man page file. - added -backup suffix

The length check was fixed in http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab

Fixed in two steps:
- records containing a line break are never saved to the affected config file
- possibly already corrupted settings are discarded to a backup and not used after update

Partially related is a push ensuring more proper url escaping.

All related changes pushed to 1.6 branch.
All related changes pushed to 1.5 branch.

Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.

This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1: https://rhn.redhat.com/errata/RHBA-2015-2457.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html
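As an added illustration (not IcedTea-Web's own code), the two fixes the comments describe applied to a line-oriented trust-settings file: records containing a line break are refused before being written, the URL is stored as an escaped regex literal, and a record whose regex does not compile is skipped on load. The "ACTION URL_REGEX" record layout, the class and method names, and the sample inputs are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Illustrative hardened store for a line-oriented applet trust-settings
// file (not IcedTea-Web's own code). The "ACTION URL_REGEX" record layout
// is an assumption made for this example.
public class TrustSettingsStore {
    // Build one record, or refuse it if the URL could not be stored safely.
    public static String buildRecord(String action, String codebaseUrl) {
        // A line break inside the URL would end this record early and let
        // the remainder be read back as a separate, attacker-chosen record.
        if (codebaseUrl.indexOf('\n') >= 0 || codebaseUrl.indexOf('\r') >= 0) {
            throw new IllegalArgumentException("URL contains a line break");
        }
        // Store the URL as a literal pattern so regex metacharacters that
        // legitimately appear in URLs ('?', '+', '.') keep their meaning.
        return action + " " + Pattern.quote(codebaseUrl);
    }

    // Read records back, keeping only those whose regex compiles; an
    // invalid regex is skipped and therefore matches nothing.
    public static List<String[]> loadRecords(String fileContents) {
        List<String[]> valid = new ArrayList<>();
        for (String line : fileContents.split("\\r?\\n")) {
            String[] fields = line.split(" ", 2);
            if (fields.length != 2) {
                continue; // malformed record, skip
            }
            try {
                Pattern.compile(fields[1]);
                valid.add(fields);
            } catch (PatternSyntaxException e) {
                // skip the corrupted record rather than fail the whole file
            }
        }
        return valid;
    }
    public static void main(String[] args) { // constructed sample inputs
        String ok = buildRecord("ALWAYS", "http://example.com/app?x=1");
        try {
            buildRecord("ALWAYS", "http://example.com/\nsecond-record");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        String file = ok + "\nNEVER http://[unclosed\n";
        System.out.println(loadRecords(file).size() + " valid record(s)");
    }
}
```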