Bug 1233697 (CVE-2015-5235)
Summary: | CVE-2015-5235 icedtea-web: applet origin spoofing | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aazores, aph, carnil, dbhole, jvanek, omajid, security-response-team, slong |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | icedtea-web 1.5.3, icedtea-web 1.6.1 | Doc Type: | Bug Fix |
Doc Text: |
It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-05-11 06:37:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1259311 | ||
Bug Blocks: | 1233713 |
Description
Tomas Hoger
2015-06-19 12:27:11 UTC
This is nice example, where http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library will help a lot. Dialogue informing user about laoded reources (similar to https://bugzilla.redhat.com/attachment.cgi?id=1064644) improved and enabled for unsigned apps. Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/531034ce3e30 (In reply to jiri vanek from comment #12) > Created attachment 1042634 [details] > patch with improved tests > > fix is same, just added three more tests for surrounding cases. Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/ee5e2cb91774 Created icedtea-web tracking bugs for this issue: Affects: fedora-all [bug 1259311] Versioned .appletTrustSetting patch pushed to head http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab Short summary: The issue is fixed via two steps: - First, when applet is saved for whole codebase, also docbase is include So Instead of rcord like metadata|docbase |codebase |another data . ..| .* | some.url/.*|... we save something like . ..|doc.url/.* | some.url/.*|... - Second, all resources going out of codebase AND docbase are reported to user As partially related changeset, possibly already infected records are moved to backup and not used by updated versions all related changes pushed to 1.6 branch all related changes pushed to 1.5 branch Patches for this issue were included in upstream versions 1.6.1 and 1.5.3. This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1: https://rhn.redhat.com/errata/RHBA-2015-2457.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html |