Bug 436293 (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190)

Summary: CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190)
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: kreilly, kseifried
Keywords: Security
Hardware: All
OS: Linux
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1
Doc Type: Bug Fix
Last Closed: 2011-09-30 01:12:14 UTC
Bug Depends On: 436304, 436305, 439176, 439177, 444749, 455574, 455726

Description Marc Schoenefeld 2008-03-06 12:42:23 UTC
Three buffer overflow security vulnerabilities in Java Web Start may
independently allow an untrusted Java Web Start application that is downloaded
from a website to elevate its privileges. For example, an untrusted Java Web
Start application may grant itself permissions to read and write local files or
execute local applications that are accessible to the user running the untrusted
application.

A vulnerability in Java Web Start may allow an untrusted Java Web Start
application to elevate its privileges. For example, an application may grant
itself permissions to read and write local files or execute local applications
that are accessible to the user running the untrusted application.

A vulnerability in Java Web Start may allow an untrusted Java Web Start
application to create files on the system that the untrusted application runs on
and leverage these files to run local applications with the privileges of the
user running the untrusted Java Web Start application.

Comment 2 Marc Schoenefeld 2008-03-13 09:13:21 UTC
CVE-2008-1188: 

http://www.securityfocus.com/archive/1/489466/30/0/threaded

-- Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Sun Java Web Start. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists in the useEncodingDecl() function used while
checking xml based JNLP files for UTF8 characters. When a user downloads
a malicious JNLP file, the data immediately preceding the opening of the
xml tag is read into a static buffer. If an overly long key name in the
xml header is included, a stack based buffer overflow occurs, resulting
in an exploitable condition.

Comment 3 Marc Schoenefeld 2008-03-13 09:16:17 UTC
More on CVE-2008-1188: 

http://www.securityfocus.com/archive/1/489467/30/0/threaded

The specific flaw exists in the useEncodingDecl() function used while
parsing the xml header character encoding attribute. When a user
downloads a malicious JNLP file, the charset value is read into a static
buffer. If an overly long charset name in the xml header is included, a stack
based buffer overflow occurs, resulting in an exploitable condition.

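Both flaws quoted in comments 2 and 3 have the same shape: a value taken from the JNLP file's XML declaration is copied into a fixed-size stack buffer with no length check. The C program below is an added illustration of the defensive pattern, not code from Java Web Start or from Sun; the function and constant names are mine, and the 40-byte cap on encoding names is an assumption I chose from the RFC 2978 limit on registered charset names. It walks the declaration with every index checked against the input length and every byte written checked against the output size, so an overlong `encoding` value is rejected rather than truncated or spilled, and bytes that precede `<?xml` are never copied anywhere. The sample documents in `main` are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for an encoding name (RFC 2978 caps registered
 * charset names at 40 characters). Longer values are rejected, never cut. */
#define MAX_ENCODING_LEN 40

/* Result codes returned by extract_xml_encoding(). */
enum {
    ENC_NONE = 0,      /* no XML declaration, or no encoding attribute   */
    ENC_FOUND = 1,     /* encoding name copied into out, NUL-terminated  */
    ENC_REJECTED = -1  /* malformed declaration or overlong encoding name */
};

/* XML EncName production: [A-Za-z] ([A-Za-z0-9._] | '-')* */
static int is_encname_start(unsigned char c) { return isalpha(c); }
static int is_encname_char(unsigned char c) {
    return isalnum(c) || c == '.' || c == '_' || c == '-';
}

/* Bounded extraction of the encoding pseudo-attribute from a declaration
 * such as <?xml version="1.0" encoding="UTF-8"?>. Nothing from the input
 * is copied until its length has been checked against out_sz. */
int extract_xml_encoding(const unsigned char *doc, size_t doc_len,
                         char *out, size_t out_sz)
{
    size_t i = 0;
    if (out_sz == 0) return ENC_REJECTED;
    out[0] = '\0';

    /* An optional UTF-8 byte order mark is the only thing allowed before
     * <?xml; it is skipped in place, not read into a buffer. */
    if (doc_len >= 3 && doc[0] == 0xEF && doc[1] == 0xBB && doc[2] == 0xBF)
        i = 3;
    if (doc_len - i < 5 || memcmp(doc + i, "<?xml", 5) != 0)
        return ENC_NONE;
    i += 5;

    /* Find the closing "?>" without ever indexing past doc_len. */
    size_t decl_end = i;
    while (decl_end + 1 < doc_len &&
           !(doc[decl_end] == '?' && doc[decl_end + 1] == '>'))
        decl_end++;
    if (decl_end + 1 >= doc_len) return ENC_REJECTED;  /* unterminated */

    /* Locate "encoding" (preceded by whitespace) inside [i, decl_end). */
    const char *key = "encoding";
    size_t klen = strlen(key), pos = i;
    for (;;) {
        if (pos + klen > decl_end) return ENC_NONE;
        if (memcmp(doc + pos, key, klen) == 0 && isspace(doc[pos - 1])) break;
        pos++;
    }
    pos += klen;
    while (pos < decl_end && isspace(doc[pos])) pos++;
    if (pos >= decl_end || doc[pos] != '=') return ENC_REJECTED;
    pos++;
    while (pos < decl_end && isspace(doc[pos])) pos++;
    if (pos >= decl_end || (doc[pos] != '"' && doc[pos] != '\'')) return ENC_REJECTED;
    unsigned char quote = doc[pos++];

    /* Copy the value one byte at a time; the length check precedes the write. */
    size_t n = 0;
    while (pos < decl_end && doc[pos] != quote) {
        unsigned char c = doc[pos];
        if (n == 0 ? !is_encname_start(c) : !is_encname_char(c)) return ENC_REJECTED;
        if (n + 1 >= out_sz || n >= MAX_ENCODING_LEN) return ENC_REJECTED;
        out[n++] = (char)c;
        pos++;
    }
    if (pos >= decl_end || n == 0) return ENC_REJECTED;  /* unterminated or empty */
    out[n] = '\0';
    return ENC_FOUND;
}

/* Convenience wrapper for NUL-terminated documents. */
int extract_xml_encoding_str(const char *doc, char *out, size_t out_sz)
{
    return extract_xml_encoding((const unsigned char *)doc, strlen(doc), out, out_sz);
}

/* Build a constructed declaration whose encoding value is value_len 'A'
 * bytes and report how the extractor classifies it. */
int classify_value_of_length(size_t value_len)
{
    size_t cap = value_len + 64;
    unsigned char *doc = malloc(cap);
    if (!doc) return ENC_REJECTED;
    size_t n = (size_t)snprintf((char *)doc, cap, "<?xml version=\"1.0\" encoding=\"");
    memset(doc + n, 'A', value_len);
    n += value_len;
    memcpy(doc + n, "\"?>\n<jnlp/>", 11);
    n += 11;
    char out[64];
    int rc = extract_xml_encoding(doc, n, out, sizeof out);
    free(doc);
    return rc;
}

int main(void)
{
    char enc[64];
    /* Constructed sample JNLP header. */
    const char *ok = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<jnlp spec=\"1.0+\"/>";
    printf("normal header: rc=%d enc=%s\n", extract_xml_encoding_str(ok, enc, sizeof enc), enc);
    printf("40-byte name:  rc=%d\n", classify_value_of_length(40));
    printf("300-byte name: rc=%d\n", classify_value_of_length(300));
    return 0;
}
```

The point to take from the two rejection paths is that the check on `n` happens before the store into `out`, and the end-of-declaration scan is bounded by `doc_len` rather than by a sentinel character the attacker controls; a copy loop that tests only for the closing quote has no bound at all if that quote is missing.
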
Comment 5 Mark J. Cox 2008-04-01 12:06:59 UTC
Note that CVE-2008-1191 did not affect JDK5 and therefore should not be listed
in the advisory or the bug as it was not affected.