Bug 672262 (CVE-2011-0025)

Summary: CVE-2011-0025 IcedTea jarfile signature verification bypass
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: ahughes, aph, bressers, dbhole, jlieskov, omajid, security-response-team, vdanen
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=important,source=redhat,public=20110201,reported=20110120,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,cwe=CWE-347
Doc Type: Bug Fix

Comment 4 Marc Schoenefeld 2011-02-01 09:21:39 EST
Omair Majid discovered that there are more problems with jar verification than Ville Skyttä found (bug #671269). Essentially, there was no multiple signer handling at all. This means it would be possible (with the current code) to make netx display either the wrong cert, or even no cert at all, with a carefully crafted jnlp app. This means that in certain cases the user is not even notified and untrusted code is run with the full privileges of the user.
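The two failure modes described in this comment, partially signed archives and archives with several signers, come down to how a launcher combines per-entry signature results before deciding which certificate (if any) to show. The Python model below is an added example, not IcedTea or netx code; the entry-to-signer tables are constructed, and a real launcher would derive them from the JAR's META-INF signature files.

```python
"""Model of JAR signature verification with multiple signers.

Added example (not IcedTea/netx code). Each code entry in a JAR may be
covered by zero or more signers. Crediting the whole archive to a signer
seen on *some* entry lets a partially signed or mixed-signer JAR present
the wrong certificate, or none at all; the check below only reports a
signer when it covers every entry.
"""
from typing import Dict, FrozenSet, Set, Tuple

# Constructed samples: entry path -> signer identities (e.g. certificate DNs).
FULLY_SIGNED = {
    "com/example/Main.class": {"CN=Trusted Vendor"},
    "com/example/Util.class": {"CN=Trusted Vendor"},
}
PARTIALLY_SIGNED = {
    "com/example/Main.class": {"CN=Trusted Vendor"},
    "com/example/Extra.class": set(),  # entry carries no signature at all
}
MIXED_SIGNERS = {
    "com/example/Main.class": {"CN=Trusted Vendor"},
    "com/example/Extra.class": {"CN=Unknown Party"},
}


def common_signers(entries: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Signers covering *every* entry: intersection, never union."""
    result = None
    for signers in entries.values():
        result = set(signers) if result is None else result & set(signers)
        if not result:
            return frozenset()
    return frozenset(result or ())


def classify(entries: Dict[str, Set[str]]) -> Tuple[str, FrozenSet[str]]:
    """Return ('signed' | 'partial' | 'unsigned', signers safe to display)."""
    common = common_signers(entries)
    if common:
        return "signed", common
    if any(entries.values()):
        return "partial", frozenset()  # some signatures, none covers all code
    return "unsigned", frozenset()


def trust_decision(entries: Dict[str, Set[str]], trusted: Set[str]) -> str:
    """Simplified privilege decision: only a fully signed archive whose
    common signer is trusted may leave the sandbox."""
    status, signers = classify(entries)
    return "full" if status == "signed" and signers & trusted else "sandbox"
```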
Comment 5 Vincent Danen 2011-02-04 15:57:00 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0025 to
the following vulnerability:

Name: CVE-2011-0025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
Assigned: 20101207
Reference: http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515
Reference: http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/
Reference: http://www.ubuntu.com/usn/USN-1055-1
Reference: http://www.securityfocus.com/bid/46110
Reference: http://secunia.com/advisories/43135

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does
not properly verify signatures for JAR files that (1) are "partially
signed" or (2) signed by multiple entities, which allows remote
attackers to trick users into executing code that appears to come from
a trusted source.