Bug 869040 (CVE-2012-4540)

Summary: CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: dbhole, jvanek, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=critical,public=20121107,reported=20121022,source=upstream,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/icedtea-web=affected,fedora-all/icedtea-web=affected,cwe=CWE-122[auto]
Fixed In Version: icedtea-web 1.1.7, icedtea-web 1.2.2, icedtea-web 1.3.1, icedtea-web 1.4.1
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-12-12 11:56:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 871101, 871102
Bug Blocks: 869043
Attachments:
  proposed patch (attachment 631741, flags: none)
  Update patch from Deepak Bhole (attachment 635041, flags: none)
  Final patch from Deepak Bhole (attachment 636971, flags: none)
  Final patch from Deepak Bhole (attachment 636984, flags: none)

Description Vincent Danen 2012-10-22 16:49:38 EDT
A flaw was reported in IcedTea-web plugin where certain events attached to an applet, when triggered, could lead to a heap-based buffer overflow, resulting in possible information leak, crash, or code execution.
Comment 1 Vincent Danen 2012-10-22 17:00:47 EDT
This has been assigned CVE-2012-4540.
Comment 3 Vincent Danen 2012-10-22 17:08:13 EDT
Created attachment 631741 [details]
proposed patch
Comment 4 Tomas Hoger 2012-10-29 10:39:08 EDT
Created attachment 635041 [details]
Update patch from Deepak Bhole
Comment 5 Tomas Hoger 2012-10-29 11:03:32 EDT
(In reply to comment #0)
> A flaw was reported in IcedTea-web plugin where certain events attached to
> an applet, when triggered, could lead to a heap-based buffer overflow,
> resulting in possible information leak, crash, or code execution.

The problem is in the IcedTeaScriptableJavaObject::invoke function:

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/11c61503e614/plugin/icedteanp/IcedTeaScriptablePluginObject.cc#l592

If method invocation ends with an exception, icedtea-web plugin allocates memory for an error message to be passed to the browser.  When doing so, it does not allocate space for the trailing '\0' string terminator.  This can lead to a one byte buffer overflow (assuming sizeof(char) == 1).  The data written past the end of the buffer is not attacker controlled and it is always '\0'.
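The sizing mistake described in comment 5, reproduced in a contained way as an added example (this is illustrative code written for this page, not IcedTea-Web's IcedTeaScriptableJavaObject::invoke, and the exception text, the sentinel value and the function names are assumptions). The buggy pattern allocates strlen(msg) bytes and then copies msg with strcpy(), which always writes strlen(msg) + 1 bytes; the example carves the buffer out of a region one byte larger and puts a sentinel where the next heap object would start, so the spilled byte can be inspected without corrupting real heap metadata. It also shows the fixed sizing and a hardened builder that derives the allocation from the formatted length:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample exception text standing in for whatever the applet
 * method threw; it is not taken from the IcedTea-Web sources. */
static const char SAMPLE_EXCEPTION[] =
    "java.lang.IllegalArgumentException: unexpected argument";

/*
 * Reproduce the off-by-one without undefined behaviour.  A buffer of
 * 'alloc' bytes is placed at the start of a region of alloc + 1 bytes and
 * the extra byte is set to a sentinel, standing in for the first byte of the
 * neighbouring heap object.  strcpy() then copies msg exactly as the buggy
 * code does, writing strlen(msg) + 1 bytes (characters plus '\0').
 *
 * reserve_nul == 0 sizes the buffer the buggy way (strlen only);
 * reserve_nul != 0 sizes it the fixed way (strlen + 1).
 * Returns the sentinel's value after the copy: 0xAA means untouched,
 * 0x00 means the terminator spilled one byte past the buffer.  -1 on OOM.
 */
int byte_after_buffer_after_copy(const char *msg, int reserve_nul)
{
    size_t len   = strlen(msg);
    size_t alloc = reserve_nul ? len + 1 : len;   /* 'len' alone is the bug */
    unsigned char *region = malloc(alloc + 1);    /* +1 is the sentinel slot */
    if (region == NULL)
        return -1;

    region[alloc] = 0xAA;             /* "neighbouring" heap byte */
    strcpy((char *)region, msg);      /* writes len + 1 bytes, as in the bug */

    int after = region[alloc];        /* 0x00 when alloc == len */
    free(region);
    return after;
}

/* Hardened replacement: compute the formatted length first, allocate that
 * plus one for the '\0', and bound the write to the allocation.  Returns a
 * heap string the caller frees, or NULL on error. */
char *build_error_message(const char *prefix, const char *exception_text)
{
    int needed = snprintf(NULL, 0, "%s%s", prefix, exception_text);
    if (needed < 0)
        return NULL;
    size_t size = (size_t)needed + 1;   /* +1 for the terminator */
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    snprintf(buf, size, "%s%s", prefix, exception_text);
    return buf;
}

int main(void)
{
    printf("buggy sizing: byte after buffer = 0x%02X\n",
           byte_after_buffer_after_copy(SAMPLE_EXCEPTION, 0));
    printf("fixed sizing: byte after buffer = 0x%02X\n",
           byte_after_buffer_after_copy(SAMPLE_EXCEPTION, 1));

    char *msg = build_error_message("Java exception: ", SAMPLE_EXCEPTION);
    if (msg != NULL) {
        printf("%s (%zu characters + NUL)\n", msg, strlen(msg));
        free(msg);
    }
    return 0;
}
```

With the buggy sizing the sentinel reads back as 0x00: exactly one byte past the allocation is overwritten, and its value is always the terminator regardless of the message content, which matches the assessment in comment 5. On a real heap that byte belongs to whatever allocator metadata or object follows the buffer, so the consequence depends on the allocator and heap layout rather than on the attacker's input.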
Comment 7 Tomas Hoger 2012-11-02 04:42:58 EDT
Created attachment 636971 [details]
Final patch from Deepak Bhole
Comment 8 Tomas Hoger 2012-11-02 04:45:54 EDT
Created attachment 636984 [details]
Final patch from Deepak Bhole

Add correct patch.  The one in comment #7 is the same as the one in comment #4.
Comment 9 Tomas Hoger 2012-11-02 06:09:50 EDT
Acknowledgment:

Red Hat would like to thank Arthur Gerkis for reporting this issue.
Comment 10 Tomas Hoger 2012-11-07 13:39:25 EST
Fixed now upstream in 1.1.7, 1.2.2 and 1.3.1:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html

Upstream commit (1.3 branch):

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/e7970f3da5fe
Comment 11 errata-xmlrpc 2012-11-07 13:56:16 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1434 https://rhn.redhat.com/errata/RHSA-2012-1434.html
Comment 12 jiri vanek 2013-09-16 08:33:09 EDT
Upstream has forwarded the patch both to head and 1.4.

http://icedtea.classpath.org/hg/icedtea-web/rev/dbd98f24eebb
http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a

Thanks for letting us know.
Comment 13 Tomas Hoger 2013-09-16 09:52:02 EDT
(In reply to jiri vanek from comment #12)
> Upstream have forwarded the patch both to head and 1.4.

To give this a little more context, the fix of this issue did not get applied to icedtea-web HEAD at the time the 1.1, 1.2 and 1.3 branches were fixed.  Therefore, 1.4, released a few months later, is also affected.  A new CVE id, CVE-2013-4349, was assigned for the issue - see bug 1007960.