Andrea Palazzo reported the following problem affecting IcedTea-Web:
Permanent Trusted Applet Injection
Due to a lack of validation in the process of parsing non-standard URI schemes, it is possible to inject arbitrary trusted applets into the .appletTrustSettings configuration file.
An attacker could exploit this flaw to permanently authorize the execution of unsigned applets in the context of a victim browser from arbitrary domains. It should be noted that the exploit is triggered even if the victim hits the "cancel" button when the authorization view is prompted.
Name: Andrea Palazzo (Truel IT)
Created attachment 1043118
patch for insertion of invalid regex by malicious URL
The fix for the above bug (and it is a bug) is here.
If you agree that it has no security impact, I will post it (or any reviewer of this thread can) to distro-pkg-dev once I'm back from vacation.
The fix is needed for 1.5, 1.6 and 1.7
- the table validator in itweb-settings still correctly complains about an invalid table and points out the error
- the invalid regex is just skipped as not matching
- unit tests should be added (but I really need to hurry now to catch my ferry)
Created icedtea-web tracking bugs for this issue:
Affects: fedora-all [bug 1259311]
Patch for removal of line endings pushed to head:
patch for correct escaping of url regexes also pushed to head
All rebukes to those two patches mentioned in this bug were fixed and additional tests for them added
Versioned .appletTrustSettings patch pushed to head
actOnVersionLoad() can throw exception (at least Integer.valueOf(versionS)), not sure if that can cause any issues - was fixed, ty
actOnVersionLoad() hard-codes current version number rather than using currentVersion. - was not fixed, is intentional
Backup file extension is just .X, where X is a number, so really a .0 for this upgrade. That makes it look like a man page file. - added -backup suffix
The length check was fixed in http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab
Fixed in two steps
- records containing a line break are never saved to the affected config file
- possibly already corrupted settings are discarded to backup and not used after update
Partially related is a push ensuring more proper URL escaping.
all related changes pushed to 1.6 branch
all related changes pushed to 1.5 branch
Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.
This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html
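
The behaviour described in the comments above (records containing a line break are never saved, URLs are escaped before being stored as regexes, and an invalid stored regex is skipped as not matching), as an added Java example that is not IcedTea-Web code or part of the original thread. The one-line record format, the class and its method names are hypothetical simplifications, and the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class TrustStoreSketch {
    // Hypothetical one-line record: "<decision> <documentBaseRegex>".
    // This is a simplification, not the real .appletTrustSettings layout.
    private final List<String> lines = new ArrayList<>();

    /** Stores a decision for a URL; refuses anything that would span two lines. */
    boolean save(String decision, String documentBase) {
        if (hasLineBreak(decision) || hasLineBreak(documentBase)) {
            return false; // never written, so it cannot turn into an extra record
        }
        // Quote the URL so regex metacharacters in it are matched literally.
        lines.add(decision + " " + Pattern.quote(documentBase));
        return true;
    }

    /** Returns the stored decision for a URL, or null if no record matches. */
    String lookup(String documentBase) {
        for (String line : lines) {
            String[] parts = line.split(" ", 2);
            if (parts.length != 2) continue; // malformed record, ignore it
            try {
                if (Pattern.matches(parts[1], documentBase)) return parts[0];
            } catch (PatternSyntaxException e) {
                // Invalid regex: treated as "does not match", not as a fatal error.
            }
        }
        return null;
    }

    private static boolean hasLineBreak(String s) {
        return s.indexOf('\n') >= 0 || s.indexOf('\r') >= 0;
    }

    public static void main(String[] args) {
        TrustStoreSketch store = new TrustStoreSketch();
        // Constructed sample values.
        System.out.println(store.save("ALWAYS", "http://example.test/app?x=(1"));
        System.out.println(store.save("ALWAYS", "http://example.test/a\nsecond"));
        // Simulates an entry written before the fix whose regex does not compile.
        store.lines.add("ALWAYS http://broken.test/(");
        System.out.println(store.lookup("http://example.test/app?x=(1"));
        System.out.println(store.lookup("http://broken.test/("));
    }
}
```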