Bug 1233667 (CVE-2015-5234) - CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned applets
Summary: CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned app...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1259311
Blocks: 1233713
 
Reported: 2015-06-19 12:10 UTC by Tomas Hoger
Modified: 2021-02-17 05:12 UTC (History)
8 users

Fixed In Version: icedtea-web 1.5.3, icedtea-web 1.6.1
Doc Type: Bug Fix
Doc Text:
It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval.
Clone Of:
Environment:
Last Closed: 2016-05-11 06:37:57 UTC
Embargoed:


Attachments
patch for insertion of invalid regex by malicious url (3.80 KB, patch)
2015-06-25 13:54 UTC, jiri vanek


Links
Red Hat Product Errata RHSA-2016:0778 (normal, SHIPPED_LIVE): Moderate: icedtea-web security, bug fix, and enhancement update (last updated 2016-05-10 22:35:24 UTC)

Description Tomas Hoger 2015-06-19 12:10:21 UTC
Andrea Palazzo reported the following problem affecting IcedTea-Web:

"""
Permanent Trusted Applet Injection

Due to a lack of validation in the process of parsing non-standard URI schemes, it is possible to inject arbitrary trusted applets into the .appletTrustSettings configuration file.

An attacker could exploit this flaw to permanently authorize the execution of unsigned applets in the context of a victim browser from arbitrary domains.  It should be noted that the exploit is triggered even if the victim hits the "cancel" button when the authorization view is prompted.
"""

Acknowledgement:

Name: Andrea Palazzo (Truel IT)

Comment 15 jiri vanek 2015-06-25 13:54:28 UTC
Created attachment 1043118 [details]
patch for insertion of invalid regex by malicious url

The fix for the above bug (and it is a bug) is here.
If you agree that it has no security impact, I will post it (or any reviewer of this thread can) to distro-pkg-dev once I'm back from vacation.
The fix is needed for 1.5, 1.6 and 1.7.
Notes
  - the table validator in itweb-settings still correctly complains about the invalid table and points out the error
  - the invalid regex is just skipped as not matching
  - unit tests should be added (but I really need to hurry now to catch my ferry)

Comment 28 Tomas Hoger 2015-09-02 11:58:53 UTC
Created icedtea-web tracking bugs for this issue:

Affects: fedora-all [bug 1259311]

Comment 29 jiri vanek 2015-09-02 17:04:35 UTC
Patch  for removal of line endings pushed to head:
http://icedtea.classpath.org/hg/icedtea-web/rev/53500e3de1bc
patch for correct escaping of url regexes also pushed to head
http://icedtea.classpath.org/hg/icedtea-web/rev/c9befa549f63

All rebukes to those two patches mentioned in this bug were fixed and additional tests for them added

Comment 30 jiri vanek 2015-09-03 13:11:39 UTC
Versioned .appletTrustSetting patch pushed to head
http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab

 actOnVersionLoad() can throw an exception (at least Integer.valueOf(versionS)), not sure if that can cause any issues - was fixed, ty
 actOnVersionLoad() hard-codes the current version number rather than using currentVersion. - was not fixed, is intentional
 Backup file extension is just .X, where X is a number, so really a .0 for this upgrade. That makes it look like a man page file. - added -backup suffix
 The length check was fixed in http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab

Comment 31 jiri vanek 2015-09-03 13:32:15 UTC
Fixed in two steps
 - records containing line break are never saved to affected config file
 - possible already corrupted settings are discarded to backup and not used after update


Partially related is a push ensuring more proper URL escaping.

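The injection described in the original report (a URL carrying a line break that smuggles an extra, attacker-chosen record into the line-oriented trust-settings file, even when the victim presses Cancel) and the two-step fix summarized in comment 31 (records containing a line break are never saved; an invalid regex is skipped as not matching; URLs are escaped before being used as patterns), modelled together as an added example. This is constructed Python illustrating the mechanism, not IcedTea-Web's own code: the record layout (four space-separated fields), the field names, the function names and the sample URLs are assumptions for this example, and the real .appletTrustSettings format is richer.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of a line-oriented applet trust-settings file
# (assumption: not the real IcedTea-Web .appletTrustSettings layout).
# One record per line; four fields separated by a single space:
#   <ACTION> <timestamp> <document-URL-pattern> <codebase-URL-pattern>
ALLOWED_ACTIONS = {"ALWAYS", "NEVER"}


@dataclass
class TrustRecord:
    action: str
    timestamp: int
    doc_pattern: str
    codebase_pattern: str


def record_to_line_unsafe(action: str, ts: int, doc_url: str, codebase_url: str) -> str:
    """Pre-fix behaviour: the attacker-controlled URLs go into the file verbatim.
    A URL containing a newline ends the record early, and whatever follows the
    newline is parsed as a further, attacker-chosen record."""
    return f"{action} {ts} {doc_url} {codebase_url}"


def record_to_line_safe(action: str, ts: int, doc_url: str, codebase_url: str) -> str:
    """Post-fix behaviour (modelled): refuse a record whose URL contains
    whitespace or control characters (so a line break can never reach the
    file), and regex-escape the URL so its metacharacters cannot widen what
    the stored pattern later matches."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for url in (doc_url, codebase_url):
        if re.search(r"[\s\x00-\x1f\x7f]", url):
            raise ValueError("URL contains whitespace/control characters; record not saved")
    return f"{action} {ts} {re.escape(doc_url)} {re.escape(codebase_url)}"


def parse_settings(text: str) -> List[TrustRecord]:
    """Load records. Malformed lines are discarded, and a record whose pattern
    does not compile is dropped rather than aborting the load: it can never
    match, so it grants nothing (the 'invalid regex is just skipped' note)."""
    records: List[TrustRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ")
        if len(parts) != 4 or parts[0] not in ALLOWED_ACTIONS or not parts[1].isdigit():
            continue  # corrupted record: discard
        try:
            re.compile(parts[2])
            re.compile(parts[3])
        except re.error:
            continue  # invalid regex: skipped as not matching
        records.append(TrustRecord(parts[0], int(parts[1]), parts[2], parts[3]))
    return records


def lookup(records: List[TrustRecord], doc_url: str, codebase_url: str) -> Optional[str]:
    """First record whose two patterns fully match wins; None means 'ask the user'."""
    for r in records:
        if re.fullmatch(r.doc_pattern, doc_url) and re.fullmatch(r.codebase_pattern, codebase_url):
            return r.action
    return None


# Constructed attacker input: a codebase URL whose tail, after the newline,
# is a complete record trusting every document and every codebase.
PAYLOAD_CODEBASE = "http://attacker.example/applet/\nALWAYS 0 .* .*"


def demo_vulnerable() -> Tuple[Optional[str], Optional[str]]:
    """The victim pressed Cancel, so NEVER is recorded for the attacker's applet,
    yet an unrelated site is now permanently trusted via the injected line."""
    text = record_to_line_unsafe("NEVER", 1434715000, "http://attacker.example/page.html", PAYLOAD_CODEBASE)
    recs = parse_settings(text)
    return (lookup(recs, "http://attacker.example/page.html", "http://attacker.example/applet/"),
            lookup(recs, "http://bank.example/", "http://anything.example/"))


def demo_hardened() -> bool:
    """Same input through the hardened serializer: the record is refused outright."""
    try:
        record_to_line_safe("NEVER", 1434715000, "http://attacker.example/page.html", PAYLOAD_CODEBASE)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())  # ('NEVER', 'ALWAYS')
    print("hardened rejects payload:", demo_hardened())  # True
```

Two points the model makes visible: escaping alone is not enough, because re.escape turns a space into "\ " and the field separator is still a raw space, so the whitespace/control-character check before writing is what actually keeps a record on one line; and skipping an uncompilable pattern on load only limits damage from an already corrupted file, which is why the real fix also versions the file and moves pre-existing settings aside to a backup instead of trusting them.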
Comment 32 jiri vanek 2015-09-08 12:14:23 UTC
all related changes pushed to 1.6 branch

Comment 33 jiri vanek 2015-09-08 15:21:36 UTC
all related changes pushed to 1.5 branch

Comment 34 Tomas Hoger 2015-12-14 20:52:47 UTC
Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.

Comment 35 Tomas Hoger 2015-12-15 09:25:07 UTC
This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1:

https://rhn.redhat.com/errata/RHBA-2015-2457.html

Comment 36 errata-xmlrpc 2016-05-10 20:14:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html

