Bug 1233667 - (CVE-2015-5234) CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned applets
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1259311
Blocks: 1233713
Reported: 2015-06-19 08:10 EDT by Tomas Hoger
Modified: 2016-05-11 02:37 EDT

Fixed In Version: icedtea-web 1.5.3, icedtea-web 1.6.1
Doc Type: Bug Fix
Doc Text:
It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval.
Last Closed: 2016-05-11 02:37:57 EDT

Attachments
patch for insertion of invalid regex by malicious url (3.80 KB, patch)
2015-06-25 09:54 EDT, jiri vanek

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2016:0778
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: icedtea-web security, bug fix, and enhancement update
Last Updated: 2016-05-10 18:35:24 EDT

Description Tomas Hoger 2015-06-19 08:10:21 EDT
Andrea Palazzo reported the following problem affecting IcedTea-Web:

Permanent Trusted Applet Injection

Due to a lack of validation in the process of parsing non-standard uri schemes, it is possible to inject arbitrary trusted applets into the .appletTrustSettings configuration file.

An attacker could exploit this flaw to permanently authorize the execution of unsigned applets in the context of a victim browser from arbitrary domains. It should be noted that the exploit is triggered even if the victim hits the "cancel" button when the authorization view is prompted.


Name: Andrea Palazzo (Truel IT)
Comment 15 jiri vanek 2015-06-25 09:54:28 EDT
Created attachment 1043118
patch for insertion of invalid regex by malicious url

The fix for the above bug (and it is a bug) is here.
If you agree that it has no security impact, I will post it (or any reviewer of this thread can) to distro-pkg-dev once I'm back from vacation.
The fix is needed for 1.5, 1.6 and 1.7
  - the table validator in itweb-settings still correctly complains about the invalid table and points out the error
  - the invalid regex is just skipped as not matching
  - unit tests should be added (but I really need to hurry now to catch my ferry)
Comment 28 Tomas Hoger 2015-09-02 07:58:53 EDT
Created icedtea-web tracking bugs for this issue:

Affects: fedora-all [bug 1259311]
Comment 29 jiri vanek 2015-09-02 13:04:35 EDT
Patch for removal of line endings pushed to head:
Patch for correct escaping of url regexes also pushed to head

All rebukes to those two patches mentioned in this bug were fixed and additional tests for them added
Comment 30 jiri vanek 2015-09-03 09:11:39 EDT
Versioned .appletTrustSetting patch pushed to head

 actOnVersionLoad() can throw exception (at least Integer.valueOf(versionS)), not sure if that can cause any issues - was fixed, ty
 actOnVersionLoad() hard-codes current version number rather than using currentVersion. - was not fixed, is intentional
 Backup file extension is just .X, where X is number, so really a .0 for this upgrade. That makes it look like man page file. - added -backup suffix
 The length check was fixed in http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab
Comment 31 jiri vanek 2015-09-03 09:32:15 EDT
Fixed in two steps
 - records containing line break are never saved to affected config file
 - possible already corrupted settings are discarded to backup and not used after update

Partially related is a push ensuring more proper url escaping.
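
The two steps described in comment 31, sketched as an added example that is not part of the bug thread and is not IcedTea-Web's own code. The record layout, the `ALWAYS` decision value, the version header and every class and method name are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

// Added illustration: a simplified, hypothetical one-record-per-line trust store.
// The record layout and version header are assumptions, not IcedTea-Web's format.
public class TrustStoreSketch {
    static final String VERSION_HEADER = "#VERSION 2"; // hypothetical marker
    private static final Pattern LINE_BREAK = Pattern.compile("\\R");

    // Step 1: a record whose fields contain any line break is never serialized,
    // so one saved decision can never become two lines in the file.
    static Optional<String> toRecord(String decision, String documentBase) {
        if (LINE_BREAK.matcher(decision).find()
                || LINE_BREAK.matcher(documentBase).find()) {
            return Optional.empty();
        }
        // Quote the URL so it is matched literally when read back as a regex.
        return Optional.of(decision + " " + Pattern.quote(documentBase));
    }

    // Step 2: a file without the version header predates the fix and may already
    // be corrupted, so none of its records are used (the caller moves it aside).
    static List<String> usableRecords(List<String> fileLines) {
        if (fileLines.isEmpty() || !VERSION_HEADER.equals(fileLines.get(0))) {
            return new ArrayList<>();
        }
        return new ArrayList<>(fileLines.subList(1, fileLines.size()));
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary URL and one with an embedded line break.
        String plain = "http://applets.example/page.html";
        String broken = "http://applets.example/a\nsecond-line";
        System.out.println("plain saved:  " + toRecord("ALWAYS", plain).isPresent());
        System.out.println("broken saved: " + toRecord("ALWAYS", broken).isPresent());

        List<String> legacy = Arrays.asList("ALWAYS \\Qhttp://old.example/\\E");
        List<String> current = Arrays.asList(VERSION_HEADER, toRecord("ALWAYS", plain).get());
        System.out.println("legacy records used:  " + usableRecords(legacy).size());
        System.out.println("current records used: " + usableRecords(current).size());
    }
}
```

The check rejects on the write path rather than trying to strip or escape the line break, which matches the "never saved" wording of the comment.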
Comment 32 jiri vanek 2015-09-08 08:14:23 EDT
all related changes pushed to 1.6 branch
Comment 33 jiri vanek 2015-09-08 11:21:36 EDT
all related changes pushed to 1.5 branch
Comment 34 Tomas Hoger 2015-12-14 15:52:47 EST
Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.
Comment 35 Tomas Hoger 2015-12-15 04:25:07 EST
This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1:

Comment 36 errata-xmlrpc 2016-05-10 16:14:30 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html
