Andrea Palazzo reported the following problem affecting IcedTea-Web: """ When requesting authorization to run an unsigned applet, a warning message is prompted, indicating the domain from which the applet's code is being requested. It is possible to tamper with this value just supplying an arbitrary value as codebase. This issue could be exploited to abuse the eventual presence of whitelisted domains in the victim config (something like A 1434665367633 .* \Qhttp://trusted-site/\E) to gain unauthorized execution or to trick the user into allowing an application leveraging on the trust he could have for a well known domain. """ Acknowledgement: Name: Andrea Palazzo (Truel IT)
This is nice example, where http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library will help a lot.
Dialogue informing user about laoded reources (similar to https://bugzilla.redhat.com/attachment.cgi?id=1064644) improved and enabled for unsigned apps. Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/531034ce3e30
(In reply to jiri vanek from comment #12) > Created attachment 1042634 [details] > patch with improved tests > > fix is same, just added three more tests for surrounding cases. Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/ee5e2cb91774
Created icedtea-web tracking bugs for this issue: Affects: fedora-all [bug 1259311]
Versioned .appletTrustSetting patch pushed to head http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab
Short summary: The issue is fixed via two steps: - First, when applet is saved for whole codebase, also docbase is include So Instead of rcord like metadata|docbase |codebase |another data . ..| .* | some.url/.*|... we save something like . ..|doc.url/.* | some.url/.*|... - Second, all resources going out of codebase AND docbase are reported to user
As partially related changeset, possibly already infected records are moved to backup and not used by updated versions
all related changes pushed to 1.6 branch
all related changes pushed to 1.5 branch
Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.
This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1: https://rhn.redhat.com/errata/RHBA-2015-2457.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html