Bug 672262 - (CVE-2011-0025) CVE-2011-0025 IcedTea jarfile signature verification bypass
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Priority: high
Severity: high
Assigned To: Red Hat Product Security
: Security
Reported: 2011-01-24 10:58 EST by Marc Schoenefeld
Modified: 2015-08-19 05:03 EDT

Comment 4 Marc Schoenefeld 2011-02-01 09:21:39 EST
Omair Majid discovered that there are more problems with jar verification than
Ville Skyttä found (bug #671269). Essentially, there was no multiple signer
handling at all. This means it would be possible (with the current code) to
make netx display either the wrong cert, or even no cert at all with a
carefully crafted jnlp app. This means that in certain cases the user is not
even notified and untrusted code is run with the full privileges of the user.
Comment 5 Vincent Danen 2011-02-04 15:57:00 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0025 to
the following vulnerability:

Name: CVE-2011-0025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
Assigned: 20101207
Reference: http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515
Reference: http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/
Reference: http://www.ubuntu.com/usn/USN-1055-1
Reference: http://www.securityfocus.com/bid/46110
Reference: http://secunia.com/advisories/43135

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does
not properly verify signatures for JAR files that (1) are "partially
signed" or (2) signed by multiple entities, which allows remote
attackers to trick users into executing code that appears to come from
a trusted source.
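
The following Java check is an added illustration, not part of the bug report and not the IcedTea fix. It covers the two cases named in the CVE description by accepting a JAR only when at least one signer covers every content entry, so partially signed archives and archives whose entries have disjoint signers are both rejected. The class and method names are hypothetical; only the standard java.util.jar API is used.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CommonSignerCheck {

    // Files that carry the signature itself; they are never signed entries.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        String f = n.substring(9);
        return f.equals("MANIFEST.MF") || f.startsWith("SIG-") || f.endsWith(".SF")
                || f.endsWith(".RSA") || f.endsWith(".DSA") || f.endsWith(".EC");
    }

    /**
     * Returns the signers whose signature covers every content entry.
     * Empty result: unsigned, partially signed, or no signer common to all entries.
     */
    static Set<CodeSigner> commonSigners(String path) throws IOException {
        Set<CodeSigner> common = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {      // true = verify digests
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are only populated after the entry is read to the end;
                // a tampered entry raises SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return Collections.emptySet();   // unsigned entry
                Set<CodeSigner> here = new HashSet<>(Arrays.asList(signers));
                if (common == null) common = here; else common.retainAll(here);
                if (common.isEmpty()) return common;                  // disjoint signers
            }
        }
        return common == null ? Collections.<CodeSigner>emptySet() : common;
    }

    public static void main(String[] args) throws IOException {
        Set<CodeSigner> signers = commonSigners(args[0]);
        System.out.println(signers.isEmpty()
                ? "REJECT: no single signer covers every entry"
                : "Signers covering all entries (chain trust still to be checked): " + signers.size());
    }
}
```

A non-empty result only says which certificates to show the user; each signer's certificate chain must still be validated against the trust store before any entry is treated as trusted.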
