Bug 869040 (CVE-2012-4540) - CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow
Summary: CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one hea...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4540
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 871101 871102
Blocks: 869043
Reported: 2012-10-22 20:49 UTC by Vincent Danen
Modified: 2019-09-29 12:56 UTC (History)

Fixed In Version: icedtea-web 1.1.7, icedtea-web 1.2.2, icedtea-web 1.3.1, icedtea-web 1.4.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-12 16:56:54 UTC


Attachments
proposed patch (690 bytes, patch)
2012-10-22 21:08 UTC, Vincent Danen
Update patch from Deepak Bhole (689 bytes, patch)
2012-10-29 14:39 UTC, Tomas Hoger
Final patch from Deepak Bhole (689 bytes, patch)
2012-11-02 08:42 UTC, Tomas Hoger
Final patch from Deepak Bhole (1.64 KB, patch)
2012-11-02 08:45 UTC, Tomas Hoger


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1434 normal SHIPPED_LIVE Critical: icedtea-web security update 2012-11-07 23:52:36 UTC
Mozilla Foundation 756792 None None None 2012-10-23 14:38:02 UTC

Description Vincent Danen 2012-10-22 20:49:38 UTC
A flaw was reported in the IcedTea-web plugin where certain events attached to an applet, when triggered, could lead to a heap-based buffer overflow, resulting in possible information leak, crash, or code execution.

Comment 1 Vincent Danen 2012-10-22 21:00:47 UTC
This has been assigned CVE-2012-4540.

Comment 3 Vincent Danen 2012-10-22 21:08:13 UTC
Created attachment 631741 [details]
proposed patch

Comment 4 Tomas Hoger 2012-10-29 14:39:08 UTC
Created attachment 635041 [details]
Update patch from Deepak Bhole

Comment 5 Tomas Hoger 2012-10-29 15:03:32 UTC
(In reply to comment #0)
> A flaw was reported in the IcedTea-web plugin where certain events attached to
> an applet, when triggered, could lead to a heap-based buffer overflow,
> resulting in possible information leak, crash, or code execution.

The problem is in the IcedTeaScriptableJavaObject::invoke function:

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/11c61503e614/plugin/icedteanp/IcedTeaScriptablePluginObject.cc#l592

If method invocation ends with an exception, the icedtea-web plugin allocates memory for an error message to be passed to the browser.  When doing so, it does not allocate space for the trailing '\0' string terminator.  This can lead to a one byte buffer overflow (assuming sizeof(char) == 1).  The data written past the end of the buffer is not attacker controlled and it is always '\0'.
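Added example (not icedtea-web's code): a C reconstruction of the size miscount comment 5 describes, next to a builder that sizes the buffer for the terminator and bounds the copy. The message prefix, function names and sample exception text are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in comment 5, not icedtea-web's
 * code: the prefix wording and function names are assumptions. The message
 * handed to the browser is "<prefix><exception text>" as a C string. */

/* Bytes the message occupies as a C string, including the trailing '\0'. */
size_t error_message_size(const char *prefix, const char *exception_text)
{
    return strlen(prefix) + strlen(exception_text) + 1;
}

/* The flawed count: visible characters only, no room for the '\0'.
 * Kept separate so the shortfall can be checked; it never sizes a real
 * allocation in this file, so nothing here writes out of bounds. */
size_t error_message_size_buggy(const char *prefix, const char *exception_text)
{
    return strlen(prefix) + strlen(exception_text);
}

/* 1 if a heap block of alloc_size bytes can hold the whole message. */
int allocation_fits(size_t alloc_size, const char *prefix, const char *exception_text)
{
    return alloc_size >= error_message_size(prefix, exception_text);
}

/* Hardened builder: size the block from error_message_size and let snprintf
 * enforce that bound, so a future miscount truncates instead of overflowing.
 * Caller frees the result. */
char *build_error_message(const char *prefix, const char *exception_text)
{
    size_t size = error_message_size(prefix, exception_text);
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    snprintf(buf, size, "%s%s", prefix, exception_text);
    return buf;
}

int main(void)
{
    const char *prefix = "Error on Java side: ";        /* assumed wording */
    const char *exc = "java.lang.NullPointerException"; /* constructed sample */
    printf("needed %zu bytes, flawed count %zu, fits with flawed count: %d\n",
           error_message_size(prefix, exc), error_message_size_buggy(prefix, exc),
           allocation_fits(error_message_size_buggy(prefix, exc), prefix, exc));
    char *msg = build_error_message(prefix, exc);
    printf("%s\n", msg);
    free(msg);
    return 0;
}
```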

Comment 7 Tomas Hoger 2012-11-02 08:42:58 UTC
Created attachment 636971 [details]
Final patch from Deepak Bhole

Comment 8 Tomas Hoger 2012-11-02 08:45:54 UTC
Created attachment 636984 [details]
Final patch from Deepak Bhole

Add correct patch.  The one in comment #7 is the same as the one in comment #4.

Comment 9 Tomas Hoger 2012-11-02 10:09:50 UTC
Acknowledgment:

Red Hat would like to thank Arthur Gerkis for reporting this issue.

Comment 10 Tomas Hoger 2012-11-07 18:39:25 UTC
Fixed now upstream in 1.1.7, 1.2.2 and 1.3.1:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html

Upstream commit (1.3 branch):

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/e7970f3da5fe

Comment 11 errata-xmlrpc 2012-11-07 18:56:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1434 https://rhn.redhat.com/errata/RHSA-2012-1434.html

Comment 12 jiri vanek 2013-09-16 12:33:09 UTC
Upstream has forwarded the patch both to head and 1.4.

http://icedtea.classpath.org/hg/icedtea-web/rev/dbd98f24eebb
http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a

Thanks for letting us know.

Comment 13 Tomas Hoger 2013-09-16 13:52:02 UTC
(In reply to jiri vanek from comment #12)
> Upstream has forwarded the patch both to head and 1.4.

To give this a little more context, the fix of this issue did not get applied to icedtea-web head at the time the 1.1, 1.2 and 1.3 branches were fixed.  Therefore, 1.4, released a few months later, is also affected.  A new CVE id, CVE-2013-4349, was assigned for the issue - see bug 1007960.
