Bug 869040 - CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
impact=critical,public=20121107,repor...
: Security
Depends On: 871101 871102
Blocks: 869043
Reported: 2012-10-22 16:49 EDT by Vincent Danen
Modified: 2016-03-04 07:35 EST (History)

See Also:
Fixed In Version: icedtea-web 1.1.7, icedtea-web 1.2.2, icedtea-web 1.3.1, icedtea-web 1.4.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-12 11:56:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
Attachments
proposed patch (690 bytes, patch), 2012-10-22 17:08 EDT, Vincent Danen
Update patch from Deepak Bhole (689 bytes, patch), 2012-10-29 10:39 EDT, Tomas Hoger
Final patch from Deepak Bhole (689 bytes, patch), 2012-11-02 04:42 EDT, Tomas Hoger
Final patch from Deepak Bhole (1.64 KB, patch), 2012-11-02 04:45 EDT, Tomas Hoger


External Trackers
Mozilla Foundation 756792 (Priority: None, Status: None, Summary: None), last updated 2012-10-23 10:38:02 EDT

Description Vincent Danen 2012-10-22 16:49:38 EDT
A flaw was reported in the IcedTea-web plugin where certain events attached to an applet, when triggered, could lead to a heap-based buffer overflow, resulting in a possible information leak, crash, or code execution.
Comment 1 Vincent Danen 2012-10-22 17:00:47 EDT
This has been assigned CVE-2012-4540.
Comment 3 Vincent Danen 2012-10-22 17:08:13 EDT
Created attachment 631741 [details]
proposed patch
Comment 4 Tomas Hoger 2012-10-29 10:39:08 EDT
Created attachment 635041 [details]
Update patch from Deepak Bhole
Comment 5 Tomas Hoger 2012-10-29 11:03:32 EDT
(In reply to comment #0)
> A flaw was reported in the IcedTea-web plugin where certain events attached to
> an applet, when triggered, could lead to a heap-based buffer overflow,
> resulting in a possible information leak, crash, or code execution.

The problem is in the IcedTeaScriptableJavaObject::invoke function:

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/11c61503e614/plugin/icedteanp/IcedTeaScriptablePluginObject.cc#l592

If method invocation ends with an exception, the icedtea-web plugin allocates memory for an error message to be passed to the browser.  When doing so, it does not allocate space for the trailing '\0' string terminator.  This can lead to a one byte buffer overflow (assuming sizeof(char) == 1).  The data written past the end of the buffer is not attacker controlled and is always '\0'.
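The allocation mistake described in comment 5, reduced to a stand-alone C program (added illustration, not IcedTea-Web's code; the prefix string, the function names and the sample exception text are hypothetical). It contrasts the buggy sizing (visible characters only) with the corrected sizing (plus one byte for the terminator), and includes a check that reports whether a given allocation would force the formatting call to write its '\0' past the end of the buffer, which is the one-byte heap overflow the report describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed prefix prepended to the exception text when the
   error message for the browser is built. Not the plugin's real string. */
static const char PREFIX[] = "Error: ";

/* Number of visible characters in the composed message (no terminator). */
size_t message_len(const char *exc)
{
    return strlen(PREFIX) + strlen(exc);
}

/* The flawed sizing from the report: room for the characters only, so the
   formatting call has nowhere to put the trailing '\0'. */
size_t buggy_alloc_size(const char *exc)
{
    return message_len(exc);
}

/* The corrected sizing: one extra byte for the terminator. */
size_t fixed_alloc_size(const char *exc)
{
    return message_len(exc) + 1;
}

/* Returns 1 if formatting "PREFIX + exc" into a buffer of 'alloc' bytes would
   need to write beyond it, i.e. the terminator does not fit; 0 otherwise.
   snprintf(NULL, 0, ...) only measures: it returns the character count that
   would be written, excluding the terminator, without touching memory. */
int would_overflow(const char *exc, size_t alloc)
{
    int needed = snprintf(NULL, 0, "%s%s", PREFIX, exc);
    if (needed < 0)
        return 1;                      /* encoding error: treat as unsafe */
    return (size_t)needed + 1 > alloc; /* +1 for the '\0' */
}

/* Safe builder: allocates length + 1, bounds the write to the allocation and
   refuses to return a truncated message. Caller frees the result. */
char *build_error_message(const char *exc)
{
    size_t alloc = fixed_alloc_size(exc);
    char *buf = malloc(alloc);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, alloc, "%s%s", PREFIX, exc);
    if (n < 0 || (size_t)n >= alloc) { /* cannot happen with fixed sizing */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample exception text, not taken from the report. */
    const char *exc = "java.lang.NullPointerException";

    printf("buggy alloc %zu bytes: overflow=%d\n",
           buggy_alloc_size(exc), would_overflow(exc, buggy_alloc_size(exc)));
    printf("fixed alloc %zu bytes: overflow=%d\n",
           fixed_alloc_size(exc), would_overflow(exc, fixed_alloc_size(exc)));

    char *msg = build_error_message(exc);
    if (msg != NULL) {
        puts(msg);
        free(msg);
    }
    return 0;
}
```

The sizing check is what an allocator-aware tool such as AddressSanitizer reports at runtime for the original pattern: a one-byte write just past a heap block. Because the byte written is always '\0', the practical impact depends on what the allocator placed immediately after the block, which is why the report rates the bug as a heap overflow rather than a controlled write.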
Comment 7 Tomas Hoger 2012-11-02 04:42:58 EDT
Created attachment 636971 [details]
Final patch from Deepak Bhole
Comment 8 Tomas Hoger 2012-11-02 04:45:54 EDT
Created attachment 636984 [details]
Final patch from Deepak Bhole

Add correct patch.  The one in comment #7 is the same as the one in comment #4.
Comment 9 Tomas Hoger 2012-11-02 06:09:50 EDT
Acknowledgment:

Red Hat would like to thank Arthur Gerkis for reporting this issue.
Comment 10 Tomas Hoger 2012-11-07 13:39:25 EST
Fixed now upstream in 1.1.7, 1.2.2 and 1.3.1:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html

Upstream commit (1.3 branch):

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/e7970f3da5fe
Comment 11 errata-xmlrpc 2012-11-07 13:56:16 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1434 https://rhn.redhat.com/errata/RHSA-2012-1434.html
Comment 12 jiri vanek 2013-09-16 08:33:09 EDT
Upstream has forwarded the patch both to head and 1.4.

http://icedtea.classpath.org/hg/icedtea-web/rev/dbd98f24eebb
http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a

Thanks for letting us know.
Comment 13 Tomas Hoger 2013-09-16 09:52:02 EDT
(In reply to jiri vanek from comment #12)
> Upstream has forwarded the patch both to head and 1.4.

To give this a little more context, the fix for this issue did not get applied to icedtea-web head at the time the 1.1, 1.2 and 1.3 branches were fixed.  Therefore, 1.4, released a few months later, is also affected.  A new CVE id, CVE-2013-4349, was assigned for the issue - see bug 1007960.
