A flaw was reported in IcedTea-web plugin where certain events attached to an applet, when triggered, could lead to a heap-based buffer overflow, resulting in possible information leak, crash, or code execution.
This has been assigned CVE-2012-4540.
Created attachment 631741: proposed patch
Created attachment 635041: Update patch from Deepak Bhole
(In reply to comment #0)
> A flaw was reported in IcedTea-web plugin where certain events attached to
> an applet, when triggered, could lead to a heap-based buffer overflow,
> resulting in possible information leak, crash, or code execution.

The problem is in the IcedTeaScriptableJavaObject::invoke function:
http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/11c61503e614/plugin/icedteanp/IcedTeaScriptablePluginObject.cc#l592

If method invocation ends with an exception, icedtea-web plugin allocates memory for an error message to be passed to the browser. When doing so, it does not allocate space for the trailing '\0' string terminator. This can lead to a one byte buffer overflow (assuming sizeof(char) == 1). The data written past the end of the buffer is not attacker controlled and it is always '\0'.
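The sizing mistake described in the comment above, shown as an added C example (not code from icedtea-web; the "Error: " prefix and the message layout are constructed assumptions, since the page does not show the real format). The buggy size function omits the terminator byte, the corrected one adds it, and `bytes_past_end` reports how far a terminated write would spill past a given allocation, which is the check a reviewer would apply to any `strlen`-based `malloc`. The hardened builder bounds the write with `snprintf` so an undersized allocation fails closed instead of overflowing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed prefix standing in for whatever the plugin prepends to the
 * Java exception text; the real layout is not on the page. */
static const char *kPrefix = "Error: ";

/* Bytes needed for prefix + detail + the terminating '\0'. */
size_t error_msg_alloc_size(const char *detail) {
    return strlen(kPrefix) + strlen(detail) + 1; /* +1 for '\0' */
}

/* Mirrors the reported flaw: strlen() counts characters, not the
 * terminator, so this is one byte short for a C string. */
size_t error_msg_alloc_size_buggy(const char *detail) {
    return strlen(kPrefix) + strlen(detail);
}

/* How many bytes a terminated write of the message would land beyond an
 * allocation of `allocated` bytes. 0 means the buffer is big enough;
 * 1 is the classic off-by-one where only the '\0' spills past the end. */
size_t bytes_past_end(size_t allocated, const char *detail) {
    size_t needed = strlen(kPrefix) + strlen(detail) + 1;
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened builder: allocates the correct size and bounds the write with
 * snprintf, so a sizing error can never write past the buffer. Returns a
 * heap string the caller frees, or NULL on allocation failure or truncation. */
char *build_error_msg(const char *detail) {
    size_t n = error_msg_alloc_size(detail);
    char *buf = malloc(n);
    if (buf == NULL) {
        return NULL;
    }
    int written = snprintf(buf, n, "%s%s", kPrefix, detail);
    if (written < 0 || (size_t)written >= n) {
        free(buf); /* would have been truncated: treat as an error, not a silent overflow */
        return NULL;
    }
    return buf;
}

int main(void) {
    const char *detail = "NullPointerException"; /* constructed sample exception text */
    printf("buggy size %zu, spills %zu byte(s)\n",
           error_msg_alloc_size_buggy(detail),
           bytes_past_end(error_msg_alloc_size_buggy(detail), detail));
    printf("fixed size %zu, spills %zu byte(s)\n",
           error_msg_alloc_size(detail),
           bytes_past_end(error_msg_alloc_size(detail), detail));
    char *msg = build_error_msg(detail);
    if (msg != NULL) {
        printf("%s\n", msg);
        free(msg);
    }
    return 0;
}
```

The spill count is the useful part for triage: a value of exactly 1 with a constant '\0' as the overflowing byte matches the comment's assessment (heap metadata or an adjacent object's first byte gets zeroed, contents not attacker controlled), which is a lower-severity corruption than a length-controlled overflow but still a crash and memory-safety bug.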
Created attachment 636971: Final patch from Deepak Bhole
Created attachment 636984: Final patch from Deepak Bhole

Add correct patch. The one in comment #7 is the same as the one in comment #4.
Acknowledgment: Red Hat would like to thank Arthur Gerkis for reporting this issue.
Fixed now upstream in 1.1.7, 1.2.2 and 1.3.1:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html

Upstream commit (1.3 branch):
http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/e7970f3da5fe
This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1434 https://rhn.redhat.com/errata/RHSA-2012-1434.html
Upstream have forwarded the patch both to head and 1.4.
http://icedtea.classpath.org/hg/icedtea-web/rev/dbd98f24eebb
http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a

Thanks for letting us know.
(In reply to jiri vanek from comment #12)
> Upstream have forwarded the patch both to head and 1.4.

To give this a little more context, the fix of this issue did not get applied to icedtea-web at the time the 1.1, 1.2 and 1.3 branches were fixed. Therefore, 1.4, released a few months later, is also affected. A new CVE id, CVE-2013-4349, was assigned for the issue - see bug 1007960.