869040 – (CVE-2012-4540) CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow

Bug 869040 (CVE-2012-4540) - CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow

Summary: CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one hea...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-4540
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	871101 871102
Blocks:	869043
TreeView+	depends on / blocked

Reported:	2012-10-22 20:49 UTC by Vincent Danen
Modified:	2023-05-12 23:17 UTC (History)
CC List:	3 users (show)
Fixed In Version:	icedtea-web 1.1.7, icedtea-web 1.2.2, icedtea-web 1.3.1, icedtea-web 1.4.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-12-12 16:56:54 UTC
Embargoed:

Attachments	(Terms of Use)
proposed patch (690 bytes, patch) 2012-10-22 21:08 UTC, Vincent Danen	no flags	Details \| Diff
Update patch from Deepak Bhole (689 bytes, patch) 2012-10-29 14:39 UTC, Tomas Hoger	no flags	Details \| Diff
Final patch from Deepak Bhole (689 bytes, patch) 2012-11-02 08:42 UTC, Tomas Hoger	no flags	Details \| Diff
Final patch from Deepak Bhole (1.64 KB, patch) 2012-11-02 08:45 UTC, Tomas Hoger	no flags	Details \| Diff
Show Obsolete (3) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	756792	0	None	None	None	2012-10-23 14:38:02 UTC
Red Hat Product Errata	RHSA-2012:1434	0	normal	SHIPPED_LIVE	Critical: icedtea-web security update	2012-11-07 23:52:36 UTC

Description Vincent Danen 2012-10-22 20:49:38 UTC

A flaw was reported in IcedTea-web plugin where certain events attached to an applet, when triggered, could lead to a heap-based buffer overflow, resulting in possible information leak, crash, or code execution.

Comment 1 Vincent Danen 2012-10-22 21:00:47 UTC

This has been assigned CVE-2012-4540.

Comment 3 Vincent Danen 2012-10-22 21:08:13 UTC

Created attachment 631741 [details]
proposed patch

Comment 4 Tomas Hoger 2012-10-29 14:39:08 UTC

Created attachment 635041 [details]
Update patch from Deepak Bhole

Comment 5 Tomas Hoger 2012-10-29 15:03:32 UTC

(In reply to comment #0)
> A flaw was reported in IcedTea-web plugin where certain events attached to
> an applet, when triggered, could lead to a heap-based buffer overflow,
> resulting in possible information leak, crash, or code execution.

The problem is in the IcedTeaScriptableJavaObject::invoke function:

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/file/11c61503e614/plugin/icedteanp/IcedTeaScriptablePluginObject.cc#l592

If method invocation ends with an exception, icedtea-web plugin allocates memory for an error message to be passed to the browser.  When doing so, it does not allocate space for the tailing '\0' string terminator.  This can lead to a one byte buffer overflow (assuming sizeof(char) == 1).  The data written past the end of the buffer is not attacker controlled and it always '\0'.

Comment 7 Tomas Hoger 2012-11-02 08:42:58 UTC

Created attachment 636971 [details]
Final patch from Deepak Bhole

Comment 8 Tomas Hoger 2012-11-02 08:45:54 UTC

Created attachment 636984 [details]
Final patch from Deepak Bhole

Add correct patch.  The one in comment #7 is the same as the one in comment #4.

Comment 9 Tomas Hoger 2012-11-02 10:09:50 UTC

Acknowledgment:

Red Hat would like to thank Arthur Gerkis for reporting this issue.

Comment 10 Tomas Hoger 2012-11-07 18:39:25 UTC

Fixed now upstream in 1.1.7, 1.2.2 and 1.3.1:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html

Upstream commit (1.3 branch):

http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/e7970f3da5fe

Comment 11 errata-xmlrpc 2012-11-07 18:56:16 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1434 https://rhn.redhat.com/errata/RHSA-2012-1434.html

Comment 12 jiri vanek 2013-09-16 12:33:09 UTC

Upstream have forwarded the patch both to head and 1.4.

http://icedtea.classpath.org/hg/icedtea-web/rev/dbd98f24eebb
http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a

thanx for letting us know.

Comment 13 Tomas Hoger 2013-09-16 13:52:02 UTC

(In reply to jiri vanek from comment #12)
> Upstream have forwarded the patch both to head and 1.4.

To give this a little more context, the fix of this issue did not get applied to icedtea-web at the time 1.1, 1.2 and 1.3 branches were fixed.  Therefore, 1.4 released few month later is also affected.  A new CVE id CVE-2013-4349 was assigned for the issue - see bug 1007960.

Note You need to log in before you can comment on or make changes to this bug.