Bug 672262 (CVE-2011-0025) - CVE-2011-0025 IcedTea jarfile signature verification bypass
Summary: CVE-2011-0025 IcedTea jarfile signature verification bypass
Alias: CVE-2011-0025
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2011-01-24 15:58 UTC by Marc Schoenefeld
Modified: 2021-10-19 21:47 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2021-10-19 21:47:20 UTC

Attachments (Terms of Use)

Comment 4 Marc Schoenefeld 2011-02-01 14:21:39 UTC
Omair Majid discovered that there are more problems with jar verification that
Ville Skyttä found (bug #671269). Essentially, there was no multiple signer
handling at all. This means it would be possible (with the current code) to make netx display either the wrong cert, or even no cert at all with a carefully crafted jnlp app. This means that in certain cases the user is not even notified and untrusted code is run with the full privileges of the user.

Comment 5 Vincent Danen 2011-02-04 20:57:00 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0025 to
the following vulnerability:

Name: CVE-2011-0025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
Assigned: 20101207
Reference: http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515
Reference: http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/
Reference: http://www.ubuntu.com/usn/USN-1055-1
Reference: http://www.securityfocus.com/bid/46110
Reference: http://secunia.com/advisories/43135

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does
not properly verify signatures for JAR files that (1) are "partially
signed" or (2) signed by multiple entities, which allows remote
attackers to trick users into executing code that appears to come from
a trusted source.

Note You need to log in before you can comment on or make changes to this bug.