The implementation considers JAR archives fully signed even when unsigned class files reside in the META-INF directory. A MITM attacker could inject extra code into the JAR archive and get it invoked by specifying it via the main-class attribute of application-desc: <application-desc main-class="META-INF.Test" /> (the class name META-INF.Test resolves to the archive entry META-INF/Test.class). The dash is not among the allowed characters in Java identifiers, so such a class cannot be produced by a legitimate compiler, but the bytecode verifier happily accepts crafted class files with a dash in the package name.
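The check a hardened JNLP loader needs here is "every non-signature entry of the JAR, including anything under META-INF, must be covered by a manifest digest" plus "the main-class must be a legal Java binary name". The script below is an added illustration, not IcedTea-Web's code: it builds a constructed sample JAR containing a digested application class and a smuggled META-INF/Test.class, lists the entries that are not covered by the manifest, and rejects the dashed main-class. The manifest digest value, the signer file names and the class file bytes are placeholders; the script does not verify the digests or the PKCS#7 signature itself, only the coverage rule that the vulnerable implementation skipped.

```python
import io
import re
import zipfile

# Entries that carry the signature itself; they have no manifest digest of their
# own and are exempt from the "every entry must be digested" rule.
SIGNATURE_NAME = re.compile(
    r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$", re.IGNORECASE)

# Simplified Java identifier: ASCII letters, digits, '_' and '$', no leading digit.
# Real Java also admits Unicode letters; this is deliberately narrower (assumption).
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def parse_manifest_names(manifest_text):
    """Return the set of entry names that have a per-entry section with a digest."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    unfolded = re.sub(r"\r?\n ", "", manifest_text)
    names = set()
    for section in re.split(r"\r?\n\r?\n", unfolded):
        name = None
        has_digest = False
        for line in section.splitlines():
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif re.match(r"^[A-Za-z0-9-]+-Digest: ", line):
                has_digest = True
        if name and has_digest:
            names.add(name)
    return names


def unsigned_entries(jar_bytes):
    """Names of JAR entries not covered by a manifest digest.

    A loader that reports the JAR as 'fully signed' while this list is
    non-empty makes exactly the mistake described above: it never looked
    at the class smuggled into META-INF.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        digested = parse_manifest_names(manifest)
        result = []
        for info in zf.infolist():
            if info.is_dir() or SIGNATURE_NAME.match(info.filename):
                continue  # signature block files are not digested themselves
            if info.filename not in digested:
                result.append(info.filename)
        return result


def main_class_is_legal(main_class):
    """True if every dot-separated segment is a (simplified) legal Java identifier.

    'META-INF.Test' fails because of the dash, even though the JVM's
    verifier would accept a class file with that package name.
    """
    return all(JAVA_IDENT.match(seg) for seg in main_class.split("."))


def main_class_to_entry(main_class):
    """Map a binary class name to the archive entry the class loader would open."""
    return main_class.replace(".", "/") + ".class"


def build_sample_jar():
    """Constructed sample: one digested app class plus a smuggled class under META-INF.

    The .SF/.RSA contents and the digest value are placeholders, not a real signature.
    """
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "\r\n"
        "Name: com/example/App.class\r\n"
        "SHA-256-Digest: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")  # placeholder, not real PKCS#7
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/Test.class", b"\xca\xfe\xba\xbe")  # injected by the attacker
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("entries without a manifest digest:", unsigned_entries(jar))
    for mc in ("com.example.App", "META-INF.Test"):
        print(mc, "->", main_class_to_entry(mc),
              "legal" if main_class_is_legal(mc) else "REJECT: not a Java identifier")
```

Either check alone would have stopped the attack described above; a loader should apply both, since the coverage check also catches injected resources that are never named as main-class.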
Acknowledgments: Name: Imre Rad
Created icedtea-web tracking bugs for this issue: Affects: fedora-all [bug 1734805]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2004 https://access.redhat.com/errata/RHSA-2019:2004
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2003 https://access.redhat.com/errata/RHSA-2019:2003
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10181
Upstream fixes:
* 1.7 branch:
  CVE-2019-10182: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/f9c2cf7fd24415ba2bb2619b69259035338ee5b6
  CVE-2019-10185: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/26305807b41a5b4e9813db42531acd754899207f
  CVE-2019-10181: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd
* 1.8 branch:
  CVE-2019-10182: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/7958049eedc213be1ad4ae80ee312b167ddb320f
  CVE-2019-10185: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/686213a6d68c21879d92cea3699b279c8f2662fa
  CVE-2019-10181: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e