Bug 704309

Summary: VUL-0: icedtea/icedtea-web two issues
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:11.3:42295 maint:released:11.4:42295
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 704419    
Bug Blocks:    
Attachments: yet again updated patches

Description Ludwig Nussel 2011-07-07 06:19:37 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

------------------------------------------------------------------------------
From: Tomas Hoger <thoger@redhat.com>

Hi!

Omair Majid (Red Hat) discovered two flaws in the JNLP implementation
used in icedtea and icedtea-web.

CVE-2011-2513 - information disclosure.  An unsigned Web Start
application or applet could determine the path to the cache directory
used to store downloaded class and jar files
(/home/<username>/.netx/cache/) by querying class loader properties.
This discloses user's name and home directory path.

CVE-2011-2514 - security warning dialog manipulation.  An unsigned Web
Start application could manipulate content of the security warning
dialog message to show different file name in prompts as "The
application has requested (read|write) access to {0}. Do you want to
allow this action?".  This may trick user to grant access to some file,
while thinking they are granting access to a different file.

The second flaw is only relevant to icedtea-web, as JNLP code in
icedtea has a prompt "The application has requested (read|write)
access to a file on the machine.", which does not specify file name
user is asked to grant access to (sic).
Comment 3 Michal Vyskocil 2011-07-07 14:08:07 UTC
I will add the fix for bnc#704419 as well.
Comment 8 Sebastian Krahmer 2011-07-13 06:14:08 UTC
On Mon, 11 Jul 2011 10:26:28 +0200 Tomas Hoger wrote:

> > CVE-2011-2513 - information disclosure.  An unsigned Web Start
> > application or applet could determine the path to the cache
> > directory used to store downloaded class and jar files
> > (/home/<username>/.netx/cache/) by querying class loader properties.
> > This discloses user's name and home directory path.
>
> Previously posted patches for this issue were discovered to trigger
> NullPointerException in some cases.  Attached are updated patches.

It seems additional problems were discovered with the patch.
Developers are investigating the issue, but are not expecting to be
able to release new version tomorrow.  You may wish to hold on your
patches and not release before upstream does.  I'll post updated patches
and new target date when they are available.

--
Tomas Hoger / Red Hat Security Response Team
Comment 9 Michal Vyskocil 2011-07-13 07:34:41 UTC
OK, let's wait.
Comment 10 Sebastian Krahmer 2011-07-19 13:23:21 UTC
Created attachment 440855
yet again updated patches

.
Comment 11 Sebastian Krahmer 2011-07-19 13:24:18 UTC
From the mail:


Attached are updated patches.  New IcedTea-web and IcedTea upstream
releases are planned for tomorrow.  Consider public when upstream
releases are out.

--
Tomas Hoger / Red Hat Security Response Team
Comment 12 Swamp Workflow Management 2011-07-19 13:37:26 UTC
The SWAMPID for this issue is 42264.
This issue was rated as moderate.
Please submit fixed packages until 2011-08-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 13 Sebastian Krahmer 2011-07-20 15:22:32 UTC
This came via OSS-sec, so the issue has gone public.

Hi!

New IcedTea6 and IcedTea-Web releases fix two issues affecting browser
plugin and javaws:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html

--
Tomas Hoger / Red Hat Security Response Team
Comment 14 Michal Vyskocil 2011-07-21 08:05:15 UTC
Packages have been submitted:

 * 11.4 - 76590
 * 11.3 - 76591
 * 11.2 - 76593
 * 11.1 - 76592
 * factory - 76595
Comment 15 Bernhard Wiedemann 2011-07-21 09:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (704309) was mentioned in
https://build.opensuse.org/request/show/76590 11.4 / icedtea-web
https://build.opensuse.org/request/show/76591 11.3 / icedtea-web
https://build.opensuse.org/request/show/76592 Evergreen:11.1 / icedtea-web
https://build.opensuse.org/request/show/76593 Evergreen:11.2 / icedtea-web
https://build.opensuse.org/request/show/76595 Factory / icedtea-web
Comment 16 Thomas Biege 2011-07-21 09:09:33 UTC
public now
Comment 17 Thomas Biege 2011-07-21 09:26:27 UTC
patchinfo submitted, will close this
Comment 18 Swamp Workflow Management 2011-07-25 07:10:12 UTC
Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)