Bug 704309 - VUL-0: icedtea/icedtea-web two issues
VUL-0: icedtea/icedtea-web two issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P2 - High : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:11.3:42295 maint:relea...
:
Depends on: 704419
Blocks:
  Show dependency treegraph
 
Reported: 2011-07-07 06:19 UTC by Ludwig Nussel
Modified: 2011-07-25 07:14 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
yet again updated patches (4.86 KB, application/x-gzip)
2011-07-19 13:23 UTC, Sebastian Krahmer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-07-07 06:19:37 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

------------------------------------------------------------------------------
From: Tomas Hoger <thoger@redhat.com>

Hi!

Omair Majid (Red Hat) discovered two flaws in the JNLP implementation
used in icedtea and icedtea-web.

CVE-2011-2513 - information disclosure.  An unsigned Web Start
application or applet could determine the path to the cache directory
used to store downloaded class and jar files
(/home/<username>/.netx/cache/) by querying class loader properties.
This discloses user's name and home directory path.

CVE-2011-2514 - security warning dialog manipulation.  An unsigned Web
Start application could manipulate content of the security warning
dialog message to show different file name in prompts as "The
application has requested (read|write) access to {0}. Do you want to
allow this action?".  This may trick user to grant access to some file,
while thinking they are granting access to a different file.

The second flaw is only relevant to icedtea-web, as JNLP code in
icedtea has a prompt "The application has requested (read|write)
access to a file on the machine.", which does not specify file name
user is asked to grant access to (sic).
Comment 3 Michal Vyskocil 2011-07-07 14:08:07 UTC
I will add the fix fox bnc#704419 as well.
Comment 8 Sebastian Krahmer 2011-07-13 06:14:08 UTC
On Mon, 11 Jul 2011 10:26:28 +0200 Tomas Hoger wrote:

> > CVE-2011-2513 - information disclosure.  An unsigned Web Start
> > application or applet could determine the path to the cache
> > directory used to store downloaded class and jar files
> > (/home/<username>/.netx/cache/) by querying class loader properties.
> > This discloses user's name and home directory path.
>
> Previously posted patches for this issue were discovered to trigger
> NullPointerException in some cases.  Attached are updated patches.

It seems additional problems were discovered with the patch.
Developers are investigating the issue, but are not expecting to be
able to release new version tomorrow.  You may wish to hold on your
patches and not release before upstream does.  I'll post updated patches
and new target date when they are available.

- --
Tomas Hoger / Red Hat Security Response Team
Comment 9 Michal Vyskocil 2011-07-13 07:34:41 UTC
OK, let's wait.
Comment 10 Sebastian Krahmer 2011-07-19 13:23:21 UTC
Created attachment 440855 [details]
yet again updated patches

.
Comment 11 Sebastian Krahmer 2011-07-19 13:24:18 UTC
From the mail:


Attached are updated patches.  New IcedTea-web and IcedTea upstream
releases are planned for tomorrow.  Consider public when upstream
releases are out.

--
Tomas Hoger / Red Hat Security Response Team
Comment 12 Swamp Workflow Management 2011-07-19 13:37:26 UTC
The SWAMPID for this issue is 42264.
This issue was rated as moderate.
Please submit fixed packages until 2011-08-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 13 Sebastian Krahmer 2011-07-20 15:22:32 UTC
This came via OSS-sec, so the issue has gone public.

Hi!

New IcedTea6 and IcedTea-Web releases fix two issues affecting browser
plugin and javaws:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html

--
Tomas Hoger / Red Hat Security Response Team
Comment 14 Michal Vyskocil 2011-07-21 08:05:15 UTC
packages has been submitted:

 * 11.4 - 76590
 * 11.3 - 76591
 * 11.2 - 76593
 * 11.1 - 76592
 * factory - 76595
Comment 15 Bernhard Wiedemann 2011-07-21 09:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (704309) was mentioned in
https://build.opensuse.org/request/show/76590 11.4 / icedtea-web
https://build.opensuse.org/request/show/76591 11.3 / icedtea-web
https://build.opensuse.org/request/show/76592 Evergreen:11.1 / icedtea-web
https://build.opensuse.org/request/show/76593 Evergreen:11.2 / icedtea-web
https://build.opensuse.org/request/show/76595 Factory / icedtea-web
Comment 16 Thomas Biege 2011-07-21 09:09:33 UTC
public now
Comment 17 Thomas Biege 2011-07-21 09:26:27 UTC
patchinfo submitted, will closing this
Comment 18 Swamp Workflow Management 2011-07-25 07:10:12 UTC
Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)