Bugzilla – Bug 704309
VUL-0: icedtea/icedtea-web two issues
Last modified: 2011-07-25 07:14:52 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates. ------------------------------------------------------------------------------ From: Tomas Hoger <thoger@redhat.com> Hi! Omair Majid (Red Hat) discovered two flaws in the JNLP implementation used in icedtea and icedtea-web. CVE-2011-2513 - information disclosure. An unsigned Web Start application or applet could determine the path to the cache directory used to store downloaded class and jar files (/home/<username>/.netx/cache/) by querying class loader properties. This discloses user's name and home directory path. CVE-2011-2514 - security warning dialog manipulation. An unsigned Web Start application could manipulate content of the security warning dialog message to show different file name in prompts as "The application has requested (read|write) access to {0}. Do you want to allow this action?". This may trick user to grant access to some file, while thinking they are granting access to a different file. The second flaw is only relevant to icedtea-web, as JNLP code in icedtea has a prompt "The application has requested (read|write) access to a file on the machine.", which does not specify file name user is asked to grant access to (sic).
I will add the fix fox bnc#704419 as well.
On Mon, 11 Jul 2011 10:26:28 +0200 Tomas Hoger wrote: > > CVE-2011-2513 - information disclosure. An unsigned Web Start > > application or applet could determine the path to the cache > > directory used to store downloaded class and jar files > > (/home/<username>/.netx/cache/) by querying class loader properties. > > This discloses user's name and home directory path. > > Previously posted patches for this issue were discovered to trigger > NullPointerException in some cases. Attached are updated patches. It seems additional problems were discovered with the patch. Developers are investigating the issue, but are not expecting to be able to release new version tomorrow. You may wish to hold on your patches and not release before upstream does. I'll post updated patches and new target date when they are available. - -- Tomas Hoger / Red Hat Security Response Team
OK, let's wait.
Created attachment 440855 [details] yet again updated patches .
From the mail: Attached are updated patches. New IcedTea-web and IcedTea upstream releases are planned for tomorrow. Consider public when upstream releases are out. -- Tomas Hoger / Red Hat Security Response Team
The SWAMPID for this issue is 42264. This issue was rated as moderate. Please submit fixed packages until 2011-08-02. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
This came via OSS-sec, so the issue has gone public. Hi! New IcedTea6 and IcedTea-Web releases fix two issues affecting browser plugin and javaws: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html -- Tomas Hoger / Red Hat Security Response Team
packages has been submitted: * 11.4 - 76590 * 11.3 - 76591 * 11.2 - 76593 * 11.1 - 76592 * factory - 76595
This is an autogenerated message for OBS integration: This bug (704309) was mentioned in https://build.opensuse.org/request/show/76590 11.4 / icedtea-web https://build.opensuse.org/request/show/76591 11.3 / icedtea-web https://build.opensuse.org/request/show/76592 Evergreen:11.1 / icedtea-web https://build.opensuse.org/request/show/76593 Evergreen:11.2 / icedtea-web https://build.opensuse.org/request/show/76595 Factory / icedtea-web
public now
patchinfo submitted, will closing this
Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc Products: openSUSE 11.3 (i586, x86_64) openSUSE 11.4 (i586, x86_64)