Closed Bug 756792 Opened 12 years ago Closed 12 years ago

Heap-buffer-overflow due to IcedTea plugin

Categories

(Core Graveyard :: Plug-ins, defect)

14 Branch
x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ax330d, Unassigned)

Details

(Keywords: sec-vector)

Attachments

(4 files, 1 obsolete file)

ASan reported a heap-buffer-overflow after triggering an event attached to an applet loaded with the IcedTea plugin.
 
Environment information:
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

Tested only on Linux x64, 14 and 15 branches.
Attached file ASan log (symbolized)
Why don't we have symbols for the plugin? Isn't it an open-source plugin?

What file format is the testcase?
Component: Untriaged → Plug-ins
Product: Firefox → Core
QA Contact: untriaged → plugins
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #3)
> 
> What file format is the testcase?

Not sure what you mean - isn't the test case working for you? There should be two files in the zip archive - run.html and TestApplet.class; one has to open run.html.
Comment on attachment 625421 [details]
test-case (.zip) triggering the crash

Bugzilla doesn't show file names, so I had no way of knowing that it was a zip
Attachment #625421 - Attachment description: test-case triggering the crash → test-case (.zip) triggering the crash
Attachment #625421 - Attachment mime type: application/octet-stream → application/zip
Attachment #625421 - Attachment mime type: application/zip → application/java-archive
Could be an off-by-one in IcedTea itself... who maintains that?
Jorge, do you know who maintains IcedTea?
Status: UNCONFIRMED → NEW
Ever confirmed: true
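The comment above speculates about an off-by-one. The thread does not show the IcedTea-Web code or the actual defect, so the following is a constructed illustration of that bug class, added here and not taken from the bug, the attached patch, or the IcedTea project: a heap-allocated table whose bounds check accepts one index too many, next to the corrected check. The table_t type and every function name are assumptions for the example only. With the buggy check, a put at idx == count writes four bytes past the end of the malloc'd block, which is exactly the "heap-buffer-overflow ... WRITE of size 4" shape ASan reports; the fixed check makes that write unreachable.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of an off-by-one heap-buffer-overflow of the kind
 * ASan reports. Not the IcedTea-Web code and not the CVE-2012-4540 defect. */

typedef struct {
    size_t count;   /* number of valid slots */
    int *slots;     /* heap array of exactly `count` ints */
} table_t;

/* Allocate a table with `count` slots; caller releases it with table_free(). */
table_t *table_new(size_t count) {
    table_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->slots = calloc(count, sizeof *t->slots);
    if (!t->slots) { free(t); return NULL; }
    t->count = count;
    return t;
}

/* Free both the slot array and the table header (no leak either way). */
void table_free(table_t *t) {
    if (!t) return;
    free(t->slots);
    free(t);
}

/* Buggy bounds check: accepts idx == count, one past the last slot. */
int index_ok_buggy(size_t idx, size_t count) {
    return idx <= count;
}

/* Correct bounds check: valid indices are 0 .. count-1. */
int index_ok_fixed(size_t idx, size_t count) {
    return idx < count;
}

/* "Before": with idx == t->count this stores 4 bytes past the end of
 * t->slots. Built with -fsanitize=address this is reported as a
 * heap-buffer-overflow WRITE of size 4. Calling it with idx == count
 * outside an ASan build is undefined behaviour, so main() below does not. */
int table_put_buggy(table_t *t, size_t idx, int value) {
    if (!index_ok_buggy(idx, t->count)) return -1;
    t->slots[idx] = value;
    return 0;
}

/* "After": rejects idx == count, so every store lands inside the block. */
int table_put_fixed(table_t *t, size_t idx, int value) {
    if (!index_ok_fixed(idx, t->count)) return -1;
    t->slots[idx] = value;
    return 0;
}

int main(void) {
    table_t *t = table_new(4);
    if (!t) return 1;
    printf("fixed: put at 3 -> %d, put at 4 -> %d\n",
           table_put_fixed(t, 3, 42), table_put_fixed(t, 4, 42));
    /* In an ASan build (cc -g -fsanitize=address) uncomment the next line to
     * see the overflow report: table_put_buggy(t, 4, 42); */
    table_free(t);
    return 0;
}
```

The buggy and fixed predicates are split out so the off-by-one can be checked directly without performing the out-of-bounds write; only the fixed path is exercised by default.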
According to bug 739955 comment #65, it is Deepak Bhole (dbhole@redhat.com).
Adding Deepak since no one else did.
Keywords: sec-vector
Attached patch Patch to fix this issue (obsolete) — Splinter Review
Thank you for adding me to CC, Al. I have investigated the issue and found the underlying cause. Since the reproducer is already posted here, I see no reason not to post the proposed fix as well. With the attached patch, the heap overflow is curtailed and ASan shows no errors.

I will talk to our security team to do a proper release as appropriate and will post the details here once I have them.
Hi. I am attaching the latest (and final) proposed fix for this issue. Tomas Hoger from our security team found a couple of other potential problem areas and, while investigating, we also found some memory leaks. This patch addresses all issues.

We have assigned a CVE for this (CVE-2012-4540) and the unembargo date is tentatively set for November 7th 2012.
Attachment #672849 - Attachment is obsolete: true
Do we need to check this in somewhere?
No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any Mozilla product. Marking INVALID for now, and we can clear the security flag once the embargo is lifted.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #13)
> No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any
> Mozilla product. Marking INVALID for now, and we can clear the security flag
> once the embargo is lifted.

Thanks. 

I posted the patch here just as an FYI. Mozilla product code is not affected in any way.
Is it ok to make this bug report public now?
Flags: needinfo?(dbhole)
Yes, the fix has been publicly released for a while now and there is no harm in opening this bug.
Flags: needinfo?(dbhole)
Group: core-security
Product: Core → Core Graveyard