Closed
Bug 756792
Opened 12 years ago
Closed 12 years ago
Heap-buffer-overflow due to IcedTea plugin
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: ax330d, Unassigned)
Details
(Keywords: sec-vector)
Attachments
(4 files, 1 obsolete file)
ASan reported a heap-buffer-overflow after triggering an event attached to an applet loaded with the IcedTea plugin.

Environment information:
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

Tested only on Linux x64, on the 14 and 15 branches.
Comment 1•12 years ago
Comment 2•12 years ago
Comment 3•12 years ago
Why don't we have symbols for the plugin? Isn't it an open-source plugin? What file format is the testcase?
Updated•12 years ago
Component: Untriaged → Plug-ins
Product: Firefox → Core
QA Contact: untriaged → plugins
Comment 4•12 years ago
(In reply to Benjamin Smedberg [:bsmedberg] from comment #3)
> What file format is the testcase?

Not sure what you mean - isn't the test-case working for you? There should be two files in the zip archive - run.html and TestApplet.class; one has to open run.html.
Comment 5•12 years ago
Comment on attachment 625421 [details]
test-case (.zip) triggering the crash
Bugzilla doesn't show file names, so I had no way of knowing that it was a zip
Attachment #625421 -
Attachment description: test-case triggering the crash → test-case (.zip) triggering the crash
Attachment #625421 -
Attachment mime type: application/octet-stream → application/zip
Updated•12 years ago
Attachment #625421 -
Attachment mime type: application/zip → application/java-archive
Comment 6•12 years ago
Could be an off-by-one in IcedTea itself... who maintains that?
Comment 7•12 years ago
Jorge, do you know who maintains IcedTea?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 8•12 years ago
According to bug 739955 comment #65, it is Deepak Bhole (dbhole@redhat.com).
Comment 9•12 years ago
Adding Deepak since no one else did.
Updated•12 years ago
Keywords: sec-vector
Comment 10•12 years ago
Thank you for adding me to cc: Al. I have investigated the issue and found the underlying cause. Since the reproducer is already posted here, I see no reason not to post the proposed fix as well. With attached patch, the heap overflow is curtailed and ASAN shows no errors. I will talk to our security team to do a proper release as appropriate and will post the details here once I have them.
Comment 11•12 years ago
Hi. I am attaching the latest (and final) proposed fix for this issue. Tomas Hoger from our security team found a couple of other potential problem areas and while investigating, we also found some memory leaks. This patch addresses all issues. We have assigned a CVE for this (CVE-2012-4540) and the unembargo date is tentatively set for November 7th 2012.
Attachment #672849 -
Attachment is obsolete: true
Comment 12•12 years ago
Do we need to check this in somewhere?
Comment 13•12 years ago
No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any Mozilla product. Marking INVALID for now, and we can clear the security flag once the embargo is lifted.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 14•12 years ago
(In reply to Benjamin Smedberg [:bsmedberg] from comment #13)
> No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any
> Mozilla product. Marking INVALID for now, and we can clear the security flag
> once the embargo is lifted.

Thanks. I posted the patch here just as an FYI. Mozilla product code is not affected in any way.
Comment 15•12 years ago
Fixed in IcedTea-Web 1.1.7, 1.2.2 and 1.3.1: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
Comment 17•11 years ago
Yes, the fix has been publicly released for a while now and there is no harm in opening this bug.
Flags: needinfo?(dbhole)
Updated•11 years ago
|
Group: core-security
Updated•2 years ago
|
Product: Core → Core Graveyard