764 bytes, application/java-archive
2.04 KB, text/plain
2.26 KB, text/plain
1.64 KB, patch
Created attachment 625421 [details] test-case (.zip) triggering the crash ASan reported a heap-buffer-overflow after triggering an event attached to an applet loaded with the IcedTea plugin. Environment information: java version "1.6.0_23" OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu126.96.36.199) OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode) Tested only on Linux x64, 14 and 15 branches.
Why don't we have symbols for the plugin? Isn't it an open-source plugin? What file format is the testcase?
(In reply to Benjamin Smedberg [:bsmedberg] from comment #3) > > What file format is the testcase? Not sure what you mean - isn't the test case working for you? There should be two files in the zip archive - run.html and TestApplet.class; one has to open run.html.
Comment on attachment 625421 [details] test-case (.zip) triggering the crash Bugzilla doesn't show file names, so I had no way of knowing that it was a zip
Could be an off-by-one in IcedTea itself... who maintains that?
Jorge, do you know who maintains IcedTea?
Adding Deepak since no one else did.
Created attachment 672849 [details] [diff] [review] Patch to fix this issue Thank you for adding me to cc: Al. I have investigated the issue and found the underlying cause. Since the reproducer is already posted here, I see no reason not to post the proposed fix as well. With the attached patch, the heap overflow is curtailed and ASan shows no errors. I will talk to our security team to do a proper release as appropriate and will post the details here once I have them.
Created attachment 677652 [details] [diff] [review] Final fix for this issue Hi. I am attaching the latest (and final) proposed fix for this issue. Tomas Hoger from our security team found a couple of other potential problem areas and while investigating, we also found some memory leaks. This patch addresses all issues. We have assigned a CVE for this (CVE-2012-4540) and the unembargo date is tentatively set for November 7th 2012.
Do we need to check this in somewhere?
No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any Mozilla product. Marking INVALID for now, and we can clear the security flag once the embargo is lifted.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #13) > No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any > Mozilla product. Marking INVALID for now, and we can clear the security flag > once the embargo is lifted. Thanks. I posted the patch here just as an FYI. Mozilla product code is not affected in any way.
Fixed in IcedTea-Web 1.1.7, 1.2.2 and 1.3.1: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
Is it OK to make this bug report public now?
Yes, the fix has been publicly released for a while now and there is no harm in opening this bug.