
Heap-buffer-overflow due to IcedTea plugin

RESOLVED INVALID

Status


Core
Plug-ins
RESOLVED INVALID
5 years ago
4 years ago

People

(Reporter: Arthur Gerkis, Unassigned)

Tracking

({sec-vector})

14 Branch
x86_64
Linux
sec-vector
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 625421 [details]
test-case (.zip) triggering the crash

ASan reported a heap-buffer-overflow after triggering an event attached to an applet loaded with the IcedTea plugin.
 
Environment information:
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

Tested only on Linux x64, branches 14 and 15.
(Reporter)

Comment 1

5 years ago
Created attachment 625422 [details]
ASan log (symbolized)
(Reporter)

Comment 2

5 years ago
Created attachment 625423 [details]
ASan log (non-symbolized, just to see the paths)
Why don't we have symbols for the plugin? Isn't it an open-source plugin?

What file format is the testcase?
Component: Untriaged → Plug-ins
Product: Firefox → Core
QA Contact: untriaged → plugins
(Reporter)

Comment 4

5 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #3)
> 
> What file format is the testcase?

Not sure what you mean - isn't the test-case working for you? There should be two files in the zip archive - run.html and TestApplet.class; one has to open run.html.
Comment on attachment 625421 [details]
test-case (.zip) triggering the crash

Bugzilla doesn't show file names, so I had no way of knowing that it was a zip
Attachment #625421 - Attachment description: test-case triggering the crash → test-case (.zip) triggering the crash
Attachment #625421 - Attachment mime type: application/octet-stream → application/zip
Attachment #625421 - Attachment mime type: application/zip → application/java-archive
Could be an off-by-one in IcedTea itself... who maintains that?
Jorge, do you know who maintains IcedTea?
Status: UNCONFIRMED → NEW
Ever confirmed: true
According to bug 739955 comment #65, it is Deepak Bhole (dbhole@redhat.com).
Adding Deepak since no one else did.
Keywords: sec-vector

Comment 10

5 years ago
Created attachment 672849 [details] [diff] [review]
Patch to fix this issue

Thank you for adding me to CC, Al. I have investigated the issue and found the underlying cause. Since the reproducer is already posted here, I see no reason not to post the proposed fix as well. With the attached patch, the heap overflow is curtailed and ASan shows no errors.

I will talk to our security team to do a proper release as appropriate and will post the details here once I have them.

Comment 11

4 years ago
Created attachment 677652 [details] [diff] [review]
Final fix for this issue

Hi. I am attaching the latest (and final) proposed fix for this issue. Tomas Hoger from our security team found a couple of other potential problem areas and while investigating, we also found some memory leaks. This patch addresses all issues.

We have assigned a CVE for this (CVE-2012-4540) and the unembargo date is tentatively set for November 7th 2012.
Attachment #672849 - Attachment is obsolete: true
Do we need to check this in somewhere?
No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any Mozilla product. Marking INVALID for now, and we can clear the security flag once the embargo is lifted.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID

Comment 14

4 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #13)
> No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any
> Mozilla product. Marking INVALID for now, and we can clear the security flag
> once the embargo is lifted.

Thanks.

I posted the patch here just as an FYI. Mozilla product code is not affected in any way.

Comment 15

4 years ago
Fixed in IcedTea-Web 1.1.7, 1.2.2 and 1.3.1:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html

Comment 16

4 years ago
Is it ok to make this bug report public now?
Flags: needinfo?(dbhole)

Comment 17

4 years ago
Yes, the fix has been publicly released for a while now and there is no harm in opening this bug.
Flags: needinfo?(dbhole)

Updated

4 years ago
Group: core-security