Bug 9779

Summary: icedtea-web new security issues CVE-2013-1926 and CVE-2013-1927
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/547754/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: icedtea-web-1.3.1-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-04-17 20:40:03 CEST 
RedHat has issued an advisory today (April 17):
https://rhn.redhat.com/errata/RHSA-2013-0753.html

Updated packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated icedtea-web packages fix security vulnerabilities:

It was discovered that the IcedTea-Web plug-in incorrectly used the same
class loader instance for applets with the same value of the codebase
attribute, even when they originated from different domains. A malicious
applet could use this flaw to gain information about and possibly
manipulate applets from different domains currently running in the browser
(CVE-2013-1926).

The IcedTea-Web plug-in did not properly check the format of the downloaded
Java Archive (JAR) files. This could cause the plug-in to execute code
hidden in a file in a different format, possibly allowing attackers to
execute code in the context of web sites that allow uploads of specific
file types, known as a GIFAR attack (CVE-2013-1927).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022790.html
https://rhn.redhat.com/errata/RHSA-2013-0753.html
========================

Updated packages in core/updates_testing:
========================
icedtea-web-1.3.2-1.mga2
icedtea-web-javadoc-1.3.2-1.mga2

from icedtea-web-1.3.2-1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Dave Hodgins 2013-04-17 23:19:52 CEST 
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
icedtea-web-1.3.2-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated icedtea-web packages fix security vulnerabilities:

It was discovered that the IcedTea-Web plug-in incorrectly used the same
class loader instance for applets with the same value of the codebase
attribute, even when they originated from different domains. A malicious
applet could use this flaw to gain information about and possibly
manipulate applets from different domains currently running in the browser
(CVE-2013-1926).

The IcedTea-Web plug-in did not properly check the format of the downloaded
Java Archive (JAR) files. This could cause the plug-in to execute code
hidden in a file in a different format, possibly allowing attackers to
execute code in the context of web sites that allow uploads of specific
file types, known as a GIFAR attack (CVE-2013-1927).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022790.html
https://rhn.redhat.com/errata/RHSA-2013-0753.html

https://bugs.mageia.org/show_bug.cgi?id=9779

Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Thomas Backlund 2013-04-18 00:34:44 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-04-18 21:09:36 CEST

URL: (none) => http://lwn.net/Vulnerabilities/547754/