Bug 25228 - icedtea-web new security issues CVE-2019-1018[125]
Summary: icedtea-web new security issues CVE-2019-1018[125]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-05 21:27 CEST by David Walser
Modified: 2019-09-06 23:11 CEST

See Also:
Source RPM: icedtea-web-1.8-2.mga7.src.rpm
CVE: CVE-2019-10181, CVE-2019-10182, CVE-2019-10185
Status comment:


Description David Walser 2019-08-05 21:27:51 CEST
RedHat has issued an advisory on July 31:
https://access.redhat.com/errata/RHSA-2019:2003

The issue was also announced on oss-security:
https://www.openwall.com/lists/oss-security/2019/07/31/2

Mageia 6 and Mageia 7 are also affected.

David Walser 2019-08-05 21:28:03 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Nicolas Salguero 2019-08-26 15:39:43 CEST
Hi,

Done for Cauldron and Mga7.  For Mga6, the patches do not apply.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 2 David Walser 2019-08-26 18:31:11 CEST
It probably doesn't make a difference, since RedHat has 1.7.x, but here's the commit with their patches:
https://git.centos.org/rpms/icedtea-web/c/fc1eb6ada20c59d4b9260c89b1cfc51924c2b965?branch=c7

If those don't work for 1.6.2, maybe we can update it for Mageia 6?

Comment 3 David Walser 2019-08-26 18:31:58 CEST
Package list for Mageia 7 update:
icedtea-web-1.8-2.1.mga7
icedtea-web-javadoc-1.8-2.1.mga7
icedtea-web-devel-1.8-2.1.mga7

from icedtea-web-1.8-2.1.mga7.src.rpm

Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 4 Nicolas Salguero 2019-08-29 16:01:20 CEST
Suggested advisory:
========================

The updated packages fix security issues:

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. (CVE-2019-10181)

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. (CVE-2019-10182)

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. (CVE-2019-10185)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10185
https://access.redhat.com/errata/RHSA-2019:2003
https://www.openwall.com/lists/oss-security/2019/07/31/2
========================

Updated packages in 6/core/updates_testing:
========================
icedtea-web-1.7.2-1.mga6
icedtea-web-javadoc-1.7.2-1.mga6
icedtea-web-devel-1.7.2-1.mga6

from SRPMS:
icedtea-web-1.7.2-1.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
icedtea-web-1.8-2.1.mga7
icedtea-web-javadoc-1.8-2.1.mga7
icedtea-web-devel-1.8-2.1.mga7

from SRPMS:
icedtea-web-1.8-2.1.mga7.src.rpm

CVE: (none) => CVE-2019-10181, CVE-2019-10182, CVE-2019-10185
Status: NEW => ASSIGNED
Assignee: java => qa-bugs

Nicolas Salguero 2019-08-29 16:01:47 CEST

Source RPM: icedtea-web-1.8.2-1.mga8.src.rpm => icedtea-web-1.8-2.mga7.src.rpm

Comment 5 Nicolas Salguero 2019-08-29 16:15:12 CEST
There is a problem for Mageia 6

Assignee: qa-bugs => nicolas.salguero

Comment 6 Nicolas Salguero 2019-08-30 11:23:11 CEST
Problem solved with icedtea-web-1.7.2-4.mga6.  So:

Suggested advisory:
========================

The updated packages fix security issues:

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. (CVE-2019-10181)

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. (CVE-2019-10182)

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. (CVE-2019-10185)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10185
https://access.redhat.com/errata/RHSA-2019:2003
https://www.openwall.com/lists/oss-security/2019/07/31/2
========================

Updated packages in 6/core/updates_testing:
========================
icedtea-web-1.7.2-4.mga6
icedtea-web-javadoc-1.7.2-4.mga6
icedtea-web-devel-1.7.2-4.mga6

from SRPMS:
icedtea-web-1.7.2-4.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
icedtea-web-1.8-2.1.mga7
icedtea-web-javadoc-1.8-2.1.mga7
icedtea-web-devel-1.8-2.1.mga7

from SRPMS:
icedtea-web-1.8-2.1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs

Comment 7 Brian Rockwell 2019-09-02 05:10:25 CEST
This is running cinnamon.  I need a Plasma person to try Konqueror which is listed as still able to run icedtea.

Installed icedtea-web-1.8.2.1 as part of my java testing on MGA7.

Since Firefox no longer enables it, I had to pick on other browsers.

Midori - worked in several cases
Epiphany - worked in another case, but not in the Midori one.

Makes me want to drink Mi......

Seems to be working considering limited browser support.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => brtians1

Comment 8 Herman Viaene 2019-09-02 11:18:15 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues.
Found link to test in bug 16755, used konqueror to different sites listed on https://javatester.org/othertesters.html
All seemed to work OK.
I am not sure whether this is a conclusive test ????

CC: (none) => herman.viaene

Comment 9 Brian Rockwell 2019-09-02 17:01:35 CEST
MGA6 - 32 bit

It installed clean.

I'm unable to confirm whether it works or not with Midori.  I think it is mostly a browser issue, but my testing indicated it might work, that's the best I can say.

Tentative ok.

I think this tool is pretty much dead.

Comment 10 Brian Rockwell 2019-09-05 17:38:01 CEST
[brian@localhost ~]$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
[brian@localhost ~]$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[brian@localhost ~]$ 


I tried a few, but this is an interesting test.  It does work.


http://josm.openstreetmap.de/download/josm.jnlp

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK

Brian Rockwell 2019-09-05 17:42:45 CEST

Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK

Comment 11 Thomas Andrews 2019-09-06 03:13:19 CEST
Validating. Suggested advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-09-06 17:46:07 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 12 Mageia Robot 2019-09-06 23:11:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0242.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

