openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #09583
Bug#723118: icedtea-web: Proposed diff for NMU version 1.4-3.1
Dear maintainer,
Attached is the proposed debdiff prepared for a possible NMU for
icedtea-web (versioned as 1.4-3.1), but I have not yet uploaded it to
any delayed queue.
Regards,
Salvatore
diff -Nru icedtea-web-1.4/debian/changelog icedtea-web-1.4/debian/changelog
--- icedtea-web-1.4/debian/changelog 2013-07-04 11:48:29.000000000 +0200
+++ icedtea-web-1.4/debian/changelog 2013-09-28 10:00:29.000000000 +0200
@@ -1,3 +1,13 @@
+icedtea-web (1.4-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add CVE-2013-4349.diff patch.
+ CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
+ heap-based buffer overflow after triggering event attached to applets.
+ (Closes: #723118)
+
+ -- Salvatore Bonaccorso <carnil@xxxxxxxxxx> Sat, 28 Sep 2013 10:00:03 +0200
+
icedtea-web (1.4-3) unstable; urgency=low
* Update from the 1.4 branch:
diff -Nru icedtea-web-1.4/debian/patches/CVE-2013-4349.diff icedtea-web-1.4/debian/patches/CVE-2013-4349.diff
--- icedtea-web-1.4/debian/patches/CVE-2013-4349.diff 1970-01-01 01:00:00.000000000 +0100
+++ icedtea-web-1.4/debian/patches/CVE-2013-4349.diff 2013-09-28 10:00:29.000000000 +0200
@@ -0,0 +1,57 @@
+Description: Fix Heap-buffer-overflow
+ CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
+ heap-based buffer overflow after triggering event attached to applet,
+ possibly allowing arbitrary code execution.
+ .
+ This corresponds to CVE-2012-4540 which was not fixed in 1.4 branch.
+ .
+ Removed unnecessary heap allocations.
+Origin: upstream, http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a
+Bug-Debian: http://bugs.debian.org/723118
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1007960
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@xxxxxxxxxx>
+Last-Update: 2013-09-28
+Applied-Upstream: 1.4.1
+
+--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
++++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
+@@ -591,10 +591,7 @@
+
+ if (java_result->error_occurred)
+ {
+- // error message must be allocated on heap
+- char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
+- strcpy(error_msg, java_result->error_msg->c_str());
+- browser_functions.setexception(npobj, error_msg);
++ browser_functions.setexception(npobj, java_result->error_msg->c_str());
+ return false;
+ }
+
+@@ -853,11 +850,7 @@
+ createJavaObjectFromVariant(instance, args[i], &id);
+ if (id == "0")
+ {
+- // error message must be allocated on heap
+- char* error_msg = (char*) malloc(1024*sizeof(char));
+- strcpy(error_msg, "Unable to create argument on Java side");
+-
+- browser_functions.setexception(npobj, error_msg);
++ browser_functions.setexception(npobj, "Unable to create argument on Java side");
+ return false;
+ }
+
+@@ -871,12 +864,7 @@
+
+ if (java_result->error_occurred)
+ {
+- // error message must be allocated on heap
+- int length = java_result->error_msg->length();
+- char* error_msg = (char*) malloc((length+1)*sizeof(char));
+- strcpy(error_msg, java_result->error_msg->c_str());
+-
+- browser_functions.setexception(npobj, error_msg);
++ browser_functions.setexception(npobj, java_result->error_msg->c_str());
+ return false;
+ }
+
diff -Nru icedtea-web-1.4/debian/patches/series icedtea-web-1.4/debian/patches/series
--- icedtea-web-1.4/debian/patches/series 2013-07-04 11:53:43.000000000 +0200
+++ icedtea-web-1.4/debian/patches/series 2013-09-28 10:00:29.000000000 +0200
@@ -3,3 +3,4 @@
gcc-option-order.diff
use-ldflags.diff
#hg-updates.diff
+CVE-2013-4349.diff
