← Back to team overview

openjdk team mailing list archive

Bug#723118: icedtea-web: Proposed diff for NMU version 1.4-3.1

 

Dear maintainer,

Attached is the proposed debdiff prepared for a possible NMU for
icedtea-web (versioned as 1.4-3.1), but I have not yet uploaded it to
any delayed queue.

Regards,
Salvatore
diff -Nru icedtea-web-1.4/debian/changelog icedtea-web-1.4/debian/changelog
--- icedtea-web-1.4/debian/changelog	2013-07-04 11:48:29.000000000 +0200
+++ icedtea-web-1.4/debian/changelog	2013-09-28 10:00:29.000000000 +0200
@@ -1,3 +1,13 @@
+icedtea-web (1.4-3.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add CVE-2013-4349.diff patch.
+    CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
+    heap-based buffer overflow after triggering event attached to applets.
+    (Closes: #723118)
+
+ -- Salvatore Bonaccorso <carnil@xxxxxxxxxx>  Sat, 28 Sep 2013 10:00:03 +0200
+
 icedtea-web (1.4-3) unstable; urgency=low
 
   * Update from the 1.4 branch:
diff -Nru icedtea-web-1.4/debian/patches/CVE-2013-4349.diff icedtea-web-1.4/debian/patches/CVE-2013-4349.diff
--- icedtea-web-1.4/debian/patches/CVE-2013-4349.diff	1970-01-01 01:00:00.000000000 +0100
+++ icedtea-web-1.4/debian/patches/CVE-2013-4349.diff	2013-09-28 10:00:29.000000000 +0200
@@ -0,0 +1,57 @@
+Description: Fix Heap-buffer-overflow
+ CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
+ heap-based buffer overflow after triggering event attached to applet,
+ possibly allowing arbitrary code execution.
+ .
+ This corresponds to CVE-2012-4540 which was not fixed in 1.4 branch.
+ .
+ Removed unnecessary heap allocations.
+Origin: upstream, http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a
+Bug-Debian: http://bugs.debian.org/723118
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1007960
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@xxxxxxxxxx>
+Last-Update: 2013-09-28
+Applied-Upstream: 1.4.1
+
+--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
++++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
+@@ -591,10 +591,7 @@
+ 
+     if (java_result->error_occurred)
+     {
+-        // error message must be allocated on heap
+-        char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
+-        strcpy(error_msg, java_result->error_msg->c_str());
+-        browser_functions.setexception(npobj, error_msg);
++        browser_functions.setexception(npobj, java_result->error_msg->c_str());
+         return false;
+     }
+ 
+@@ -853,11 +850,7 @@
+         createJavaObjectFromVariant(instance, args[i], &id);
+         if (id == "0")
+         {
+-            // error message must be allocated on heap
+-            char* error_msg = (char*) malloc(1024*sizeof(char));
+-            strcpy(error_msg, "Unable to create argument on Java side");
+-
+-            browser_functions.setexception(npobj, error_msg);
++            browser_functions.setexception(npobj, "Unable to create argument on Java side");
+             return false;
+         }
+ 
+@@ -871,12 +864,7 @@
+ 
+     if (java_result->error_occurred)
+     {
+-        // error message must be allocated on heap
+-        int length = java_result->error_msg->length();
+-        char* error_msg = (char*) malloc((length+1)*sizeof(char));
+-        strcpy(error_msg, java_result->error_msg->c_str());
+-
+-        browser_functions.setexception(npobj, error_msg);
++        browser_functions.setexception(npobj, java_result->error_msg->c_str());
+         return false;
+     }
+ 
diff -Nru icedtea-web-1.4/debian/patches/series icedtea-web-1.4/debian/patches/series
--- icedtea-web-1.4/debian/patches/series	2013-07-04 11:53:43.000000000 +0200
+++ icedtea-web-1.4/debian/patches/series	2013-09-28 10:00:29.000000000 +0200
@@ -3,3 +3,4 @@
 gcc-option-order.diff
 use-ldflags.diff
 #hg-updates.diff
+CVE-2013-4349.diff