Debian Bug report logs - #723118
icedtea-web: CVE-2013-4349: patch for CVE-2012-4540 not applied to 1.4 branch


Package: icedtea-web; Maintainer for icedtea-web is OpenJDK Team <openjdk@lists.launchpad.net>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 16 Sep 2013 16:57:14 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions 1.4-3~deb7u1, 1.4-3

Fixed in version icedtea-web/1.4-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, OpenJDK Team <openjdk@lists.launchpad.net>:
Bug#723118; Package icedtea-web. (Mon, 16 Sep 2013 16:57:18 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, OpenJDK Team <openjdk@lists.launchpad.net>. (Mon, 16 Sep 2013 16:57:18 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icedtea-web: CVE-2013-4349: patch for CVE-2012-4540 not applied to 1.4 branch
Date: Mon, 16 Sep 2013 18:56:50 +0200
Package: icedtea-web
Version: 1.4-3~deb7u1
Severity: grave
Tags: security upstream patch fixed-upstream
Control: found -1 1.4-3

Hi,

The following vulnerability was published for icedtea-web.

CVE-2013-4349[0]:
IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow

This previously was already fixed in 1.1, 1.2, and 1.3 IcedTea-Web
branches (this was CVE-2012-4540). But this did not get applied to
head at that time.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4349
[1] http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a

Regards,
Salvatore



Marked as found in versions 1.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 16 Sep 2013 16:57:18 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, OpenJDK Team <openjdk@lists.launchpad.net>:
Bug#723118; Package icedtea-web. (Sat, 28 Sep 2013 08:45:11 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to OpenJDK Team <openjdk@lists.launchpad.net>. (Sat, 28 Sep 2013 08:45:11 GMT)

Message #12 received at 723118@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 723118@bugs.debian.org
Subject: icedtea-web: Proposed diff for NMU version 1.4-3.1
Date: Sat, 28 Sep 2013 10:42:28 +0200
Dear maintainer,

Attached is the proposed debdiff prepared for a possible NMU for
icedtea-web (versioned as 1.4-3.1), but I have not yet uploaded it to
any delayed queue.

Regards,
Salvatore
[icedtea-web-1.4-3.1-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, OpenJDK Team <openjdk@lists.launchpad.net>:
Bug#723118; Package icedtea-web. (Sun, 29 Sep 2013 22:27:09 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to OpenJDK Team <openjdk@lists.launchpad.net>. (Sun, 29 Sep 2013 22:27:09 GMT)

Message #17 received at 723118@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 723118@bugs.debian.org
Cc: team@security.debian.org
Subject: icedtea-web: diff for NMU version 1.4-3.1
Date: Mon, 30 Sep 2013 00:24:49 +0200
tags 723118 + pending
thanks

Dear maintainer,

I've prepared an NMU for icedtea-web (versioned as 1.4-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[icedtea-web-1.4-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Sep 2013 22:27:12 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 01 Oct 2013 22:51:09 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 Oct 2013 22:51:10 GMT)

Message #24 received at 723118-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 723118-close@bugs.debian.org
Subject: Bug#723118: fixed in icedtea-web 1.4-3.1
Date: Tue, 01 Oct 2013 22:48:51 +0000
Source: icedtea-web
Source-Version: 1.4-3.1

We believe that the bug you reported is fixed in the latest version of
icedtea-web, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated icedtea-web package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Sep 2013 10:00:03 +0200
Source: icedtea-web
Binary: icedtea-netx icedtea-plugin icedtea-netx-common icedtea-6-plugin icedtea-7-plugin
Architecture: source amd64 all
Version: 1.4-3.1
Distribution: unstable
Urgency: low
Maintainer: OpenJDK Team <openjdk@lists.launchpad.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 icedtea-6-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a
 icedtea-7-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a
 icedtea-netx - NetX - implementation of the Java Network Launching Protocol (JNL
 icedtea-netx-common - NetX - implementation of the Java Network Launching Protocol (JNL
 icedtea-plugin - web browser plugin to execute Java applets (dependency package)
Closes: 723118
Changes: 
 icedtea-web (1.4-3.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add CVE-2013-4349.diff patch.
     CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
     heap-based buffer overflow after triggering event attached to applets.
     (Closes: #723118)
Checksums-Sha1: 
 6aa3941afbc2ee75f972e78abe5fcbcad398b88b 2396 icedtea-web_1.4-3.1.dsc
 43e0737bb2e121018cef0bca80b133c0002984e6 32627 icedtea-web_1.4-3.1.debian.tar.gz
 b04dd66e3b0d8217f5be3b230fe5da4a7c47735d 19740 icedtea-netx_1.4-3.1_amd64.deb
 c2068573472f51bdf283d1a7260ba7a004e3c73e 77920 icedtea-6-plugin_1.4-3.1_amd64.deb
 57390a7d5ce2311aae3ba068edcc8e133a328ae7 77908 icedtea-7-plugin_1.4-3.1_amd64.deb
 df09596493ff2e13bfd908516a723c82a1d40464 848830 icedtea-netx-common_1.4-3.1_all.deb
 5255dea2a7bacc502873365a4ff1a76a4c388e86 8234 icedtea-plugin_1.4-3.1_all.deb
Checksums-Sha256: 
 c90cdfc00edc1cc4eed7ac6c5ea4892d40b1929d2049ddbecfd50c4a98adf979 2396 icedtea-web_1.4-3.1.dsc
 7166c591bc2524286b18673f74ddc32d0128fd3d0129a86d86fe7df2e10d51b6 32627 icedtea-web_1.4-3.1.debian.tar.gz
 b87a48f42f8d56c7624e279b5e5f3739fd5d78d4125ee239cdc9700f16cbc2be 19740 icedtea-netx_1.4-3.1_amd64.deb
 f21c44f7359049b135929b985cf9631c081c438d81aa6213f027b6fe67e39a38 77920 icedtea-6-plugin_1.4-3.1_amd64.deb
 7f4568d897620cea62a822bd48c59a5eabdd8e339f4d8e5d8016a64f049b5a57 77908 icedtea-7-plugin_1.4-3.1_amd64.deb
 14a2fd19dfd4efac17fbc7765ef0ca5de9e019e5578c0cca014603800b17267a 848830 icedtea-netx-common_1.4-3.1_all.deb
 47d78f3110b4fc92b096b9a1d250873596748af5847a8e6f35ebc7212bbed57a 8234 icedtea-plugin_1.4-3.1_all.deb
Files: 
 72eeabc7d80890f7da711f0c144673b9 2396 java extra icedtea-web_1.4-3.1.dsc
 b5926a9fe9e917c5fefe475db9e7a4a1 32627 java extra icedtea-web_1.4-3.1.debian.tar.gz
 d7bb08cee39ebd404270a4003b4130cb 19740 java extra icedtea-netx_1.4-3.1_amd64.deb
 6ea398acf32e86bd3cc11a1ded62e295 77920 web extra icedtea-6-plugin_1.4-3.1_amd64.deb
 e0a6b1a9fe145c8ba942b61933e85a60 77908 web extra icedtea-7-plugin_1.4-3.1_amd64.deb
 5be1979c910f8fca02e8aa08553637ae 848830 java extra icedtea-netx-common_1.4-3.1_all.deb
 528db2e374f354ea7bb78fae46efb9f6 8234 web extra icedtea-plugin_1.4-3.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSRo7GAAoJEHidbwV/2GP+EZAP/jBSUbhQ2ZKCEp2RHoelIfL5
wKFOeivNwx5l6e2jXH7GvfdqSXlJV4GIav++xcxauKxWTjXx1xANgOeodlY/wccT
qGVvn9Cyvb1OUgkXb+XqIx7ARalLBcRAxN10wL3UfAYwhZHgKYJZJFRX8qLj37R3
dvHN5eZzQKZKDylmeWSt48aTe56KU5YNtyjrR1uDsJ+comk/t/ZtLxAubNMXyy1N
i1MsNJj+UWfW1ngJZudYfpl32dbfUYSFl/DmSK3Zc5gW9D82hWhmkkkTZWn11Oy8
HctKE5MVf7WQbbf69gZkD4FQIeAPq19OEkAdmdBmyyvyVq6VE5cZXNTsXqmIiSXc
SBhUAcz0sUS5YxDm5/WZ7ylYl4mDr8EIDLPlYjDznTMZFif+KR8WBTUhnYkjiuRl
5hfeuDQdGpoI6822Rx7wR9uqV7Iov5d58hAOd0vsfRbsprYtsd2vGgC1YTkwD2/c
DecQ6SGDmTi0mf8IMke/66btZ0Kt5yB0HyZCaXDwOcM0zgq1bYgWX9ik1CLha7n4
v6NOELHhQsV9+S3OEj3f1OSkBqX0ysv4KO9nxMdjiTGq4m3au/dGG5XCpPguHJc9
OUIFbRP2TVh+A1EQ6/BVjYiTIf+ZNsPOs3aNfUYJynYaJvKV3QuPkTgp4jlI5JQs
/hpapi89WWjx1thRCj54
=t9z1
-----END PGP SIGNATURE-----
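
The close message above carries the upload's .changes data: a Checksums-Sha1 section, a Checksums-Sha256 section, and a Files section (MD5), each listing digest, size and file name. The following is an added example, not part of the bug log or of the icedtea-web package: a small parser for those three sections plus a verifier that checks a downloaded artifact's size and all three digests against the listed values. The excerpt embedded below copies three of the entries from the message; the empty-file entry used for the self-check is constructed (its digests are the standard values for zero-length input).

```python
"""Parse the Checksums-Sha1 / Checksums-Sha256 / Files sections of a Debian
.changes file and verify file contents against size and every listed digest.
Added example; it is not code from Debian, icedtea-web, or the bug reporter."""
import hashlib

# Excerpt in .changes layout: a field line, then one indented line per file.
# These three entries are copied from the 1.4-3.1 upload in the bug log.
CHANGES_EXCERPT = """Format: 1.8
Source: icedtea-web
Version: 1.4-3.1
Checksums-Sha1: 
 6aa3941afbc2ee75f972e78abe5fcbcad398b88b 2396 icedtea-web_1.4-3.1.dsc
 43e0737bb2e121018cef0bca80b133c0002984e6 32627 icedtea-web_1.4-3.1.debian.tar.gz
 df09596493ff2e13bfd908516a723c82a1d40464 848830 icedtea-netx-common_1.4-3.1_all.deb
Checksums-Sha256: 
 c90cdfc00edc1cc4eed7ac6c5ea4892d40b1929d2049ddbecfd50c4a98adf979 2396 icedtea-web_1.4-3.1.dsc
 7166c591bc2524286b18673f74ddc32d0128fd3d0129a86d86fe7df2e10d51b6 32627 icedtea-web_1.4-3.1.debian.tar.gz
 14a2fd19dfd4efac17fbc7765ef0ca5de9e019e5578c0cca014603800b17267a 848830 icedtea-netx-common_1.4-3.1_all.deb
Files: 
 72eeabc7d80890f7da711f0c144673b9 2396 java extra icedtea-web_1.4-3.1.dsc
 b5926a9fe9e917c5fefe475db9e7a4a1 32627 java extra icedtea-web_1.4-3.1.debian.tar.gz
 5be1979c910f8fca02e8aa08553637ae 848830 java extra icedtea-netx-common_1.4-3.1_all.deb
"""

# Field name -> hashlib algorithm name used for that section's first column.
SECTIONS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}

# Constructed entry for a zero-length file; the digests are the well-known
# values of the empty input for each algorithm.
EMPTY_FILE_ENTRY = {
    "size": 0,
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def parse_changes(text):
    """Return {filename: {"size": int, "sha1": hex, "sha256": hex, "md5": hex}}.

    Non-indented lines start a new field; only the three digest fields are
    collected. The file name is always the last column, which also covers
    the five-column Files lines (md5 size section priority name).
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = SECTIONS.get(line.split(":", 1)[0])
            continue
        if current is None or not line.strip():
            continue
        parts = line.split()
        digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
        entry = entries.setdefault(name, {})
        # The same file must be listed with one size in every section.
        if "size" in entry and entry["size"] != size:
            raise ValueError(f"conflicting sizes for {name}")
        entry["size"] = size
        entry[current] = digest
    return entries


def verify_file(entry, data):
    """Check data against the entry's size and each digest; return (ok, problems).

    A missing digest is reported rather than silently skipped, so a .changes
    file that lists only MD5 does not pass as fully verified.
    """
    problems = []
    if len(data) != entry["size"]:
        problems.append(f"size {len(data)} != listed {entry['size']}")
    for algo in ("sha1", "sha256", "md5"):
        expected = entry.get(algo)
        if expected is None:
            problems.append(f"no {algo} digest listed")
            continue
        if hashlib.new(algo, data).hexdigest() != expected:
            problems.append(f"{algo} mismatch")
    return (not problems, problems)


if __name__ == "__main__":
    listed = parse_changes(CHANGES_EXCERPT)
    for name, entry in listed.items():
        print(name, entry["size"], entry["sha256"])
    print(verify_file(EMPTY_FILE_ENTRY, b""))
    print(verify_file(listed["icedtea-web_1.4-3.1.dsc"], b"not the real dsc"))
```

Checking the three sections together, rather than MD5 alone, matters because the Files section still uses MD5 for compatibility; the SHA-256 column is the one to rely on, and the PGP signature over the whole block is what binds those values to the uploader.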

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Oct 2013 07:28:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:02:52 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.