IcedTea6 1.8pre (6b18~pre3-0ubuntu1) buffer overflow, possible crasher

Bug #552287 reported by Chris Jones
Affects: openjdk-6 (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned | Milestone: none

Bug Description

See Mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=555342.

(Apologies for this report, I'm not the person who discovered this bug and am relaying the discoverer's information.)

1) Ubuntu 10.04 b1
2) IcedTea6 1.8pre (6b18~pre3-0ubuntu1)
3) No buffer overflow
4) Buffer overflow

See the steps to reproduce in the Mozilla bug; the buffer overflow is more dramatic in Firefox nightlies with out-of-process plugins because it always results in a crash in the plugin subprocesses. It will only sometimes result in a crash of the Firefox process.

It's easier to just paste a fix for this bug than describe it more. The diff is against http://icedtea.classpath.org/hg/icedtea6 revision 911fc7449289.

Marking security vulnerability for safety; I think this would be hard to exploit.

Revision history for this message
Chris Jones (jones-chris-g) wrote :

I should add that a workaround for this bug is to only run the IcedTea plugin in an environment with ICEDTEAPLUGIN_DEBUG=1.

Revision history for this message
Chris Jones (jones-chris-g) wrote :

The workaround of ICEDTEAPLUGIN_DEBUG=1 is not recommended because IcedTeaPlugin.so opens a "jdwp" debugging socket on localhost:8787, allowing less-privileged users to connect and read possibly sensitive information. Mozilla will blacklist this plugin until a fix is available.

Kees Cook (kees)
security vulnerability: yes → no
visibility: private → public
affects: ubuntu → openjdk-6 (Ubuntu)
Changed in openjdk-6 (Ubuntu):
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b18~pre4-0ubuntu2

---------------
openjdk-6 (6b18~pre4-0ubuntu2) lucid; urgency=low

  * Fix typo in NPPlugin code. LP: #552287.
 -- Matthias Klose <email address hidden> Wed, 31 Mar 2010 10:41:11 +0200

Changed in openjdk-6 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Matthias Klose (doko) wrote :

Re: https://bugzilla.mozilla.org/show_bug.cgi?id=555342#c24

the fix is in IcedTea and uploaded to lucid.

(3) afaik FC12 does use the IcedTeaPlugin.cc, not the IcedTeaNPPlugin.cc. The former is not affected.

No release enables the IcedTeaNPPlugin.cc by default.

Revision history for this message
Chris Jones (jones-chris-g) wrote :

Thanks!
