Dear maintainer, Attached is the proposed debdiff prepared for a possible NMU for icedtea-web (versioned as 1.4-3.1), but I have not yet uploaded it to any delayed queue.
Regards, Salvatore
diff -Nru icedtea-web-1.4/debian/changelog icedtea-web-1.4/debian/changelog
--- icedtea-web-1.4/debian/changelog 2013-07-04 11:48:29.000000000 +0200
+++ icedtea-web-1.4/debian/changelog 2013-09-28 10:00:29.000000000 +0200
@@ -1,3 +1,13 @@
+icedtea-web (1.4-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add CVE-2013-4349.diff patch.
+ CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
+ heap-based buffer overflow after triggering event attached to applets.
+ (Closes: #723118)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 28 Sep 2013 10:00:03 +0200
+
 icedtea-web (1.4-3) unstable; urgency=low

 * Update from the 1.4 branch:
diff -Nru icedtea-web-1.4/debian/patches/CVE-2013-4349.diff icedtea-web-1.4/debian/patches/CVE-2013-4349.diff
--- icedtea-web-1.4/debian/patches/CVE-2013-4349.diff 1970-01-01 01:00:00.000000000 +0100
+++ icedtea-web-1.4/debian/patches/CVE-2013-4349.diff 2013-09-28 10:00:29.000000000 +0200
@@ -0,0 +1,57 @@
+Description: Fix Heap-buffer-overflow
+ CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
+ heap-based buffer overflow after triggering event attached to applet,
+ possibly allowing arbitrary code execution.
+ .
+ This corresponds to CVE-2012-4540 which was not fixed in 1.4 branch.
+ .
+ Removed unnecessary heap allocations.
+Origin: upstream, http://icedtea.classpath.org/hg/release/icedtea-web-1.4/rev/82e007d8b05a
+Bug-Debian: http://bugs.debian.org/723118
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1007960
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-09-28
+Applied-Upstream: 1.4.1
+
+--- a/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
++++ b/plugin/icedteanp/IcedTeaScriptablePluginObject.cc
+@@ -591,10 +591,7 @@
+
+ if (java_result->error_occurred)
+ {
+- // error message must be allocated on heap
+- char* error_msg = (char*) malloc(java_result->error_msg->length()*sizeof(char));
+- strcpy(error_msg, java_result->error_msg->c_str());
+- browser_functions.setexception(npobj, error_msg);
++ browser_functions.setexception(npobj, java_result->error_msg->c_str());
+ return false;
+ }
+
+@@ -853,11 +850,7 @@
+ createJavaObjectFromVariant(instance, args[i], &id);
+ if (id == "0")
+ {
+- // error message must be allocated on heap
+- char* error_msg = (char*) malloc(1024*sizeof(char));
+- strcpy(error_msg, "Unable to create argument on Java side");
+-
+- browser_functions.setexception(npobj, error_msg);
++ browser_functions.setexception(npobj, "Unable to create argument on Java side");
+ return false;
+ }
+
+@@ -871,12 +864,7 @@
+
+ if (java_result->error_occurred)
+ {
+- // error message must be allocated on heap
+- int length = java_result->error_msg->length();
+- char* error_msg = (char*) malloc((length+1)*sizeof(char));
+- strcpy(error_msg, java_result->error_msg->c_str());
+-
+- browser_functions.setexception(npobj, error_msg);
++ browser_functions.setexception(npobj, java_result->error_msg->c_str());
+ return false;
+ }
+
diff -Nru icedtea-web-1.4/debian/patches/series icedtea-web-1.4/debian/patches/series
--- icedtea-web-1.4/debian/patches/series 2013-07-04 11:53:43.000000000 +0200
+++ icedtea-web-1.4/debian/patches/series 2013-09-28 10:00:29.000000000 +0200
@@ -3,3 +3,4 @@
 gcc-option-order.diff
 use-ldflags.diff
 #hg-updates.diff
+CVE-2013-4349.diff
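Review bot: The three replacement `setexception` calls in the embedded IcedTeaScriptablePluginObject.cc patch (inner hunks at -591, -853 and -871) pass `java_result->error_msg->c_str()` or a string literal directly, while the comment they delete said the message "must be allocated on heap", and nothing on this page shows which assumption is correct. The pointer returned by `c_str()` stays valid only while `*java_result->error_msg` is alive and unmodified, so the new code is safe only if the browser copies the message before `setexception` returns. I would record that at the first call site, for example `// setexception() copies the message, so no heap copy is needed (confirm against the NPAPI contract)`. Removing the copies is what closes the overflow: at -591 the buffer was sized `java_result->error_msg->length()*sizeof(char)` with no room for the terminator that `strcpy` writes, and none of the three allocations is freed in the visible lines. The enclosing functions begin and end outside these hunks, so the lifetime of `java_result` after the call cannot be checked from here.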