{"id":"MGASA-2019-0242","summary":"Updated icedtea-web packages fix security vulnerabilities","details":"Updated icedtea-web packages fix security vulnerabilities:\n\nIt was found that in icedtea-web up to and including 1.7.2 and 1.8.2\nexecutable code could be injected in a JAR file without compromising the\nsignature verification. An attacker could use this flaw to inject code in\na trusted JAR. The code would be executed inside the sandbox.\n(CVE-2019-10181)\n\nIt was found that icedtea-web though 1.7.2 and 1.8.2 did not properly\nsanitize paths from \u003cjar/\u003e elements in JNLP files. An attacker could trick\na victim into running a specially crafted application and use this flaw to\nupload arbitrary files to arbitrary locations in the context of the user.\n(CVE-2019-10182)\n\nIt was found that icedtea-web up to and including 1.7.2 and 1.8.2 was\nvulnerable to a zip-slip attack during auto-extraction of a JAR file.\nAn attacker could use this flaw to write files to arbitrary locations.\nThis could also be used to replace the main running application and,\npossibly, break out of the sandbox. (CVE-2019-10185)\n","modified":"2026-04-16T04:43:52.772381173Z","published":"2019-09-06T21:09:08Z","upstream":["CVE-2019-10181","CVE-2019-10182","CVE-2019-10185"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0242.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25228"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:2003"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2019/07/31/2"}],"affected":[{"package":{"name":"icedtea-web","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/icedtea-web?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.2-4.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0242.json"}},{"package":{"name":"icedtea-web","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/icedtea-web?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8-2.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0242.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}