icedtea-web: multiple issues

2015-09-14T00:00:00
ID ASA-201509-6
Type archlinux
Reporter Arch Linux
Modified 2015-09-14T00:00:00

Description

  • CVE-2015-5234 (unexpected permanent authorization of unsigned applets)

It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval.

  • CVE-2015-5235 (applet origin spoofing)

It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin.