CVE-2019-10181

Name	CVE-2019-10181
Description	It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1914-1
Debian Bugs	934319

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
icedtea-web (PTS)	buster	1.7.2-2	vulnerable
	bullseye	1.8.4-1	fixed
	bookworm, sid, trixie	1.8.8-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
icedtea-web	source	jessie	1.5.3-1+deb8u1		DLA-1914-1
icedtea-web	source	(unstable)	1.8.3-1			934319

Notes

[buster] - icedtea-web <no-dsa> (Minor issue)
[stretch] - icedtea-web <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2019/07/31/2
https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd (1.7)
https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e (1.8)