/hg/release/icedtea6-1.9: 5 new changesets
andrew at icedtea.classpath.org
Wed Nov 24 06:57:09 PST 2010
changeset 9aa0018d8c28 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=9aa0018d8c28
author: Andrew John Hughes <ahughes at redhat.com>
date: Fri Nov 12 17:05:06 2010 +0000
RH645843, CVE-2010-3860: Don't expose system properties via public
variables.
2010-11-12 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Updated.
2010-11-11 Omair Majid <omajid at redhat.com>
RH645843, CVE-2010-3860
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
* plugin/icedteanp/java/sun/applet/PluginMain.java: Fix
exposure of system properties.
changeset 23f4ec2c7f7a in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=23f4ec2c7f7a
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 17 14:24:45 2010 +0000
PR592: Sanitize user-entered values used in desktop entries.
2010-11-12 Omair Majid <omajid at redhat.com>
PR592
* NEWS: Updated.
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java:
(getContentsAsReader()): Call sanitize on user-inputted values.
(sanitize(String)): Sanitize values used in desktop entries.
changeset 3d0ae18fb9a3 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=3d0ae18fb9a3
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 17 16:37:33 2010 +0000
Bump to 1.9.2 proper and add release date.
2010-11-17 Andrew John Hughes <ahughes at redhat.com>
* configure.ac: Bump to 1.9.2 proper.
* NEWS: Add release date.
changeset c298e3121204 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=c298e3121204
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 17 22:55:22 2010 +0000
Split the patching of the applet class files into a separate patch,
applied to all builds.
2010-11-17 Andrew John Hughes <ahughes at redhat.com>
* Makefile.am: Add applet hole patch for all builds.
* patches/applet_hole.patch: Split applet class patching into
separate file to be applied in all builds.
* patches/extensions/netx.patch: Include only the Makefile
additions to build the jaxws binary and documentation.
changeset e2b020ce5f03 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=e2b020ce5f03
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 24 14:56:41 2010 +0000
Added tag icedtea6-1.9.2 for changeset c298e3121204
diffstat:
12 files changed, 116 insertions(+), 133 deletions(-)
.hgtags | 1
ChangeLog | 40 ++++
Makefile.am | 3
NEWS | 5
configure.ac | 2
netx/net/sourceforge/jnlp/runtime/Boot.java | 4
netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java | 51 ++++-
netx/net/sourceforge/jnlp/security/SecurityUtil.java | 5
netx/net/sourceforge/jnlp/services/SingleInstanceLock.java | 2
netx/net/sourceforge/jnlp/util/XDesktopEntry.java | 24 ++
patches/extensions/netx.patch | 108 ------------
plugin/icedteanp/java/sun/applet/PluginMain.java | 4
diffs (425 lines):
diff -r 1c9dabc8729f -r e2b020ce5f03 .hgtags
--- a/.hgtags Fri Nov 12 00:28:26 2010 +0000
+++ b/.hgtags Wed Nov 24 14:56:41 2010 +0000
@@ -21,3 +21,4 @@ cb463b94b82da269ea089c481ed5e39700525a8a
cb463b94b82da269ea089c481ed5e39700525a8a icedtea6-1.9-branch
5464f814f82f7d9c8428179a71c51f11094717fd icedtea6-1.9
2fa3935ab384958d06614cec587506702bc8e658 icedtea6-1.9.1
+c298e31212047871e12f07d6900d7580f83b5831 icedtea6-1.9.2
diff -r 1c9dabc8729f -r e2b020ce5f03 ChangeLog
--- a/ChangeLog Fri Nov 12 00:28:26 2010 +0000
+++ b/ChangeLog Wed Nov 24 14:56:41 2010 +0000
@@ -1,3 +1,43 @@ 2010-11-11 Andrew John Hughes <ahughes
+2010-11-17 Andrew John Hughes <ahughes at redhat.com>
+
+ * Makefile.am:
+ Add applet hole patch for all builds.
+ * patches/applet_hole.patch:
+ Split applet class patching into separate
+ file to be applied in all builds.
+ * patches/extensions/netx.patch:
+ Include only the Makefile additions to build
+ the jaxws binary and documentation.
+
+2010-11-17 Andrew John Hughes <ahughes at redhat.com>
+
+ * configure.ac: Bump to 1.9.2 proper.
+ * NEWS: Add release date.
+
+2010-11-12 Omair Majid <omajid at redhat.com>
+
+ PR592
+ * NEWS: Updated.
+ * netx/net/sourceforge/jnlp/util/XDesktopEntry.java:
+ (getContentsAsReader()): Call sanitize on user-inputted values.
+ (sanitize(String)): Sanitize values used in desktop
+ entries.
+
+2010-11-12 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Updated.
+
+2010-11-11 Omair Majid <omajid at redhat.com>
+
+ RH645843, CVE-2010-3860
+ * netx/net/sourceforge/jnlp/runtime/Boot.java,
+ * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
+ * netx/net/sourceforge/jnlp/security/SecurityUtil.java,
+ * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
+ * netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
+ * plugin/icedteanp/java/sun/applet/PluginMain.java:
+ Fix exposure of system properties.
+
2010-11-11 Andrew John Hughes <ahughes at redhat.com>
* configure.ac: Update to 1.9.2pre.
diff -r 1c9dabc8729f -r e2b020ce5f03 Makefile.am
--- a/Makefile.am Fri Nov 12 00:28:26 2010 +0000
+++ b/Makefile.am Wed Nov 24 14:56:41 2010 +0000
@@ -315,7 +315,8 @@ ICEDTEA_PATCHES = \
patches/openjdk/6622432-bigdecimal_performance.patch \
patches/openjdk/6850606-bigdecimal_regression.patch \
patches/openjdk/6876282-bigdecimal_divide.patch \
- patches/f14-fonts.patch
+ patches/f14-fonts.patch \
+ patches/applet_hole.patch
if WITH_ALT_HSBUILD
ICEDTEA_PATCHES += \
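Review bot: patches/applet_hole.patch is added to ICEDTEA_PATCHES here, but the file itself does not appear anywhere in this changeset's diff (the diffstat lists 12 files and it is not one of them), even though the ChangeLog entry says the applet class patching was "split into a separate file". Please confirm the file is actually tracked (hg status should not show it as unknown), otherwise the patch step fails on a clean checkout of the 1.9.2 tag while working trees that still have the untracked file build fine.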
diff -r 1c9dabc8729f -r e2b020ce5f03 NEWS
--- a/NEWS Fri Nov 12 00:28:26 2010 +0000
+++ b/NEWS Wed Nov 24 14:56:41 2010 +0000
@@ -8,12 +8,14 @@ GX - http://bugs.gentoo.org/show_bug.cg
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.9.2 (2010-11-XX):
+New in release 1.9.2 (2010-11-24):
* Upgrade to latest revision of hs19 (b09).
* Allow the building of NetX to be disabled.
* Additional S390 size_t fixes.
* Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs.
+* Security updates
+ - RH645843, CVE-2010-3860: IcedTea System property information leak via public static
* Backports
- S6622432: RFE: Performance improvements to java.math.BigDecimal
- S6850606: Regression from JDK 1.6.0_12
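Review bot: the new NEWS line "IcedTea System property information leak via public static" reads as cut off; it should name what was public static, e.g. "via public static fields in JNLPRuntime and PluginMain", so the entry is understandable without the diff.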
@@ -27,6 +29,7 @@ New in release 1.9.2 (2010-11-XX):
- RH643674: Update fontconfig files for Fedora 11, 12, 13 and 14.
* NetX
- Do not prompt user multiple times for the same certificate.
+ - PR592: NetX can create invalid desktop entry files
New in release 1.9.1 (2010-10-13):
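Review bot: PR592 is filed under "NetX" as an invalid-file bug, but the fix strips newlines from JNLP-controlled strings before they are written into a .desktop launcher, which is an input-sanitisation change; consider listing it under "Security updates" next to CVE-2010-3860 so distributors picking security fixes do not skip it.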
diff -r 1c9dabc8729f -r e2b020ce5f03 configure.ac
--- a/configure.ac Fri Nov 12 00:28:26 2010 +0000
+++ b/configure.ac Wed Nov 24 14:56:41 2010 +0000
@@ -1,4 +1,4 @@ AC_INIT([icedtea6],[1.9.2pre],[distro-pk
-AC_INIT([icedtea6],[1.9.2pre],[distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6],[1.9.2],[distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 1c9dabc8729f -r e2b020ce5f03 netx/net/sourceforge/jnlp/runtime/Boot.java
--- a/netx/net/sourceforge/jnlp/runtime/Boot.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Nov 24 14:56:41 2010 +0000
@@ -230,8 +230,8 @@ public final class Boot implements Privi
*/
private static String getAboutFile() {
- if (new File(JNLPRuntime.NETX_ABOUT_FILE).exists())
- return JNLPRuntime.NETX_ABOUT_FILE;
+ if (new File(JNLPRuntime.getAboutFile()).exists())
+ return JNLPRuntime.getAboutFile();
else
return null;
}
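Review bot: JNLPRuntime.getAboutFile() is called twice in the new getAboutFile() here, once for the exists() check and once for the return. Store it in a local (`String about = JNLPRuntime.getAboutFile(); return new File(about).exists() ? about : null;`); the result is the same and the property check in the getter still runs before the file system is touched.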
diff -r 1c9dabc8729f -r e2b020ce5f03 netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Nov 24 14:56:41 2010 +0000
@@ -105,38 +105,38 @@ public class JNLPRuntime {
private static List<String> initialArguments;
/** Username */
- public static final String USER = System.getProperty("user.name");
+ private static final String USER = System.getProperty("user.name");
/** User's home directory */
- public static final String HOME_DIR = System.getProperty("user.home");
+ private static final String HOME_DIR = System.getProperty("user.home");
/** the ~/.netxrc file containing netx settings */
- public static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
+ private static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
/** the ~/.netx directory containing user-specific data */
- public static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
+ private static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
/** the ~/.netx/security directory containing security related information */
- public static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
+ private static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
/** the ~/.netx/security/trusted.certs file containing trusted certificates */
- public static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
+ private static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
/** the /tmp/ directory used for temporary files */
- public static final String TMP_DIR = System.getProperty("java.io.tmpdir");
+ private static final String TMP_DIR = System.getProperty("java.io.tmpdir");
/**
* the /tmp/$USER/netx/locks/ directory containing locks for single instance
* applications
*/
- public static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+ private static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+ "netx" + File.separator + "locks";
/** the java.home directory */
- public static final String JAVA_HOME_DIR = System.getProperty("java.home");
+ private static final String JAVA_HOME_DIR = System.getProperty("java.home");
/** the JNLP file to open to display the network-based about window */
- public static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+ private static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+ File.separator + "about.jnlp";
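Review bot: making these fields private is sufficient only if no other compilation unit still reads them; the diff updates Boot, SecurityUtil, SingleInstanceLock and XDesktopEntry, and any missed reference will fail at compile time rather than silently, because initialisers like System.getProperty("user.name") are not constant expressions and so are never inlined into callers. Note that no getter is introduced for USER, NETXRC_FILE, NETX_DIR, SECURITY_DIR or JAVA_HOME_DIR; if they are only consumed inside JNLPRuntime that is fine, otherwise the same getter-with-check pattern is needed.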
@@ -559,4 +559,35 @@ public class JNLPRuntime {
return initialArguments;
}
+ /** Get the location of the certificate files user-level used by netx */
+ public static String getCertificatesFile() {
+ System.getProperty("user.home");
+ return CERTIFICATES_FILE;
+ }
+
+ /** Get the home directory */
+ public static String getHomeDir() {
+ System.getProperty("user.home");
+ return HOME_DIR;
+ }
+
+ /** Get the location of the about file */
+ public static String getAboutFile() {
+ System.getProperty("java.home");
+ return NETX_ABOUT_FILE;
+ }
+
+ /** Get the location of the locks directory */
+ public static String getLocksDir() {
+ System.getProperty("user.home");
+ System.getProperty("java.io.tmpdir");
+ return LOCKS_DIR;
+ }
+
+ /** Get the location of a temporary location */
+ public static String getTempDir() {
+ System.getProperty("java.io.tmpdir");
+ return TMP_DIR;
+ }
+
}
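Review bot: the bare `System.getProperty("user.home");` statements in each new getter have no visible effect and will look like dead code to the next reader (or to an IDE "unused result" warning); they are there so that the SecurityManager's checkPropertyAccess rejects sandboxed callers before the cached value is returned, and that needs a comment on each one, plus a note that the getters provide no protection when no SecurityManager is installed. The checks also do not match what the values are built from: LOCKS_DIR is TMP_DIR + USER + "netx/locks" (see the first hunk), so getLocksDir() should check "user.name" and "java.io.tmpdir", yet it checks "user.home", which LOCKS_DIR does not contain, and never checks "user.name". Minor: the Javadoc "Get the location of the certificate files user-level used by netx" should read "Get the location of the user-level trusted certificates file", and "a temporary location" should be "the temporary directory".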
diff -r 1c9dabc8729f -r e2b020ce5f03 netx/net/sourceforge/jnlp/security/SecurityUtil.java
--- a/netx/net/sourceforge/jnlp/security/SecurityUtil.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/security/SecurityUtil.java Wed Nov 24 14:56:41 2010 +0000
@@ -49,13 +49,12 @@ public class SecurityUtil {
private static final char[] password = "changeit".toCharArray();
public static String getTrustedCertsFilename() throws Exception{
-
- String homeDir = JNLPRuntime.HOME_DIR;
+ String homeDir = JNLPRuntime.getHomeDir();
if (homeDir == null) {
throw new Exception("Could not access home directory");
} else {
- return JNLPRuntime.CERTIFICATES_FILE;
+ return JNLPRuntime.getCertificatesFile();
}
}
diff -r 1c9dabc8729f -r e2b020ce5f03 netx/net/sourceforge/jnlp/services/SingleInstanceLock.java
--- a/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Wed Nov 24 14:56:41 2010 +0000
@@ -126,7 +126,7 @@ class SingleInstanceLock {
* may or may not exist.
*/
private File getLockFile() {
- File baseDir = new File(JNLPRuntime.LOCKS_DIR);
+ File baseDir = new File(JNLPRuntime.getLocksDir());
if (!baseDir.isDirectory() && !baseDir.mkdirs()) {
throw new RuntimeException(R("RNoLockDir", baseDir));
diff -r 1c9dabc8729f -r e2b020ce5f03 netx/net/sourceforge/jnlp/util/XDesktopEntry.java
--- a/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Wed Nov 24 14:56:41 2010 +0000
@@ -77,9 +77,9 @@ public class XDesktopEntry {
String fileContents = "[Desktop Entry]\n";
fileContents += "Version=1.0\n";
- fileContents += "Name=" + file.getTitle() + "\n";
+ fileContents += "Name=" + sanitize(file.getTitle()) + "\n";
fileContents += "GenericName=Java Web Start Application\n";
- fileContents += "Comment=" + file.getInformation().getDescription() + "\n";
+ fileContents += "Comment=" + sanitize(file.getInformation().getDescription()) + "\n";
fileContents += "Type=Application\n";
if (iconLocation != null) {
fileContents += "Icon=" + iconLocation + "\n";
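Review bot: Name and Comment are now passed through sanitize(), but the Icon value at the end of this hunk is written as `"Icon=" + iconLocation + "\n"` unsanitised. If iconLocation is derived from the JNLP file's icon reference it needs the same treatment; if it is a locally computed cache path, a comment saying so would stop the next reader from asking the same question.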
@@ -88,7 +88,7 @@ public class XDesktopEntry {
}
if (file.getInformation().getVendor() != null) {
- fileContents += "Vendor=" + file.getInformation().getVendor() + "\n";
+ fileContents += "Vendor=" + sanitize(file.getInformation().getVendor()) + "\n";
}
//Shortcut executes the jnlp from cache and system preferred java..
@@ -96,6 +96,22 @@ public class XDesktopEntry {
return new StringReader(fileContents);
+ }
+
+ /**
+ * Sanitizes a string so that it can be used safely in a key=value pair in a
+ * desktop entry file.
+ *
+ * @param input a String to sanitize
+ * @return a string safe to use as either the key or the value in the
+ * key=value pair in a desktop entry file
+ */
+ private static String sanitize(String input) {
+ if (input == null) {
+ return "";
+ }
+ /* key=value pairs must be a single line */
+ return input.split("\n")[0];
}
/**
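Review bot: `input.split("\n")[0]` throws ArrayIndexOutOfBoundsException when the input consists only of newlines, because String.split drops trailing empty strings, so `"\n".split("\n")` has length 0; a JNLP title of "\n" would then take down desktop-entry creation instead of being sanitised. A carriage return also passes through untouched. Replacing the body with `return input.replaceAll("[\\r\\n]", "");` avoids both problems and keeps the text after the first line break instead of silently discarding it. The Javadoc also promises the result is safe "as either the key or the value", but nothing here handles "=" or "[" in a key; since the method is only used for values, say so and drop the key claim.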
@@ -131,7 +147,7 @@ public class XDesktopEntry {
* Install this XDesktopEntry into the user's desktop as a launcher
*/
private void installDesktopLauncher() {
- File shortcutFile = new File(JNLPRuntime.TMP_DIR + File.separator
+ File shortcutFile = new File(JNLPRuntime.getTempDir() + File.separator
+ FileUtils.sanitizeFileName(file.getTitle()) + ".desktop");
try {
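Review bot: the launcher is still written to a predictable name directly under the shared temporary directory (`getTempDir() + File.separator + <sanitised title> + ".desktop"`); switching the field to a getter does not change that. The file already has a per-user convention in LOCKS_DIR (tmpdir/$USER/netx/...), so writing the shortcut under the same per-user subdirectory, or using File.createTempFile, would avoid colliding with, or following, a file another user placed at that path.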
diff -r 1c9dabc8729f -r e2b020ce5f03 patches/extensions/netx.patch
--- a/patches/extensions/netx.patch Fri Nov 12 00:28:26 2010 +0000
+++ b/patches/extensions/netx.patch Wed Nov 24 14:56:41 2010 +0000
@@ -9,114 +9,6 @@ diff -c openjdk.orig/jdk/make/launchers/
$(call make-launcher, jconsole, sun.tools.jconsole.JConsole, \
-J-Djconsole.showOutputViewer, )
$(call make-launcher, jdb, com.sun.tools.example.debug.tty.TTY, , )
-diff -urN openjdk.orig/jdk/src/share/classes/sun/applet/AppletViewerPanel.java openjdk/jdk/src/share/classes/sun/applet/AppletViewerPanel.java
---- openjdk.orig/jdk/src/share/classes/sun/applet/AppletViewerPanel.java 2008-01-12 15:53:45.000000000 -0500
-+++ openjdk/jdk/src/share/classes/sun/applet/AppletViewerPanel.java 2008-02-04 11:51:20.000000000 -0500
-@@ -42,25 +42,25 @@
- *
- * @author Arthur van Hoff
- */
--class AppletViewerPanel extends AppletPanel {
-+public class AppletViewerPanel extends AppletPanel {
-
- /* Are we debugging? */
-- static boolean debug = false;
-+ protected static boolean debug = false;
-
- /**
- * The document url.
- */
-- URL documentURL;
-+ protected URL documentURL;
-
- /**
- * The base url.
- */
-- URL baseURL;
-+ protected URL baseURL;
-
- /**
- * The attributes of the applet.
- */
-- Hashtable atts;
-+ protected Hashtable atts;
-
- /*
- * JDK 1.1 serialVersionUID
-@@ -70,7 +70,7 @@
- /**
- * Construct an applet viewer and start the applet.
- */
-- AppletViewerPanel(URL documentURL, Hashtable atts) {
-+ protected AppletViewerPanel(URL documentURL, Hashtable atts) {
- this.documentURL = documentURL;
- this.atts = atts;
-
-@@ -202,12 +202,12 @@
- return (AppletContext)getParent();
- }
-
-- static void debug(String s) {
-+ protected static void debug(String s) {
- if(debug)
- System.err.println("AppletViewerPanel:::" + s);
- }
-
-- static void debug(String s, Throwable t) {
-+ protected static void debug(String s, Throwable t) {
- if(debug) {
- t.printStackTrace();
- debug(s);
-diff -urN openjdk.orig/jdk/src/share/classes/sun/applet/AppletPanel.java openjdk/jdk/src/share/classes/sun/applet/AppletPanel.java
---- openjdk.orig/jdk/src/share/classes/sun/applet/AppletPanel.java 2008-03-26 04:58:12.000000000 -0400
-+++ openjdk/jdk/src/share/classes/sun/applet/AppletPanel.java 2008-04-07 21:55:56.000000000 -0400
-@@ -68,7 +68,7 @@
- /**
- * The applet (if loaded).
- */
-- Applet applet;
-+ protected Applet applet;
-
- /**
- * Applet will allow initialization. Should be
-@@ -117,7 +117,7 @@
- /**
- * The thread for the applet.
- */
-- Thread handler;
-+ protected Thread handler;
-
-
- /**
-@@ -162,7 +162,8 @@
- * Creates a thread to run the applet. This method is called
- * each time an applet is loaded and reloaded.
- */
-- synchronized void createAppletThread() {
-+ //Overridden by NetxPanel.
-+ protected synchronized void createAppletThread() {
- // Create a thread group for the applet, and start a new
- // thread to load the applet.
- String nm = "applet-" + getCode();
-@@ -306,7 +307,7 @@
- /**
- * Get an event from the queue.
- */
-- synchronized AppletEvent getNextEvent() throws InterruptedException {
-+ protected synchronized AppletEvent getNextEvent() throws InterruptedException {
- while (queue == null || queue.isEmpty()) {
- wait();
- }
-@@ -695,7 +696,8 @@
- * applet event processing so that it can be gracefully interrupted from
- * things like HotJava.
- */
-- private void runLoader() {
-+ //Overridden by NetxPanel.
-+ protected void runLoader() {
- if (status != APPLET_DISPOSE) {
- showAppletStatus("notdisposed");
- return;
--- openjdk/jdk/make/docs/NON_CORE_PKGS.gmk.orig 2009-06-04 11:02:18.000000000 -0400
+++ openjdk/jdk/make/docs/NON_CORE_PKGS.gmk 2009-06-04 11:02:45.000000000 -0400
@@ -84,6 +84,8 @@
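Review bot: the lines removed from netx.patch widen package-private members of sun.applet.AppletPanel and sun.applet.AppletViewerPanel (documentURL, baseURL, atts, applet, handler, createAppletThread, runLoader, getNextEvent and the constructor) to public or protected. Under the Makefile.am change these now land in every build, including ones that never ship NetX or the plugin, so the new patches/applet_hole.patch should carry a header stating why the widening is applied unconditionally, and its contents should be checked against the 108 lines removed here so the two copies do not drift now that they are no longer one file.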
diff -r 1c9dabc8729f -r e2b020ce5f03 plugin/icedteanp/java/sun/applet/PluginMain.java
--- a/plugin/icedteanp/java/sun/applet/PluginMain.java Fri Nov 12 00:28:26 2010 +0000
+++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Wed Nov 24 14:56:41 2010 +0000
@@ -89,8 +89,8 @@ public class PluginMain
{
// the files where stdout/stderr are sent to
- public static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
- public static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
+ static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
+ static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
final boolean redirectStreams = System.getenv().containsKey("ICEDTEAPLUGIN_DEBUG");
static PluginStreamHandler streamHandler;
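Review bot: dropping `public` leaves PLUGIN_STDERR_FILE and PLUGIN_STDOUT_FILE readable by any class in the sun.applet package and still computes them from user.home at class-load time, which is a different approach from the JNLPRuntime hunk, where the fields became private behind getters that perform a property check. That is acceptable because untrusted code cannot define classes in sun.* packages, but a one-line comment saying so would prevent the next contributor from making them public again for convenience.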