/hg/release/icedtea6-1.7: 6 new changesets
andrew at icedtea.classpath.org
Wed Nov 24 07:03:15 PST 2010
changeset e0e679b39351 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=e0e679b39351
author: Andrew John Hughes <ahughes at redhat.com>
date: Thu Nov 18 13:23:54 2010 +0000
RH645843, CVE-2010-3860: Don't expose system properties via public
variables.
2010-11-11 Omair Majid <omajid at redhat.com>
RH645843, CVE-2010-3860
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
* plugin/icedteanp/java/sun/applet/PluginMain.java: Fix
exposure of system properties.
changeset 89ccf12401c2 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=89ccf12401c2
author: Andrew John Hughes <ahughes at redhat.com>
date: Thu Nov 18 13:25:29 2010 +0000
Update NEWS.
2010-11-18 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Updated.
changeset d87447eb1600 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=d87447eb1600
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 17 14:24:45 2010 +0000
PR592: Sanitize user-entered values used in desktop entries.
2010-11-12 Omair Majid <omajid at redhat.com>
PR592
* NEWS: Updated.
* rt/net/sourceforge/jnlp/util/XDesktopEntry.java:
(getContentsAsReader()): Call sanitize on user-inputted values.
(sanitize(String)): Sanitize values used in desktop entries.
changeset f5667b14ce7e in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=f5667b14ce7e
author: Andrew John Hughes <ahughes at redhat.com>
date: Thu Nov 18 15:59:54 2010 +0000
Bump to 1.7.6 proper and add release date.
2010-11-18 Andrew John Hughes <ahughes at redhat.com>
* configure.ac: Bump to 1.7.6 proper.
* NEWS: Add release date.
changeset cb161157ffad in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=cb161157ffad
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 24 15:01:43 2010 +0000
Added tag icedtea6-1.7.6 for changeset f5667b14ce7e
changeset fe7ca47d85b7 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=fe7ca47d85b7
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Nov 24 15:02:56 2010 +0000
Prepare for 1.7.7.
2010-11-24 Andrew John Hughes <ahughes at redhat.com>
* configure.ac: Bump to 1.7.7pre.
* NEWS: Add 1.7.7 section.
diffstat:
10 files changed, 124 insertions(+), 38 deletions(-)
.hgtags | 1
ChangeLog | 34 ++++++++
NEWS | 8 +
configure.ac | 2
plugin/icedteanp/java/sun/applet/PluginMain.java | 4
rt/net/sourceforge/jnlp/runtime/Boot.java | 4
rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java | 59 ++++++++++----
rt/net/sourceforge/jnlp/security/SecurityUtil.java | 24 ++---
rt/net/sourceforge/jnlp/services/SingleInstanceLock.java | 2
rt/net/sourceforge/jnlp/util/XDesktopEntry.java | 24 ++++-
diffs (312 lines):
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 .hgtags
--- a/.hgtags Thu Nov 18 13:01:47 2010 +0000
+++ b/.hgtags Wed Nov 24 15:02:56 2010 +0000
@@ -27,3 +27,4 @@ 0000000000000000000000000000000000000000
0000000000000000000000000000000000000000 icedtea6-1.7.5
0000000000000000000000000000000000000000 icedtea6-1.7.5
6282308dea7401c00bb779bd4ab2ff7f4d269114 icedtea6-1.7.5
+f5667b14ce7eb0dc9b121164a28d3b3fcd516c61 icedtea6-1.7.6
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 ChangeLog
--- a/ChangeLog Thu Nov 18 13:01:47 2010 +0000
+++ b/ChangeLog Wed Nov 24 15:02:56 2010 +0000
@@ -1,3 +1,37 @@ 2010-11-18 Andrew John Hughes <ahughes
+2010-11-24 Andrew John Hughes <ahughes at redhat.com>
+
+ * configure.ac: Bump to 1.7.7pre.
+ * NEWS: Add 1.7.7 section.
+
+2010-11-18 Andrew John Hughes <ahughes at redhat.com>
+
+ * configure.ac: Bump to 1.7.6 proper.
+ * NEWS: Add release date.
+
+2010-11-12 Omair Majid <omajid at redhat.com>
+
+ PR592
+ * NEWS: Updated.
+ * netx/net/sourceforge/jnlp/util/XDesktopEntry.java:
+ (getContentsAsReader()): Call sanitize on user-inputted values.
+ (sanitize(String)): Sanitize values used in desktop
+ entries.
+
+2010-11-18 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Updated.
+
+2010-11-11 Omair Majid <omajid at redhat.com>
+
+ RH645843, CVE-2010-3860
+ * netx/net/sourceforge/jnlp/runtime/Boot.java,
+ * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
+ * netx/net/sourceforge/jnlp/security/SecurityUtil.java,
+ * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
+ * netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
+ * plugin/icedteanp/java/sun/applet/PluginMain.java:
+ Fix exposure of system properties.
+
2010-11-18 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Add 1.7.6.
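Review bot: the new ChangeLog entries cite netx/net/sourceforge/jnlp/... paths, but the files this diff actually touches live under rt/net/sourceforge/jnlp/... (see the diffstat and the file headers below); the recorded paths should match the tree the patch changes. The entries are also not in reverse-chronological order: the 2010-11-12 entry sits between two 2010-11-18 entries and 2010-11-11 comes after the 2010-11-18 NEWS entry, so they read as commit order rather than date order.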
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 NEWS
--- a/NEWS Thu Nov 18 13:01:47 2010 +0000
+++ b/NEWS Wed Nov 24 15:02:56 2010 +0000
@@ -8,15 +8,19 @@ GX - http://bugs.gentoo.org/show_bug.cg
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.7.6 (2010-11-XX):
+New in release 1.7.7 (201X-XX-XX):
+
+New in release 1.7.6 (2010-11-24):
* Allow the building of NetX to be disabled.
-* Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs.
+* Security updates
+ - RH645843, CVE-2010-3860: IcedTea System property information leak via public static
* Backports
- S6853592: VM test nsk.regression.b4261880 fails with "X Error of failed request: BadWindow"
inconsistently.
* NetX
- Do not prompt user multiple times for the same certificate.
+ - PR592: NetX can create invalid desktop entry files
New in release 1.7.5 (2010-10-13):
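Review bot: the new security entry "IcedTea System property information leak via public static" ends mid-phrase and should be completed before release. The hunk also removes the existing 1.7.6 line "Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs." instead of keeping it next to the new Security updates section; confirm that drop is intended rather than a merge accident.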
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 configure.ac
--- a/configure.ac Thu Nov 18 13:01:47 2010 +0000
+++ b/configure.ac Wed Nov 24 15:02:56 2010 +0000
@@ -1,4 +1,4 @@ AC_INIT([icedtea6], [1.7.6pre], [distro-
-AC_INIT([icedtea6], [1.7.6pre], [distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6], [1.7.7pre], [distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 plugin/icedteanp/java/sun/applet/PluginMain.java
--- a/plugin/icedteanp/java/sun/applet/PluginMain.java Thu Nov 18 13:01:47 2010 +0000
+++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Wed Nov 24 15:02:56 2010 +0000
@@ -89,8 +89,8 @@ public class PluginMain
{
// the files where stdout/stderr are sent to
- public static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
- public static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
+ static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
+ static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
final boolean redirectStreams = System.getenv().containsKey("ICEDTEAPLUGIN_DEBUG");
static PluginStreamHandler streamHandler;
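Review bot: narrowing PLUGIN_STDERR_FILE and PLUGIN_STDOUT_FILE from public to package-private takes a different approach from the JNLPRuntime part of this patch, where the fields become private and accessors re-run System.getProperty so a property-access check fires; here every class in sun.applet can still read the user.home-derived paths, and nothing in the hunk records why that is acceptable. A short comment stating the assumption (that untrusted code cannot be loaded into this package) would make the fix reviewable; otherwise mirror the accessor pattern used in JNLPRuntime.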
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 rt/net/sourceforge/jnlp/runtime/Boot.java
--- a/rt/net/sourceforge/jnlp/runtime/Boot.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/runtime/Boot.java Wed Nov 24 15:02:56 2010 +0000
@@ -230,8 +230,8 @@ public final class Boot implements Privi
*/
private static String getAboutFile() {
- if (new File(JNLPRuntime.NETX_ABOUT_FILE).exists())
- return JNLPRuntime.NETX_ABOUT_FILE;
+ if (new File(JNLPRuntime.getAboutFile()).exists())
+ return JNLPRuntime.getAboutFile();
else
return null;
}
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Nov 24 15:02:56 2010 +0000
@@ -105,42 +105,42 @@ public class JNLPRuntime {
private static List<String> initialArguments;
/** Username */
- public static final String USER = System.getProperty("user.name");
+ private static final String USER = System.getProperty("user.name");
/** User's home directory */
- public static final String HOME_DIR = System.getProperty("user.home");
+ private static final String HOME_DIR = System.getProperty("user.home");
/** the ~/.netxrc file containing netx settings */
- public static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
+ private static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
/** the ~/.netx directory containing user-specific data */
- public static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
+ private static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
/** the ~/.netx/security directory containing security related information */
- public static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
+ private static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
/** the ~/.netx/security/trusted.certs file containing trusted certificates */
- public static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
+ private static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
/** the /tmp/ directory used for temporary files */
- public static final String TMP_DIR = System.getProperty("java.io.tmpdir");
+ private static final String TMP_DIR = System.getProperty("java.io.tmpdir");
/**
* the /tmp/$USER/netx/locks/ directory containing locks for single instance
* applications
*/
- public static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+ private static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+ "netx" + File.separator + "locks";
/** the java.home directory */
- public static final String JAVA_HOME_DIR = System.getProperty("java.home");
-
+ private static final String JAVA_HOME_DIR = System.getProperty("java.home");
+
/** the JNLP file to open to display the network-based about window */
- public static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+ private static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+ File.separator + "about.jnlp";
-
-
+
+
/**
* Returns whether the JNLP runtime environment has been
* initialized. Once initialized, some properties such as the
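Review bot: the -/+ pairs on the blank lines after JAVA_HOME_DIR and after NETX_ABOUT_FILE change only whitespace and add noise to a security fix; drop them or move them to a separate cleanup commit. With all of these fields now private, any remaining references to USER, NETXRC_FILE, NETX_DIR or SECURITY_DIR outside this class would no longer compile, and no accessors are added for them in this patch; confirm that no other file in the tree reads them.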
@@ -558,7 +558,38 @@ public class JNLPRuntime {
public static List<String> getInitialArguments() {
return initialArguments;
}
-
+
+ /** Get the location of the certificate files user-level used by netx */
+ public static String getCertificatesFile() {
+ System.getProperty("user.home");
+ return CERTIFICATES_FILE;
+ }
+
+ /** Get the home directory */
+ public static String getHomeDir() {
+ System.getProperty("user.home");
+ return HOME_DIR;
+ }
+
+ /** Get the location of the about file */
+ public static String getAboutFile() {
+ System.getProperty("java.home");
+ return NETX_ABOUT_FILE;
+ }
+
+ /** Get the location of the locks directory */
+ public static String getLocksDir() {
+ System.getProperty("user.home");
+ System.getProperty("java.io.tmpdir");
+ return LOCKS_DIR;
+ }
+
+ /** Get the location of a temporary location */
+ public static String getTempDir() {
+ System.getProperty("java.io.tmpdir");
+ return TMP_DIR;
+ }
+
}
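Review bot: getLocksDir() guards the wrong property: LOCKS_DIR is built from TMP_DIR and USER (System.getProperty("user.name")), not from HOME_DIR, so the check should be `System.getProperty("user.name");` rather than `System.getProperty("user.home");`. The pattern of calling System.getProperty and discarding the result is also undocumented; a reader (and any static analyser) will take those statements for dead code unless a comment states that the call exists only so the SecurityManager's property-access check runs before the cached value is returned to the caller. The Javadoc on getCertificatesFile() ("the certificate files user-level used by netx") and getTempDir() ("the location of a temporary location") needs rewording as well.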
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 rt/net/sourceforge/jnlp/security/SecurityUtil.java
--- a/rt/net/sourceforge/jnlp/security/SecurityUtil.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/security/SecurityUtil.java Wed Nov 24 15:02:56 2010 +0000
@@ -46,18 +46,18 @@ import net.sourceforge.jnlp.runtime.JNLP
public class SecurityUtil {
- private static final char[] password = "changeit".toCharArray();
-
- public static String getTrustedCertsFilename() throws Exception{
-
- String homeDir = JNLPRuntime.HOME_DIR;
-
- if (homeDir == null) {
- throw new Exception("Could not access home directory");
- } else {
- return JNLPRuntime.CERTIFICATES_FILE;
- }
- }
+ private static final char[] password = "changeit".toCharArray();
+
+ public static String getTrustedCertsFilename() throws Exception {
+
+ String homeDir = JNLPRuntime.getHomeDir();
+
+ if (homeDir == null) {
+ throw new Exception("Could not access home directory");
+ } else {
+ return JNLPRuntime.getCertificatesFile();
+ }
+ }
public static char[] getTrustedCertsPassword() {
return password;
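Review bot: the hunk replaces the whole of getTrustedCertsFilename() although only two lines change (JNLPRuntime.HOME_DIR to getHomeDir(), JNLPRuntime.CERTIFICATES_FILE to getCertificatesFile()); the remaining -/+ pairs differ only in whitespace, which hides the functional change and belongs in a separate cleanup commit. Note also that once getHomeDir() performs a property-access check, a caller lacking that permission gets a SecurityException before the null check is reached, so the "Could not access home directory" path now only covers user.home being unset; the Javadoc or the exception handling should reflect that.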
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 rt/net/sourceforge/jnlp/services/SingleInstanceLock.java
--- a/rt/net/sourceforge/jnlp/services/SingleInstanceLock.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/services/SingleInstanceLock.java Wed Nov 24 15:02:56 2010 +0000
@@ -126,7 +126,7 @@ class SingleInstanceLock {
* may or may not exist.
*/
private File getLockFile() {
- File baseDir = new File(JNLPRuntime.LOCKS_DIR);
+ File baseDir = new File(JNLPRuntime.getLocksDir());
if (!baseDir.isDirectory() && !baseDir.mkdirs()) {
throw new RuntimeException(R("RNoLockDir", baseDir));
diff -r 2eff7c2e01d1 -r fe7ca47d85b7 rt/net/sourceforge/jnlp/util/XDesktopEntry.java
--- a/rt/net/sourceforge/jnlp/util/XDesktopEntry.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/util/XDesktopEntry.java Wed Nov 24 15:02:56 2010 +0000
@@ -77,9 +77,9 @@ public class XDesktopEntry {
String fileContents = "[Desktop Entry]\n";
fileContents += "Version=1.0\n";
- fileContents += "Name=" + file.getTitle() + "\n";
+ fileContents += "Name=" + sanitize(file.getTitle()) + "\n";
fileContents += "GenericName=Java Web Start Application\n";
- fileContents += "Comment=" + file.getInformation().getDescription() + "\n";
+ fileContents += "Comment=" + sanitize(file.getInformation().getDescription()) + "\n";
fileContents += "Type=Application\n";
if (iconLocation != null) {
fileContents += "Icon=" + iconLocation + "\n";
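Review bot: the Icon= line (`fileContents += "Icon=" + iconLocation + "\n";`) is still written without sanitize() while Name= and Comment= now are; if iconLocation can ever derive from the JNLP file's icon reference rather than from a cache path the runtime controls, it needs the same treatment. Applying sanitize() uniformly to every value that originates outside the runtime, rather than field by field, avoids this class of omission.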
@@ -88,7 +88,7 @@ public class XDesktopEntry {
}
if (file.getInformation().getVendor() != null) {
- fileContents += "Vendor=" + file.getInformation().getVendor() + "\n";
+ fileContents += "Vendor=" + sanitize(file.getInformation().getVendor()) + "\n";
}
//Shortcut executes the jnlp from cache and system preferred java..
@@ -96,6 +96,22 @@ public class XDesktopEntry {
return new StringReader(fileContents);
+ }
+
+ /**
+ * Sanitizes a string so that it can be used safely in a key=value pair in a
+ * desktop entry file.
+ *
+ * @param input a String to sanitize
+ * @return a string safe to use as either the key or the value in the
+ * key=value pair in a desktop entry file
+ */
+ private static String sanitize(String input) {
+ if (input == null) {
+ return "";
+ }
+ /* key=value pairs must be a single line */
+ return input.split("\n")[0];
}
/**
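Review bot: sanitize() only splits on "\n", so an input containing "\r\n" returns a value with a trailing carriage return and a bare "\r" passes through untouched; splitting on "[\r\n]" (or stripping both characters) closes that gap. Truncating at the first line break also silently discards the rest of the title or description; replacing line breaks with spaces keeps the text while still guaranteeing a single line. The Javadoc promises the result is safe "as either the key or the value", but keys are a restricted character set that the method does not enforce; since the callers only pass values, narrow the Javadoc to values.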
@@ -131,7 +147,7 @@ public class XDesktopEntry {
* Install this XDesktopEntry into the user's desktop as a launcher
*/
private void installDesktopLauncher() {
- File shortcutFile = new File(JNLPRuntime.TMP_DIR + File.separator
+ File shortcutFile = new File(JNLPRuntime.getTempDir() + File.separator
+ FileUtils.sanitizeFileName(file.getTitle()) + ".desktop");
try {
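Review bot: the launcher file is written to JNLPRuntime.getTempDir() (java.io.tmpdir, documented in JNLPRuntime as the /tmp directory) under a name derived from the application title, so the path is predictable and the directory is shared with every local user; this predates the patch, but a follow-up that writes the shortcut under a per-user directory such as NETX_DIR, or obtains the file via File.createTempFile, would remove the shared-directory exposure.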