/hg/release/icedtea6-1.7: 3 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Tue Feb 1 06:36:56 PST 2011
changeset 1db6ba4a4593 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=1db6ba4a4593
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Jan 25 15:39:52 2011 +0000
RH672262, CVE-2011-0025: IcedTea jarfile signature verification
bypass
2011-01-24 Deepak Bhole <dbhole at redhat.com>
RH672262, CVE-2011-0025: IcedTea jarfile signature
verification bypass
* rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
(initializeResources): Prompt user only if there is a single
certificate that signs all jars in the jnlp file, otherwise
treat as unsigned.
* rt/net/sourceforge/jnlp/security/CertVerifier.java: Rename getCerts
to getCertPath and make it return a CertPath.
* rt/net/sourceforge/jnlp/security/CertsInfoPane.java: Rename certs
variable to certPath and change its type to CertPath.
(buildTree): Use new certPath variable. (populateTable):
Same.
* rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java: Rename
getCerts to getCertPath and make it return a CertPath.
* rt/net/sourceforge/jnlp/tools/JarSigner.java: Change type for certs
variable to be a hashmap that stores certs and the number of entries
they have signed. (totalSignableEntries): New
variable to track how many signable entries have been
encountered. (getCerts): Updated method to return certs from
new hashmap. (isFullySignedByASingleCert): New method.
Returns if there is a single cert that signs all the entries
in the jars specified in the jnlp file. (verifyJars): Move
verifiedJars and unverifiedJars out of the for loop so that
the data is not lost when the next jar is processed. After verifying
each jar, see if there is a single signer, and prompt the user if
there is such an untrusted signer. (verifyJar):
Increment totalSignableEntries for each signable entry
encountered and the count for each cert when it signs an entry. Move
checkTrustedCerts() out of the function into verifyJars().
changeset 626c4d1e1fa4 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=626c4d1e1fa4
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Feb 01 14:35:07 2011 +0000
Bump to 1.7.8.
2011-01-25 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Update for 1.7.8 release.
* configure.ac: Bump to 1.7.8.
changeset 392843c37e47 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=392843c37e47
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Feb 01 14:35:18 2011 +0000
Added tag icedtea6-1.7.8 for changeset 626c4d1e1fa4
diffstat:
9 files changed, 120 insertions(+), 43 deletions(-)
.hgtags | 1
ChangeLog | 35 +++++
NEWS | 6
configure.ac | 2
rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 2
rt/net/sourceforge/jnlp/security/CertVerifier.java | 2
rt/net/sourceforge/jnlp/security/CertsInfoPane.java | 20 +--
rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java | 4
rt/net/sourceforge/jnlp/tools/JarSigner.java | 91 ++++++++++-----
diffs (340 lines):
diff -r 500f06b81c78 -r 392843c37e47 .hgtags
--- a/.hgtags Thu Jan 20 11:11:20 2011 -0500
+++ b/.hgtags Tue Feb 01 14:35:18 2011 +0000
@@ -29,3 +29,4 @@ 6282308dea7401c00bb779bd4ab2ff7f4d269114
6282308dea7401c00bb779bd4ab2ff7f4d269114 icedtea6-1.7.5
f5667b14ce7eb0dc9b121164a28d3b3fcd516c61 icedtea6-1.7.6
8784e22fa2897df7373ca8869e7dab8d3af8c8c9 icedtea6-1.7.7
+626c4d1e1fa47b492bb41c8438f66aacd35146ae icedtea6-1.7.8
diff -r 500f06b81c78 -r 392843c37e47 ChangeLog
--- a/ChangeLog Thu Jan 20 11:11:20 2011 -0500
+++ b/ChangeLog Tue Feb 01 14:35:18 2011 +0000
@@ -1,3 +1,38 @@ 2011-01-20 Deepak Bhole <dbhole at redhat.
+2011-01-25 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Update for 1.7.8 release.
+ * configure.ac: Bump to 1.7.8.
+
+2011-01-24 Deepak Bhole <dbhole at redhat.com>
+
+ RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
+ * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+ (initializeResources): Prompt user only if there is a single certificate
+ that signs all jars in the jnlp file, otherwise treat as unsigned.
+ * rt/net/sourceforge/jnlp/security/CertVerifier.java: Rename getCerts to
+ getCertPath and make it return a CertPath.
+ * rt/net/sourceforge/jnlp/security/CertsInfoPane.java: Rename certs
+ variable to certPath and change its type to CertPath.
+ (buildTree): Use new certPath variable.
+ (populateTable): Same.
+ * rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java: Rename getCerts
+ to getCertPath and make it return a CertPath.
+ * rt/net/sourceforge/jnlp/tools/JarSigner.java: Change type for certs
+ variable to be a hashmap that stores certs and the number of entries they
+ have signed.
+ (totalSignableEntries): New variable to track how many signable entries
+ have been encountered.
+ (getCerts): Updated method to return certs from new hashmap.
+ (isFullySignedByASingleCert): New method. Returns if there is a single
+ cert that signs all the entries in the jars specified in the jnlp file.
+ (verifyJars): Move verifiedJars and unverifiedJars out of the for loop so
+ that the data is not lost when the next jar is processed. After verifying
+ each jar, see if there is a single signer, and prompt the user if there is
+ such an untrusted signer.
+ (verifyJar): Increment totalSignableEntries for each signable entry
+ encountered and the count for each cert when it signs an entry. Move
+ checkTrustedCerts() out of the function into verifyJars().
+
2011-01-20 Deepak Bhole <dbhole at redhat.com>
PR619: Improper finalization by the plugin can crash the browser
diff -r 500f06b81c78 -r 392843c37e47 NEWS
--- a/NEWS Thu Jan 20 11:11:20 2011 -0500
+++ b/NEWS Tue Feb 01 14:35:18 2011 +0000
@@ -8,14 +8,16 @@ GX - http://bugs.gentoo.org/show_bug.cg
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.7.8 (2011-XX-XX):
+New in release 1.7.8 (2011-02-01):
+* Security updates
+ - RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
* Backports
- S6687968: PNGImageReader leaks native memory through an Inflater
- S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
- S6782079: PNG: reading metadata may cause OOM on truncated images
* Fixes:
- - RH647157,RH582455: Update fontconfig files for rhel 6
+ - RH647157, RH582455: Update fontconfig files for rhel 6
- PR619: Improper finalization by the plugin can crash the browser
New in release 1.7.7 (2011-01-18):
diff -r 500f06b81c78 -r 392843c37e47 configure.ac
--- a/configure.ac Thu Jan 20 11:11:20 2011 -0500
+++ b/configure.ac Tue Feb 01 14:35:18 2011 +0000
@@ -1,4 +1,4 @@ AC_INIT([icedtea6], [1.7.8pre], [distro-
-AC_INIT([icedtea6], [1.7.8pre], [distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6], [1.7.8], [distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 500f06b81c78 -r 392843c37e47 rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu Jan 20 11:11:20 2011 -0500
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 14:35:18 2011 +0000
@@ -399,7 +399,7 @@ public class JNLPClassLoader extends URL
}
//Case when at least one jar has some signing
- if (js.anyJarsSigned()){
+ if (js.anyJarsSigned() && js.isFullySignedByASingleCert()){
signing = true;
if (!js.allJarsSigned() &&
diff -r 500f06b81c78 -r 392843c37e47 rt/net/sourceforge/jnlp/security/CertVerifier.java
--- a/rt/net/sourceforge/jnlp/security/CertVerifier.java Thu Jan 20 11:11:20 2011 -0500
+++ b/rt/net/sourceforge/jnlp/security/CertVerifier.java Tue Feb 01 14:35:18 2011 +0000
@@ -76,7 +76,7 @@ public interface CertVerifier {
* Return a valid certificate path to this certificate(s) being verified
* @return The CertPath
*/
- public ArrayList<CertPath> getCerts();
+ public CertPath getCertPath();
/**
* Returns the application's publisher's certificate.
diff -r 500f06b81c78 -r 392843c37e47 rt/net/sourceforge/jnlp/security/CertsInfoPane.java
--- a/rt/net/sourceforge/jnlp/security/CertsInfoPane.java Thu Jan 20 11:11:20 2011 -0500
+++ b/rt/net/sourceforge/jnlp/security/CertsInfoPane.java Tue Feb 01 14:35:18 2011 +0000
@@ -65,7 +65,7 @@ import net.sourceforge.jnlp.tools.*;
*/
public class CertsInfoPane extends SecurityDialogUI {
- private ArrayList<CertPath> certs;
+ private CertPath certPath;
private JList list;
protected JTree tree;
private JTable table;
@@ -84,12 +84,10 @@ public class CertsInfoPane extends Secur
* Builds the JTree out of CertPaths.
*/
void buildTree() {
- certs = ((SecurityWarningDialog)optionPane).getJarSigner().getCerts();
- //for now, we're only going to display the first signer, even though
- //jars can be signed by multiple people.
- CertPath firstPath = certs.get(0);
+ certPath = ((SecurityWarningDialog)optionPane).getJarSigner().getCertPath();
+
X509Certificate firstCert =
- ((X509Certificate)firstPath.getCertificates().get(0));
+ ((X509Certificate)certPath.getCertificates().get(0));
String subjectString =
SecurityUtil.getCN(firstCert.getSubjectX500Principal().getName());
String issuerString =
@@ -101,9 +99,9 @@ public class CertsInfoPane extends Secur
//not self signed
if (!firstCert.getSubjectDN().equals(firstCert.getIssuerDN())
- && (firstPath.getCertificates().size() > 1)) {
+ && (certPath.getCertificates().size() > 1)) {
X509Certificate secondCert =
- ((X509Certificate)firstPath.getCertificates().get(1));
+ ((X509Certificate)certPath.getCertificates().get(1));
subjectString =
SecurityUtil.getCN(secondCert.getSubjectX500Principal().getName());
issuerString =
@@ -122,12 +120,12 @@ public class CertsInfoPane extends Secur
* Fills in certsNames, certsData with data from the certificates.
*/
protected void populateTable() {
- certNames = new String[certs.get(0).getCertificates().size()];
+ certNames = new String[certPath.getCertificates().size()];
certsData = new ArrayList<String[][]>();
- for (int i = 0; i < certs.get(0).getCertificates().size(); i++) {
+ for (int i = 0; i < certPath.getCertificates().size(); i++) {
- X509Certificate c = (X509Certificate) certs.get(0).getCertificates().get(i);
+ X509Certificate c = (X509Certificate) certPath.getCertificates().get(i);
certsData.add(parseCert(c));
certNames[i] = SecurityUtil.getCN(c.getSubjectX500Principal().getName())
+ " (" + SecurityUtil.getCN(c.getIssuerX500Principal().getName()) + ")";
diff -r 500f06b81c78 -r 392843c37e47 rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java
--- a/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java Thu Jan 20 11:11:20 2011 -0500
+++ b/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java Tue Feb 01 14:35:18 2011 +0000
@@ -82,7 +82,7 @@ public class HttpsCertVerifier implement
return isTrusted;
}
- public ArrayList<CertPath> getCerts() {
+ public CertPath getCertPath() {
ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
for (int i=0; i < chain.length; i++)
@@ -98,7 +98,7 @@ public class HttpsCertVerifier implement
// carry on
}
- return certPaths;
+ return certPaths.get(0);
}
public ArrayList<String> getDetails() {
diff -r 500f06b81c78 -r 392843c37e47 rt/net/sourceforge/jnlp/tools/JarSigner.java
--- a/rt/net/sourceforge/jnlp/tools/JarSigner.java Thu Jan 20 11:11:20 2011 -0500
+++ b/rt/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 14:35:18 2011 +0000
@@ -142,11 +142,13 @@ public class JarSigner implements CertVe
private ArrayList<String> unverifiedJars = null;
/** the certificates used for jar verification */
- private ArrayList<CertPath> certs = null;
+ private HashMap<CertPath, Integer> certs = new HashMap<CertPath, Integer>();
/** details of this signing */
private ArrayList<String> details = new ArrayList<String>();
+ private int totalSignableEntries = 0;
+
/* (non-Javadoc)
* @see net.sourceforge.jnlp.tools.CertVerifier2#getAlreadyTrustPublisher()
*/
@@ -195,18 +197,41 @@ public class JarSigner implements CertVe
* @see net.sourceforge.jnlp.tools.CertVerifier2#getCerts()
*/
public ArrayList<CertPath> getCerts() {
- return certs;
+ return new ArrayList<CertPath>(certs.keySet());
}
+ /**
+ * Returns whether or not all entries have a common signer.
+ *
+ * It is possible to create jars where only some entries are signed. In
+ * such cases, we should not prompt the user to accept anything, as the whole
+ * application must be treated as unsigned. This method should be called by a
+ * caller before it is about to ask the user to accept a cert and determine
+ * whether the application is trusted or not.
+ *
+ * @return Whether or not all entries have a common signer
+ */
+ public boolean isFullySignedByASingleCert() {
+
+ for (CertPath cPath : certs.keySet()) {
+ // If this cert has signed everything, return true
+ if (certs.get(cPath) == totalSignableEntries)
+ return true;
+ }
+
+ // No cert found that signed all entries. Return false.
+ return false;
+ }
+
public void verifyJars(List<JARDesc> jars, ResourceTracker tracker)
throws Exception {
- certs = new ArrayList<CertPath>();
+ verifiedJars = new ArrayList<String>();
+ unverifiedJars = new ArrayList<String>();
+
for (int i = 0; i < jars.size(); i++) {
JARDesc jar = (JARDesc) jars.get(i);
- verifiedJars = new ArrayList<String>();
- unverifiedJars = new ArrayList<String>();
try {
@@ -235,6 +260,22 @@ public class JarSigner implements CertVe
throw e;
}
}
+
+ //we really only want the first certPath
+ for (CertPath cPath : certs.keySet()) {
+
+ if (certs.get(cPath) != totalSignableEntries)
+ continue;
+ else
+ certPath = cPath;
+
+ // check if the certs added above are in the trusted path
+ checkTrustedCerts();
+
+ if (alreadyTrustPublisher || rootInCacerts)
+ break;
+ }
+
}
public verifyResult verifyJar(String jarName) throws Exception {
@@ -242,10 +283,6 @@ public class JarSigner implements CertVe
boolean hasUnsignedEntry = false;
JarFile jarFile = null;
- // certs could be uninitialized if one calls this method directly
- if (certs == null)
- certs = new ArrayList<CertPath>();
-
try {
jarFile = new JarFile(jarName, true);
Vector<JarEntry> entriesVec = new Vector<JarEntry>();
@@ -283,21 +320,23 @@ public class JarSigner implements CertVe
CodeSigner[] signers = je.getCodeSigners();
boolean isSigned = (signers != null);
anySigned |= isSigned;
- hasUnsignedEntry |= !je.isDirectory() && !isSigned
- && !signatureRelated(name);
+
+ boolean shouldHaveSignature = !je.isDirectory()
+ && !signatureRelated(name);
+
+ hasUnsignedEntry |= shouldHaveSignature && !isSigned;
+
+ if (shouldHaveSignature)
+ totalSignableEntries++;
+
if (isSigned) {
- // TODO: Perhaps we should check here that
- // signers.length is only of size 1, and throw an
- // exception if it's not?
for (int i = 0; i < signers.length; i++) {
CertPath certPath = signers[i].getSignerCertPath();
- if (!certs.contains(certPath))
- certs.add(certPath);
-
- //we really only want the first certPath
- if (!certPath.equals(this.certPath)){
- this.certPath = certPath;
- }
+
+ if (!certs.containsKey(certPath))
+ certs.put(certPath, 1);
+ else
+ certs.put(certPath, certs.get(certPath) + 1);
Certificate cert = signers[i].getSignerCertPath()
.getCertificates().get(0);
@@ -317,7 +356,12 @@ public class JarSigner implements CertVe
}
}
} //while e has more elements
- } //if man not null
+ } else { //if man not null
+
+ // Else increment totalEntries by 1 so that unsigned jars with
+ // no manifests can't sneak in
+ totalSignableEntries++;
+ }
//Alert the user if any of the following are true.
if (!anySigned) {
@@ -357,9 +401,6 @@ public class JarSigner implements CertVe
jarFile.close();
}
}
-
- // check if the certs added above are in the trusted path
- checkTrustedCerts();
//anySigned does not guarantee that all files were signed.
return (anySigned && !(hasUnsignedEntry || hasExpiredCert
More information about the distro-pkg-dev
mailing list