/hg/icedtea-web: Verify nested jars just like main jars
omajid at icedtea.classpath.org
Tue Feb 1 18:08:03 PST 2011
changeset 2d39fa58036e in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=2d39fa58036e
author: Omair Majid <omajid at redhat.com>
date: Tue Feb 01 21:07:03 2011 -0500
Verify nested jars just like main jars
Fix an exception that occurs when More Information is clicked in the
Certificate warning dialog when dealing with signed nested jars.
2011-02-01 Omair Majid <omajid at redhat.com>
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
(activateJars): Add the nested jar to ResourceTracker. Use
JarSigner.verifyJars instead of JarSigner.verifyJar.
* netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJar): Make
private to indicate nothing should be using this directly.
diffstat:
3 files changed, 15 insertions(+), 2 deletions(-)
ChangeLog | 9 +++++++++
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 6 +++++-
netx/net/sourceforge/jnlp/tools/JarSigner.java | 2 +-
diffs (44 lines):
diff -r 97f40ebebbdf -r 2d39fa58036e ChangeLog
--- a/ChangeLog Tue Feb 01 10:53:44 2011 -0500
+++ b/ChangeLog Tue Feb 01 21:07:03 2011 -0500
@@ -1,3 +1,12 @@ 2011-01-24 Deepak Bhole <dbhole at redhat.c
+2011-02-01 Omair Majid <omajid at redhat.com>
+
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+ (activateJars): Add the nested jar to ResourceTracker. Use
+ JarSigner.verifyJars instead of JarSigner.verifyJar.
+ * netx/net/sourceforge/jnlp/tools/JarSigner.java
+ (verifyJar): Make private to indicate nothing should be using this
+ directly.
+
2011-01-24 Deepak Bhole <dbhole at redhat.com>
RH672262, CVE-2011-0025: IcedTea jarfile signature verification bypass
diff -r 97f40ebebbdf -r 2d39fa58036e netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 10:53:44 2011 -0500
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Feb 01 21:07:03 2011 -0500
@@ -693,7 +693,11 @@ public class JNLPClassLoader extends URL
}
JarSigner signer = new JarSigner();
- signer.verifyJar(extractedJarLocation);
+ List<JARDesc> jars = new ArrayList<JARDesc>();
+ JARDesc jarDesc = new JARDesc(new File(extractedJarLocation).toURL(), null, null, false, false, false, false);
+ jars.add(jarDesc);
+ tracker.addResource(new File(extractedJarLocation).toURL(), null, null);
+ signer.verifyJars(jars, tracker);
if (signer.anyJarsSigned() && !signer.getAlreadyTrustPublisher()) {
checkTrustWithUser(signer);
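Review bot: `new File(extractedJarLocation).toURL()` is evaluated twice in this hunk (once for the `JARDesc`, once for `tracker.addResource`), and `File.toURL()` is deprecated because it does not escape characters that are illegal in a URL, so a nested jar extracted to a path containing spaces or non-ASCII characters can yield a malformed URL and the `JARDesc` and the tracker entry could in principle disagree. Hoist it into one local computed via `new File(extractedJarLocation).toURI().toURL()` and pass that same `URL` to both the `JARDesc` constructor and `tracker.addResource`, so the jar that `verifyJars` looks up in the tracker is exactly the one described.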
diff -r 97f40ebebbdf -r 2d39fa58036e netx/net/sourceforge/jnlp/tools/JarSigner.java
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 10:53:44 2011 -0500
+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Feb 01 21:07:03 2011 -0500
@@ -232,7 +232,7 @@ public class JarSigner implements CertVe
}
- public verifyResult verifyJar(String jarName) throws Exception {
+ private verifyResult verifyJar(String jarName) throws Exception {
boolean anySigned = false;
boolean hasUnsignedEntry = false;
JarFile jarFile = null;
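Review bot: making `verifyJar` private matches the intent in the commit message, but nothing in the hunk records why; a one-line Javadoc above the `private verifyResult verifyJar(String jarName)` declaration stating that callers must go through `verifyJars` (which also drives the trust checks, as the JNLPClassLoader change relies on) would keep the next person from simply flipping it back to public. Separately, the return type `verifyResult` is lowercase, which breaks the Java type-naming convention that the rest of the file follows; renaming it to `VerifyResult` is a reasonable follow-up while this method's signature is already being touched.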