/hg/release/icedtea6-1.8: Fix for security exceptions when JPopu...
dlila at icedtea.classpath.org
dlila at icedtea.classpath.org
Wed Feb 23 12:50:19 PST 2011
changeset 934d7afe1f52 in /hg/release/icedtea6-1.8
details: http://icedtea.classpath.org/hg/release/icedtea6-1.8?cmd=changeset;node=934d7afe1f52
author: Denis Lila <dlila at redhat.com>
date: Wed Feb 23 14:11:39 2011 -0500
Fix for security exceptions when JPopupMenu sets always on top.
diffstat:
5 files changed, 266 insertions(+), 1 deletion(-)
ChangeLog | 9
Makefile.am | 4
NEWS | 6
patches/openjdk/6675802-securityExceptions-applets.patch | 75 ++++
patches/openjdk/6691503-malicious-applet-always-on-top.patch | 173 ++++++++++
diffs (309 lines):
diff -r 326f7589d7e8 -r 934d7afe1f52 ChangeLog
--- a/ChangeLog Tue Feb 15 23:02:33 2011 +0000
+++ b/ChangeLog Wed Feb 23 14:11:39 2011 -0500
@@ -1,3 +1,12 @@ 2011-02-15 Andrew John Hughes <ahughes
+2011-02-23 Denis Lila <dlila at redhat.com>
+
+ * Makefile.am: Added patches.
+ * NEWS: Updated.
+ * patches/openjdk/6675802-securityExceptions-applets.patch:
+ Get permissions before setting always on top.
+ * patches/openjdk/6691503-malicious-applet-always-on-top.patch:
+ Remove the fix above. Do nothing if SecurityException is thrown.
+
2011-02-15 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Add 1.8.8 section.
diff -r 326f7589d7e8 -r 934d7afe1f52 Makefile.am
--- a/Makefile.am Tue Feb 15 23:02:33 2011 +0000
+++ b/Makefile.am Wed Feb 23 14:11:39 2011 -0500
@@ -373,7 +373,9 @@ ICEDTEA_PATCHES = \
patches/openjdk/6541476-png-iTXt-chunk.patch \
patches/openjdk/6782079-png_metadata_oom.patch \
patches/rh676659-gcc-export-dynamic.patch \
- patches/latent_jaxp_bug.patch
+ patches/latent_jaxp_bug.patch \
+ patches/openjdk/6675802-securityExceptions-applets.patch \
+ patches/openjdk/6691503-malicious-applet-always-on-top.patch
if WITH_ALT_HSBUILD
ICEDTEA_PATCHES += patches/hotspot/$(HSBUILD)/openjdk-6886353-ignore_deoptimizealot.patch \
diff -r 326f7589d7e8 -r 934d7afe1f52 NEWS
--- a/NEWS Tue Feb 15 23:02:33 2011 +0000
+++ b/NEWS Wed Feb 23 14:11:39 2011 -0500
@@ -10,6 +10,10 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/
New in release 1.8.8 (20XX-XX-XX):
+* Backports
+ - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
+ - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
+
New in release 1.8.7 (2011-02-15):
* Security updates
@@ -21,6 +25,8 @@ New in release 1.8.7 (2011-02-15):
- S6985453, CVE-2010-4471: Java2D font-related system property leak
- S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
- RH677332, CVE-2011-0706: Multiple signers privilege escalation
+ - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
+ - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
* Bug fixes
- RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
- Fix latent JAXP bug caused by missing import
diff -r 326f7589d7e8 -r 934d7afe1f52 patches/openjdk/6675802-securityExceptions-applets.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/6675802-securityExceptions-applets.patch Wed Feb 23 14:11:39 2011 -0500
@@ -0,0 +1,75 @@
+# HG changeset patch
+# User mlapshin
+# Date 1208528462 -14400
+# Node ID dd66920b2d51e33ca2157ab045117cc7c7f5f0c0
+# Parent 147803acf437b81e72e50236030f2bc9ac37caee
+6675802: Regression: heavyweight popups cause SecurityExceptions in applets
+Summary: The problem code in Popup class is surrounded by AccessController.doPrivileged()
+Reviewed-by: alexp
+
+diff -r 147803acf437 -r dd66920b2d51 src/share/classes/javax/swing/Popup.java
+--- openjdk.orig/jdk/src/share/classes/javax/swing/Popup.java Mon Apr 14 16:41:00 2008 +0400
++++ openjdk/jdk/src/share/classes/javax/swing/Popup.java Fri Apr 18 18:21:02 2008 +0400
+@@ -229,7 +229,14 @@
+ // Popups are typically transient and most likely won't benefit
+ // from true double buffering. Turn it off here.
+ getRootPane().setUseTrueDoubleBuffering(false);
+- setAlwaysOnTop(true);
++ java.security.AccessController.doPrivileged(
++ new java.security.PrivilegedAction<Object>() {
++ public Object run() {
++ setAlwaysOnTop(true);
++ return null;
++ }
++ }
++ );
+ }
+
+ public void update(Graphics g) {
+diff -r 147803acf437 -r dd66920b2d51 test/javax/swing/JPopupMenu/6675802/bug6675802.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/test/javax/swing/JPopupMenu/6675802/bug6675802.java Fri Apr 18 18:21:02 2008 +0400
+@@ -0,0 +1,43 @@
++/*
++ * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 6675802
++ * @summary Checks that there is no AccessControlException when
++ * a heaviweight popup menu is shown from an applet.
++ * @author Mikhail Lapshin
++ * @run main bug6675802
++ */
++
++import javax.swing.*;
++
++public class bug6675802 {
++ public static void main(String[] args) {
++ System.setSecurityManager(new SecurityManager());
++ final JPopupMenu popupMenu = new JPopupMenu();
++ popupMenu.add(new JMenuItem("Click"));
++ popupMenu.show(null, 0, 0);
++ System.out.println("Test passed");
++ }
++}
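Review bot: The `doPrivileged` wrapper this patch puts around `setAlwaysOnTop(true)` in Popup.java makes the call run with the JDK's own permissions, so the always-on-top permission check no longer sees the calling code, unsigned applets included; that is the condition the NEWS entry for S6691503 describes. The commit depends on the 6691503 patch to take the wrapper out again, and that patch is a diff against the result of this one, so the two Makefile.am entries have to stay together and in this order. Nothing in this patch file records that, so I would add a line to its description such as `Must be followed by 6691503-malicious-applet-always-on-top.patch, which removes the doPrivileged block.` The regression test bug6675802 passes whenever no exception escapes `show`, so it would not notice this patch being applied on its own. The enclosing method in Popup.java starts outside the inner hunk.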
diff -r 326f7589d7e8 -r 934d7afe1f52 patches/openjdk/6691503-malicious-applet-always-on-top.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/6691503-malicious-applet-always-on-top.patch Wed Feb 23 14:11:39 2011 -0500
@@ -0,0 +1,173 @@
+diff -r dd66920b2d51 src/share/classes/javax/swing/Popup.java
+--- openjdk.orig/jdk/src/share/classes/javax/swing/Popup.java Fri Apr 18 18:21:02 2008 +0400
++++ openjdk/jdk/src/share/classes/javax/swing/Popup.java Wed Feb 23 13:50:58 2011 -0500
+@@ -1,12 +1,12 @@
+ /*
+- * Copyright 1999-2007 Sun Microsystems, Inc. All Rights Reserved.
++ * Copyright (c) 1999, 2008, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation. Sun designates this
++ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+- * by Sun in the LICENSE file that accompanied this code.
++ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+@@ -18,9 +18,9 @@
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+- * CA 95054 USA or visit www.sun.com if you need additional information or
+- * have any questions.
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
+ */
+
+ package javax.swing;
+@@ -229,14 +229,15 @@
+ // Popups are typically transient and most likely won't benefit
+ // from true double buffering. Turn it off here.
+ getRootPane().setUseTrueDoubleBuffering(false);
+- java.security.AccessController.doPrivileged(
+- new java.security.PrivilegedAction<Object>() {
+- public Object run() {
+- setAlwaysOnTop(true);
+- return null;
+- }
+- }
+- );
++ // Try to set "always-on-top" for the popup window.
++ // Applets usually don't have sufficient permissions to do it.
++ // In this case simply ignore the exception.
++ try {
++ setAlwaysOnTop(true);
++ } catch (SecurityException se) {
++ // setAlwaysOnTop is restricted,
++ // the exception is ignored
++ }
+ }
+
+ public void update(Graphics g) {
+diff -r dd66920b2d51 test/javax/swing/JPopupMenu/6691503/bug6691503.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/test/javax/swing/JPopupMenu/6691503/bug6691503.java Wed Feb 23 13:50:58 2011 -0500
+@@ -0,0 +1,113 @@
++/*
++ * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 6691503
++ * @summary Checks that there is no opportunity for a malicious applet
++ * to show a popup menu which has whole screen size.
++ * a heaviweight popup menu is shown from an applet.
++ * @author Mikhail Lapshin
++ * @run main bug6691503
++ */
++
++import sun.awt.SunToolkit;
++
++import javax.swing.*;
++import java.awt.*;
++
++public class bug6691503 {
++ private JPopupMenu popupMenu;
++ private JFrame frame;
++ private boolean isAlwaysOnTop1 = false;
++ private boolean isAlwaysOnTop2 = true;
++
++ public static void main(String[] args) {
++ bug6691503 test = new bug6691503();
++ test.setupUI();
++ test.testApplication();
++ test.testApplet();
++ test.checkResult();
++ test.stopEDT();
++ }
++
++ private void setupUI() {
++ SwingUtilities.invokeLater(new Runnable() {
++ public void run() {
++ frame = new JFrame();
++ frame.setVisible(true);
++ popupMenu = new JPopupMenu();
++ JMenuItem click = new JMenuItem("Click");
++ popupMenu.add(click);
++ }
++ });
++ }
++
++ private void testApplication() {
++ SwingUtilities.invokeLater(new Runnable() {
++ public void run() {
++ popupMenu.show(frame, 0, 0);
++ Window popupWindow = (Window)
++ (popupMenu.getParent().getParent().getParent().getParent());
++ isAlwaysOnTop1 = popupWindow.isAlwaysOnTop();
++ System.out.println(
++ "Application: popupWindow.isAlwaysOnTop() = " + isAlwaysOnTop1);
++ popupMenu.setVisible(false);
++ }
++ });
++ }
++
++ private void testApplet() {
++ SwingUtilities.invokeLater(new Runnable() {
++ public void run() {
++ System.setSecurityManager(new SecurityManager());
++ popupMenu.show(frame, 0, 0);
++ Window popupWindow = (Window)
++ (popupMenu.getParent().getParent().getParent().getParent());
++ isAlwaysOnTop2 = popupWindow.isAlwaysOnTop();
++ System.out.println(
++ "Applet: popupWindow.isAlwaysOnTop() = " + isAlwaysOnTop2);
++ popupMenu.setVisible(false);
++ }
++ });
++ }
++
++ private void checkResult() {
++ ((SunToolkit)(Toolkit.getDefaultToolkit())).realSync();
++ if (!isAlwaysOnTop1 || isAlwaysOnTop2) {
++ throw new RuntimeException("Malicious applet can show always-on-top " +
++ "popup menu which has whole screen size");
++ }
++ System.out.println("Test passed");
++ }
++
++ private void stopEDT() {
++ SwingUtilities.invokeLater(new Runnable() {
++ public void run() {
++ frame.dispose();
++ }
++ });
++ }
++}
++
++
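Review bot: The comment added above the `try` in Popup.java says the SecurityException is ignored but not why the call has to stay unprivileged, and the previous patch in this series shows how readily a `doPrivileged` wrapper ends up at this spot. I would extend it with `// Do not wrap this call in doPrivileged: the always-on-top permission check must see the caller (6691503).` In bug6691503.java the `@summary` block still carries a line left over from the 6675802 test, `a heaviweight popup menu is shown from an applet.`, which should be dropped. The enclosing method in Popup.java begins outside the inner hunk.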