/hg/release/icedtea-web-1.0: RH663680, CVE-2010-4351: JNLP Secur...
dbhole at icedtea.classpath.org
Tue Jan 18 10:09:23 PST 2011
changeset ee7a2e5e3849 in /hg/release/icedtea-web-1.0
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=ee7a2e5e3849
author: Deepak Bhole <dbhole at redhat.com>
date: Tue Jan 18 12:07:45 2011 -0500
RH663680, CVE-2010-4351: JNLP SecurityManager bypass
2010-12-16 Omair Majid <omajid at redhat.com>
RH663680, CVE-2010-4351:
* NEWS: List issue.
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java: Make
sure SecurityException is thrown if necessary.
diffstat:
3 files changed, 10 insertions(+)
ChangeLog | 7 +++++++
NEWS | 1 +
netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 2 ++
diffs (46 lines):
diff -r b3647620fa41 -r ee7a2e5e3849 ChangeLog
--- a/ChangeLog Fri Jan 07 08:08:41 2011 -0500
+++ b/ChangeLog Tue Jan 18 12:07:45 2011 -0500
@@ -24,6 +24,13 @@ 2010-12-22 Deepak Bhole <dbhole at redhat.
(parseReturn): Skip one less space so that the first cookie is not
skipped.
* NEWS: Updated.
+
+2010-12-16 Omair Majid <omajid at redhat.com>
+
+ RH663680, CVE-2010-4351:
+ * NEWS: List issue.
+ * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java:
+ Make sure SecurityException is thrown if necessary.
2010-12-14 Andrew John Hughes <ahughes at redhat.com>
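Review bot: The new 2010-12-16 entry names the file but not the method that changed, unlike the entry directly above it, which tags its change with `(parseReturn):`. Suggest adding the method name in parentheses after the JNLPSecurityManager.java path, and replacing "if necessary" with the condition under which the SecurityException was previously not thrown, so the log records what was actually wrong.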
diff -r b3647620fa41 -r ee7a2e5e3849 NEWS
--- a/NEWS Fri Jan 07 08:08:41 2011 -0500
+++ b/NEWS Tue Jan 18 12:07:45 2011 -0500
@@ -28,5 +28,6 @@ New in release 1.0 (2010-XX-XX):
- Add a new option -Xclearcache
- Interfaces javax.jnlp.IntegrationService and javax.jnlp.DownloadService2 are now available
- PR592: NetX can create invalid desktop entry files
+ - RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
* Control Panel
- Modifications to deployments.properties file can now be done through a GUI
diff -r b3647620fa41 -r ee7a2e5e3849 netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Jan 07 08:08:41 2011 -0500
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Tue Jan 18 12:07:45 2011 -0500
@@ -313,6 +313,7 @@ class JNLPSecurityManager extends AWTSec
}
} else if (perm instanceof SecurityPermission) {
+ tmpPerm = perm;
// JCE's initialization requires putProviderProperty permission
if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
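Review bot: The added `tmpPerm = perm;` at the top of the `SecurityPermission` branch carries no comment, and nothing in this hunk shows where `tmpPerm` is read, so a reader cannot see how the assignment leads to the SecurityException the commit message refers to. Suggest a one-line comment stating what depends on `tmpPerm` being set, and consider assigning it once before the `instanceof` chain so that a branch added later cannot omit it. The diffstat lists only ChangeLog, NEWS and this file; a regression test that requests a `SecurityPermission` other than the exempted one and expects a `SecurityException` would pin the fix.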
@@ -322,6 +323,7 @@ class JNLPSecurityManager extends AWTSec
}
} else if (perm instanceof RuntimePermission) {
+ tmpPerm = perm;
// KeyGenerator's init method requires internal spec access
if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
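Review bot: In the `RuntimePermission` branch, the context line after the new assignment compares `perm` with `new SecurityPermission("accessClassInPackage.sun.security.internal.spec")`. Inside this branch `perm` is a `RuntimePermission`, and `BasicPermission.equals` requires both objects to be of the same class, so the condition can never be true and the KeyGenerator exemption described in the comment never applies. `accessClassInPackage.*` is a `RuntimePermission` target, so the comparison should construct a `RuntimePermission` with that name. Since this change already touches the branch, it is worth correcting here or filing separately.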