/hg/icedtea-web: RH663680, CVE-2010-4351: JNLP SecurityManager b...
dbhole at icedtea.classpath.org
Tue Jan 18 10:13:34 PST 2011
changeset 925f97c584a8 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=925f97c584a8
author: Deepak Bhole <dbhole at redhat.com>
date: Tue Jan 18 12:07:45 2011 -0500
RH663680, CVE-2010-4351: JNLP SecurityManager bypass
2010-12-16 Omair Majid <omajid at redhat.com>
RH663680, CVE-2010-4351:
* NEWS: List issue.
* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java: Make
sure SecurityException is thrown if necessary.
diffstat:
3 files changed, 10 insertions(+)
ChangeLog | 7 +++++++
NEWS | 1 +
netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 2 ++
diffs (46 lines):
diff -r 98215ab000dd -r 925f97c584a8 ChangeLog
--- a/ChangeLog Mon Jan 17 13:44:31 2011 -0500
+++ b/ChangeLog Tue Jan 18 12:07:45 2011 -0500
@@ -248,6 +248,13 @@ 2010-12-17 Omair Majid <omajid at redhat.
value is not security-sensitive and the method is private.
* netx/net/sourceforge/jnlp/services/ServiceUtil.java
(shouldPromptUser): Likewise.
+
+2010-12-16 Omair Majid <omajid at redhat.com>
+
+ RH663680, CVE-2010-4351:
+ * NEWS: List issue.
+ * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java:
+ Make sure SecurityException is thrown if necessary.
2010-12-15 Omair Majid <omajid at redhat.com>
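Review bot: the new ChangeLog entry for JNLPSecurityManager.java does not name the method that changed, while the entry just above it does ("(shouldPromptUser): Likewise."). Add the method name in parentheses after the file path so the security fix can be located from the ChangeLog alone.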
diff -r 98215ab000dd -r 925f97c584a8 NEWS
--- a/NEWS Mon Jan 17 13:44:31 2011 -0500
+++ b/NEWS Tue Jan 18 12:07:45 2011 -0500
@@ -28,5 +28,6 @@ New in release 1.0 (2010-XX-XX):
- Add a new option -Xclearcache
- Interfaces javax.jnlp.IntegrationService and javax.jnlp.DownloadService2 are now available
- PR592: NetX can create invalid desktop entry files
+ - RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
* Control Panel
- Modifications to deployments.properties file can now be done through a GUI
diff -r 98215ab000dd -r 925f97c584a8 netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Mon Jan 17 13:44:31 2011 -0500
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Tue Jan 18 12:07:45 2011 -0500
@@ -308,6 +308,7 @@ class JNLPSecurityManager extends AWTSec
}
} else if (perm instanceof SecurityPermission) {
+ tmpPerm = perm;
// JCE's initialization requires putProviderProperty permission
if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
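Review bot: the added "tmpPerm = perm;" at the top of the SecurityPermission branch has no comment, and the only comment nearby is about JCE initialization. Since the ChangeLog ties this assignment to a SecurityException being thrown, add a one-line comment stating why tmpPerm must be set before the putProviderProperty.SunJCE special case. The diffstat lists only ChangeLog, NEWS and this file, so a regression test for the SecurityPermission path should accompany the fix.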
@@ -317,6 +318,7 @@ class JNLPSecurityManager extends AWTSec
}
} else if (perm instanceof RuntimePermission) {
+ tmpPerm = perm;
// KeyGenerator's init method requires internal spec access
if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
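Review bot: in the RuntimePermission branch, the context line below the added assignment compares perm against new SecurityPermission("accessClassInPackage.sun.security.internal.spec"). BasicPermission.equals requires both objects to be of the same class, so a RuntimePermission can never equal a SecurityPermission and the KeyGenerator special case cannot match. The comparison should be against new RuntimePermission(...) with the same name. Separately, "tmpPerm = perm;" is now repeated in two adjacent branches; if every branch needs it, assign it once before the if/else chain so a future branch cannot omit it.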