/hg/release/icedtea6-1.9: 3 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Wed Jul 20 08:32:14 PDT 2011
changeset 5fe46e0ad4ba in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=5fe46e0ad4ba
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Jul 20 12:38:14 2011 +0100
Prepare for 1.9.9 release.
2011-07-20 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Set release date to 2011-07-20.
* configure.ac: Bump to 1.9.9 proper.
changeset 5eedbbda2c82 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=5eedbbda2c82
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Jul 20 14:01:34 2011 +0100
RH718164, CVE-2011-2513: Home directory path disclosure to untrusted
apps
2011-07-20 Andrew John Hughes <ahughes at redhat.com>
* NEWS: List security fix.
2011-07-14 Omair Majid <omajid at redhat.com>
*
netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java: New
file.
* netx/net/sourceforge/jnlp/util/UrlUtils.java: New file.
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
jarLocationSecurityMap now contains originating urls, not cache
urls. (initializeResources): Add remote url to map instead
of local url. (activateJars): Add remote url to the
classloader's urls. Add mapping for remote to local url. Put
remote url in jarLocationSecurityMap. (loadClass): Add
remote url to the classloader's urls. Add mapping for remote
to local url. (getCodeSourceSecurity): Update javadoc to
note that the url must be remote.
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
(initialize): Set the callback for URLJarFile.
changeset eb05a18232e9 in /hg/release/icedtea6-1.9
details: http://icedtea.classpath.org/hg/release/icedtea6-1.9?cmd=changeset;node=eb05a18232e9
author: Andrew John Hughes <ahughes at redhat.com>
date: Wed Jul 20 16:32:04 2011 +0100
Added tag icedtea6-1.9.9 for changeset 5eedbbda2c82
diffstat:
.hgtags | 1 +
ChangeLog | 25 +
NEWS | 4 +-
configure.ac | 2 +-
netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java | 157 +++++++++++
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 24 +-
netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java | 4 +
netx/net/sourceforge/jnlp/util/UrlUtils.java | 53 +++
8 files changed, 260 insertions(+), 10 deletions(-)
diffs (387 lines):
diff -r b80005297ae5 -r eb05a18232e9 .hgtags
--- a/.hgtags Wed Jul 20 12:32:30 2011 +0100
+++ b/.hgtags Wed Jul 20 16:32:04 2011 +0100
@@ -28,3 +28,4 @@
03258f7ff9107c7e3be6931df2093b8395db89e4 icedtea6-1.9.6
9822da18c162896b9da66d45bdc341a1cd53581b icedtea6-1.9.7
25b9909a5432b811f85b121305a6ba7f01c7aace icedtea6-1.9.8
+5eedbbda2c822758fd693f7b1ad9a73caca53471 icedtea6-1.9.9
diff -r b80005297ae5 -r eb05a18232e9 ChangeLog
--- a/ChangeLog Wed Jul 20 12:32:30 2011 +0100
+++ b/ChangeLog Wed Jul 20 16:32:04 2011 +0100
@@ -1,3 +1,28 @@
+2011-07-20 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: List security fix.
+
+2011-07-14 Omair Majid <omajid at redhat.com>
+
+ * netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java: New file.
+ * netx/net/sourceforge/jnlp/util/UrlUtils.java: New file.
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
+ jarLocationSecurityMap now contains originating urls, not cache urls.
+ (initializeResources): Add remote url to map instead of local url.
+ (activateJars): Add remote url to the classloader's urls. Add mapping for
+ remote to local url. Put remote url in jarLocationSecurityMap.
+ (loadClass): Add remote url to the classloader's urls. Add mapping for
+ remote to local url.
+ (getCodeSourceSecurity): Update javadoc to note that the url must be
+ remote.
+ * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
+ (initialize): Set the callback for URLJarFile.
+
+2011-07-20 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Set release date to 2011-07-20.
+ * configure.ac: Bump to 1.9.9 proper.
+
2011-06-28 Andrew John Hughes <ahughes at redhat.com>
* Makefile.am: Add new patch.
diff -r b80005297ae5 -r eb05a18232e9 NEWS
--- a/NEWS Wed Jul 20 12:32:30 2011 +0100
+++ b/NEWS Wed Jul 20 16:32:04 2011 +0100
@@ -8,8 +8,10 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.9.9 (20XX-XX-XX):
+New in release 1.9.9 (2011-07-20):
+* Security fixes
+ - RH718164, CVE-2011-2513: Home directory path disclosure to untrusted apps
* Bug Fixes
- PR744: icedtea6-1.10.2 : patching error
- PR748: Icedtea6 fails to build with Linux 3.0.
diff -r b80005297ae5 -r eb05a18232e9 configure.ac
--- a/configure.ac Wed Jul 20 12:32:30 2011 +0100
+++ b/configure.ac Wed Jul 20 16:32:04 2011 +0100
@@ -1,4 +1,4 @@
-AC_INIT([icedtea6],[1.9.9pre],[distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6],[1.9.9],[distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r b80005297ae5 -r eb05a18232e9 netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java Wed Jul 20 16:32:04 2011 +0100
@@ -0,0 +1,157 @@
+/* CachedJarFileCallback.java
+ Copyright (C) 2011 Red Hat, Inc.
+ Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.runtime;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.jar.JarFile;
+
+import net.sourceforge.jnlp.util.UrlUtils;
+
+import sun.net.www.protocol.jar.URLJarFile;
+import sun.net.www.protocol.jar.URLJarFileCallBack;
+
+/**
+ * Invoked by URLJarFile to get a JarFile corresponding to a URL.
+ *
+ * Large parts of this class are based on JarFileFactory and URLJarFile.
+ */
+final class CachedJarFileCallback implements URLJarFileCallBack {
+
+ private static final CachedJarFileCallback INSTANCE = new CachedJarFileCallback();
+
+ public synchronized static CachedJarFileCallback getInstance() {
+ return INSTANCE;
+ }
+
+ /* our managed cache */
+ private final Map<URL, URL> mapping;
+
+ private CachedJarFileCallback() {
+ mapping = new ConcurrentHashMap<URL, URL>();
+ }
+
+ protected void addMapping(URL remoteUrl, URL localUrl) {
+ mapping.put(remoteUrl, localUrl);
+ }
+
+ @Override
+ public JarFile retrieve(URL url) throws IOException {
+ URL localUrl = mapping.get(url);
+
+ if (localUrl == null) {
+ /*
+ * If the jar url is not known, treat it as it would be treated in
+ * general by URLJarFile.
+ */
+ return cacheJarFile(url);
+ }
+
+ if (UrlUtils.isLocalFile(localUrl)) {
+ // if it is known to us, just return the cached file
+ return new JarFile(localUrl.getPath());
+ } else {
+ // throw new IllegalStateException("a non-local file in cache");
+ return null;
+ }
+
+ }
+
+ /*
+ * This method is a copy of URLJarFile.retrieve() without the callback check.
+ */
+ private JarFile cacheJarFile(URL url) throws IOException {
+ JarFile result = null;
+
+ final int BUF_SIZE = 2048;
+
+ /* get the stream before asserting privileges */
+ final InputStream in = url.openConnection().getInputStream();
+
+ try {
+ result =
+ AccessController.doPrivileged(new PrivilegedExceptionAction<JarFile>() {
+ @Override
+ public JarFile run() throws IOException {
+ OutputStream out = null;
+ File tmpFile = null;
+ try {
+ tmpFile = File.createTempFile("jar_cache", null);
+ tmpFile.deleteOnExit();
+ out = new FileOutputStream(tmpFile);
+ int read = 0;
+ byte[] buf = new byte[BUF_SIZE];
+ while ((read = in.read(buf)) != -1) {
+ out.write(buf, 0, read);
+ }
+ out.close();
+ out = null;
+ return new URLJarFile(tmpFile, null);
+ } catch (IOException e) {
+ if (tmpFile != null) {
+ tmpFile.delete();
+ }
+ throw e;
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+ if (out != null) {
+ out.close();
+ }
+ }
+ }
+ });
+ } catch (PrivilegedActionException pae) {
+ throw (IOException) pae.getException();
+ }
+
+ return result;
+ }
+
+}
diff -r b80005297ae5 -r eb05a18232e9 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Jul 20 12:32:30 2011 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Jul 20 16:32:04 2011 +0100
@@ -141,7 +141,7 @@
/** File entries in the jar files available to this classloader */
private TreeSet jarEntries = new TreeSet();
- /** Map of specific codesources to securitydesc */
+ /** Map of specific original (remote) CodeSource Urls to securitydesc */
private HashMap<URL, SecurityDesc> jarLocationSecurityMap = new HashMap<URL, SecurityDesc>();
/**
@@ -458,7 +458,7 @@
}
}
- jarLocationSecurityMap.put(location, jarSecurity);
+ jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
} catch (MalformedURLException mfe) {
System.err.println(mfe.getMessage());
}
@@ -676,7 +676,10 @@
try {
URL fileURL = new URL("file://" + extractedJarLocation);
- addURL(fileURL);
+ // there is no remote URL for this, so lets fake one
+ URL fakeRemote = new URL(jar.getLocation().toString() + "!" + je.getName());
+ CachedJarFileCallback.getInstance().addMapping(fakeRemote, fileURL);
+ addURL(fakeRemote);
SecurityDesc jarSecurity = file.getSecurity();
@@ -697,7 +700,7 @@
codebase.getHost());
}
- jarLocationSecurityMap.put(fileURL, jarSecurity);
+ jarLocationSecurityMap.put(fakeRemote, jarSecurity);
} catch (MalformedURLException mfue) {
if (JNLPRuntime.isDebug())
@@ -712,15 +715,18 @@
}
- addURL(location);
+ addURL(jar.getLocation());
// there is currently no mechanism to cache files per
// instance.. so only index cached files
if (localFile != null) {
+ CachedJarFileCallback.getInstance().addMapping(jar.getLocation(), localFile.toURL());
JarIndex index = JarIndex.getJarIndex(new JarFile(localFile.getAbsolutePath()), null);
if (index != null)
jarIndexes.add(index);
+ } else {
+ CachedJarFileCallback.getInstance().addMapping(jar.getLocation(), jar.getLocation());
}
if (JNLPRuntime.isDebug())
@@ -986,8 +992,10 @@
throw new ClassNotFoundException(name);
}
- if (u != null)
- addURL(u);
+ if (u != null) {
+ addURL(remoteURL);
+ CachedJarFileCallback.getInstance().addMapping(remoteURL, u);
+ }
}
@@ -1174,7 +1182,7 @@
/**
* Returns the security descriptor for given code source URL
*
- * @param source The code source
+ * @param source the origin (remote) url of the code
* @return The SecurityDescriptor for that source
*/
diff -r b80005297ae5 -r eb05a18232e9 netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Jul 20 12:32:30 2011 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Jul 20 16:32:04 2011 +0100
@@ -25,6 +25,8 @@
import java.security.*;
import javax.jnlp.*;
+import sun.net.www.protocol.jar.URLJarFile;
+
import net.sourceforge.jnlp.*;
import net.sourceforge.jnlp.cache.*;
import net.sourceforge.jnlp.services.*;
@@ -201,6 +203,8 @@
System.setSecurityManager(security);
}
+ URLJarFile.setCallBack(CachedJarFileCallback.getInstance());
+
initialized = true;
}
diff -r b80005297ae5 -r eb05a18232e9 netx/net/sourceforge/jnlp/util/UrlUtils.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java Wed Jul 20 16:32:04 2011 +0100
@@ -0,0 +1,53 @@
+/* UrlUtils.java
+ Copyright (C) 2011 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.util;
+
+import java.net.URL;
+
+public class UrlUtils {
+
+ public static boolean isLocalFile(URL url) {
+
+ if (url.getProtocol().equals("file") &&
+ (url.getAuthority() == null || url.getAuthority().equals("")) &&
+ (url.getHost() == null || url.getHost().equals(("")))) {
+ return true;
+ }
+ return false;
+ }
+}
More information about the distro-pkg-dev
mailing list