/hg/icedtea-web: 2 new changesets
dbhole at icedtea.classpath.org
Tue Nov 8 08:06:59 PST 2011
changeset 614de01ec4e4 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=614de01ec4e4
author: Deepak Bhole <dbhole at redhat.com>
date: Fri Oct 28 14:29:21 2011 -0400
RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains
and suffix domain SOP bypass
changeset f36e0b3fb9f0 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=f36e0b3fb9f0
author: Deepak Bhole <dbhole at redhat.com>
date: Tue Nov 08 11:06:52 2011 -0500
merge
diffstat:
ChangeLog | 16 +++
NEWS | 2 +
netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 70 +-------------
netx/net/sourceforge/jnlp/tools/JarSigner.java | 2 +-
4 files changed, 20 insertions(+), 70 deletions(-)
diffs (134 lines):
diff -r 9f5ea9198a66 -r f36e0b3fb9f0 ChangeLog
--- a/ChangeLog Thu Oct 27 18:24:46 2011 -0400
+++ b/ChangeLog Tue Nov 08 11:06:52 2011 -0500
@@ -1,3 +1,19 @@
+2011-10-31 Omair Majid <omajid at redhat.com>
+
+ PR808: javaws is unable to start when missing jars are enumerated before
+ main jar
+ * NEWS: Update.
+ * netx/net/sourceforge/jnlp/tools/JarSigner.java (verifyJars): Continue
+ with other jars if the first jar can't be used.
+
+2011-10-28 Deepak Bhole <dbhole at redhat.com>
+
+ RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and
+ suffix domain SOP bypass
+ * NEWS: Updated
+ * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+ (checkPermission): Remove special case for SocketPermission.
+
2011-10-27 Deepak Bhole <dbhole at redhat.com>
PR778: Jar download and server certificate verification deadlock
diff -r 9f5ea9198a66 -r f36e0b3fb9f0 NEWS
--- a/NEWS Thu Oct 27 18:24:46 2011 -0400
+++ b/NEWS Tue Nov 08 11:06:52 2011 -0500
@@ -12,6 +12,7 @@
* Security updates:
- RH718164, CVE-2011-2513: Home directory path disclosure to untrusted applications
- RH718170, CVE-2011-2514: Java Web Start security warning dialog manipulation
+ - RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass
* NetX
- PR618: Can't install OpenDJ, JavaWebStart fails with Input stream is null error
- PR765: JNLP file with all resource jars marked as 'lazy' fails to validate signature and stops the launch of application
@@ -29,6 +30,7 @@
- PR778: Jar download and server certificate verification deadlock
- PR789: typo in jrunscript.sh
- PR794: IcedTea-Web does not work if a Web Start app jar has a Class-Path element in the manifest
+ - PR808: javaws is unable to start, when missing jars are enumerated before main jar
- RH734081: Javaws cannot use proxy settings from Firefox
- RH738814: Access denied at ssl handshake
- Support for authenticating using client certificates
diff -r 9f5ea9198a66 -r f36e0b3fb9f0 netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Thu Oct 27 18:24:46 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Tue Nov 08 11:06:52 2011 -0500
@@ -281,75 +281,7 @@
// }
// }
- try {
- super.checkPermission(perm);
- } catch (SecurityException se) {
-
- //This section is a special case for dealing with SocketPermissions.
- if (JNLPRuntime.isDebug())
- System.err.println("Requesting permission: " + perm.toString());
-
- //Change this SocketPermission's action to connect and accept
- //(and resolve). This is to avoid asking for connect permission
- //on every address resolve.
- Permission tmpPerm = null;
- if (perm instanceof SocketPermission) {
- tmpPerm = new SocketPermission(perm.getName(),
- SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
-
- // before proceeding, check if we are trying to connect to same origin
- ApplicationInstance app = getApplication();
- JNLPFile file = app.getJNLPFile();
-
- String srcHost = file.getSourceLocation().getAuthority();
- String destHost = name;
-
- // host = abc.xyz.com or abc.xyz.com:<port>
- if (destHost.indexOf(':') >= 0)
- destHost = destHost.substring(0, destHost.indexOf(':'));
-
- // host = abc.xyz.com
- String[] hostComponents = destHost.split("\\.");
-
- int length = hostComponents.length;
- if (length >= 2) {
-
- // address is in xxx.xxx.xxx format
- destHost = hostComponents[length - 2] + "." + hostComponents[length - 1];
-
- // host = xyz.com i.e. origin
- boolean isDestHostName = false;
-
- // make sure that it is not an ip address
- try {
- Integer.parseInt(hostComponents[length - 1]);
- } catch (NumberFormatException e) {
- isDestHostName = true;
- }
-
- if (isDestHostName) {
- // okay, destination is hostname. Now figure out if it is a subset of origin
- if (srcHost.endsWith(destHost)) {
- addPermission(tmpPerm);
- return;
- }
- }
- }
- } else {
- tmpPerm = perm;
- }
-
- if (tmpPerm != null) {
- //askPermission will only prompt the user on SocketPermission
- //meaning we're denying all other SecurityExceptions that may arise.
- if (askPermission(tmpPerm)) {
- addPermission(tmpPerm);
- //return quietly.
- } else {
- throw se;
- }
- }
- }
+ super.checkPermission(perm);
} catch (SecurityException ex) {
if (JNLPRuntime.isDebug()) {
System.out.println("Denying permission: " + perm);
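Review bot: The new `super.checkPermission(perm);` carries no comment explaining why the same-origin shortcut for SocketPermission was dropped, so a later maintainer could reintroduce a suffix comparison like the removed `srcHost.endsWith(destHost)`; a one-line rationale belongs directly above it, e.g. `// Defer entirely to the base policy: comparing host-name suffixes is not a same-origin test (CVE-2011-3377).` With the removal, the askPermission/addPermission prompt path is gone as well, so any SocketPermission the base policy rejects is now denied outright by the catch below, which matches the ChangeLog entry but is worth stating in that comment. The imports for SocketPermission, SecurityConstants, ApplicationInstance and JNLPFile are probably now unused in this file (the import block is outside the hunk), and the commented-out `// }` lines just above the change could go with them. The enclosing try and checkPermission itself begin and end outside the hunk.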
diff -r 9f5ea9198a66 -r f36e0b3fb9f0 netx/net/sourceforge/jnlp/tools/JarSigner.java
--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Thu Oct 27 18:24:46 2011 -0400
+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Tue Nov 08 11:06:52 2011 -0500
@@ -194,7 +194,7 @@
// some sort of resource download/cache error. Nothing to add
// in that case ... but don't fail here
if (jarFile == null) {
- return;
+ continue;
}
String localFile = jarFile.getAbsolutePath();
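Review bot: Changing `return` to `continue` makes a jar whose `jarFile` is null drop out of verification silently, while the comment above still only says "Nothing to add in that case"; it should state the consequence, e.g. `// skip this jar: it is neither verified nor counted, so later checks must not assume one result per input jar`. Whether the signed/unsigned tallies later in verifyJars assume an entry per input jar cannot be seen from this hunk; if they do, the skipped jar should be recorded, or at least reported through whatever debug output this class uses, rather than dropped without trace. The enclosing loop and verifyJars start and end outside the hunk.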