[rfc][icedtea-web] Reproducer of BeansStatement behaviour

Omair Majid omajid at redhat.com
Wed Jan 2 14:36:09 PST 2013


On 12/18/2012 06:01 AM, Jiri Vanek wrote:
> On 12/17/2012 06:01 PM, Omair Majid wrote:
>> On 12/14/2012 03:58 PM, Adam Domurad wrote:
>>> On 12/13/2012 11:35 AM, Jiri Vanek wrote:
>>> Looks OK, although this seems like something that is better placed in a
>>> JRE's test suite, not ITWs.
>>
>> Agreed. While it is nice to have another test to check a security
>> property, I am not sure how sensible it is to add this test to
>> icedtea-web. The test is, after all, testing that the JRE enforces a
>> security check when a certain operation is performed. We do have a
>> number of tests that check that the code in icedtea-web is running in a
>> sandbox, but nothing that is as specific as this.
>>
>> I would like to know what's the motivation for adding this specific test
>> to icedtea-web.
>>
> 
> Motivation is simple, this was once safe and working. Due to several
> changes in jdk this became penetrable.

I don't see why this means this bug should be tested in icedtea-web,
though. Surely there have been hundreds of vulnerabilities in the JRE.
Are we planning to test for all of them in icedtea-web? Should we also
test vulnerabilities in other parts of the stack? (Some libraries that
we use for graphics and audio have had vulnerabilities in the past)

> ITW is the way via which it can be misused.

IcedTea-Web is the vector, but there is nothing that we can do to
avoid/fix the security problem here. We are doing everything correctly,
and other code is behaving incorrectly.

It's not likely that we can introduce this bug in IcedTea-Web in the
future if we make a mistake either - there are already existing tests
that ensure that a SecurityManager is installed, which is all that JRE
should need to secure BeansStatement.

> I think that having such a
> reproducer run periodically can speed up discovery and so fix in case
> that some changes will lead to penetrability again.

I agree that a reproducer would be good to have, but I think it belongs
in OpenJDK (where the problem actually is) rather than in IcedTea-Web.

Cheers,
Omair

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681



More information about the distro-pkg-dev mailing list