/hg/icedtea-web: Bug fix for security hole in PR1769 fix

aazores at icedtea.classpath.org aazores at icedtea.classpath.org
Tue Aug 5 14:07:52 UTC 2014 

changeset 2833fae52261 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=2833fae52261
author: Andrew Azores <aazores at redhat.com>
date: Tue Aug 05 10:07:27 2014 -0400

	Bug fix for security hole in PR1769 fix

	2014-08-05  Andrew Azores  <aazores at redhat.com>

		Small bug fix (security hole) for previous PR1769 patch. This patch closes
		a hole where very specifically formulated partially signed applets could
		maintain fully signed privileges (all-permissions), even for their
		unsigned components.
		* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
		(initializeResources): ensure that the 'signing' field is properly set for
		partially signed applets and that applets with an external main class are
		properly detected.


diffstat:

 ChangeLog                                              |  11 +++++++++++
 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java |  10 ++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diffs (60 lines):

diff -r d1584d50c1e9 -r 2833fae52261 ChangeLog
--- a/ChangeLog	Fri Aug 01 11:29:26 2014 -0400
+++ b/ChangeLog	Tue Aug 05 10:07:27 2014 -0400
@@ -1,3 +1,14 @@
+2014-08-05  Andrew Azores  <aazores at redhat.com>
+
+	Small bug fix (security hole) for previous PR1769 patch. This patch closes
+	a hole where very specifically formulated partially signed applets could
+	maintain fully signed privileges (all-permissions), even for their
+	unsigned components.
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+	(initializeResources): ensure that the 'signing' field is properly set for
+	partially signed applets and that applets with an external main class are
+	properly detected.
+
 2014-08-01  Andrew Azores  <aazores at redhat.com>
 
 	Fixed support for signed applets which specify the Permissions attribute
diff -r d1584d50c1e9 -r 2833fae52261 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Fri Aug 01 11:29:26 2014 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Aug 05 10:07:27 2014 -0400
@@ -579,8 +579,11 @@
                 }
             }
 
-            if (allSigned)
+            if (allSigned) {
                 signing = SigningState.FULL;
+            } else {
+                signing = SigningState.NONE;
+            }
 
             //Check if main jar is found within extensions
             foundMainJar = foundMainJar || hasMainInExtensions();
@@ -678,7 +681,7 @@
 
                 // If externalAppletMainClass is true and a LaunchException was not thrown above,
                 // then the main-class can be loaded from the applet codebase, but is obviously not signed
-                if (!jcv.allJarsSigned()) {
+                if (externalAppletMainClass) {
                     checkPartialSigningWithUser();
                 }
 
@@ -733,6 +736,7 @@
             }
 
             if (containsUnsignedJar && containsSignedJar) {
+                signing = SigningState.PARTIAL;
                 break;
             }
         }
@@ -741,6 +745,8 @@
             checkPartialSigningWithUser();
         }
 
+        setSecurity();
+
         initializeManifestAttributesChecker();
         mac.checkAll();

More information about the distro-pkg-dev mailing list