Hello community,

here is the log from the commit of package icedtea-web for openSUSE:Factory
checked in at Thu Jul 21 11:45:55 CEST 2011.



--------
--- icedtea-web/icedtea-web.changes     2011-07-08 10:33:00.000000000 +0200
+++ /mounts/work_src_done/STABLE/icedtea-web/icedtea-web.changes        
2011-07-20 15:19:15.000000000 +0200
@@ -1,0 +2,9 @@
+Wed Jul 20 13:18:38 UTC 2011 - [email protected]
+
+- fix bnc#704309 - VUL-0: icedtea/icedtea-web two issues 
+  * CVE-2011-2513
+  * CVE-2011-2514
+- use --with-java instead of patching of launchers as
+  suggested by upstream
+
+-------------------------------------------------------------------

calling whatdependson for head-i586


Old:
----
  icedtea-1.1-use-jre-in-launchers.patch

New:
----
  icedtea-web-1.1-CVE-2011-2513.patch
  icedtea-web-1.1-CVE-2011-2514.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ icedtea-web.spec ++++++
--- /var/tmp/diff_new_pack.Jf1Ykb/_old  2011-07-21 11:45:14.000000000 +0200
+++ /var/tmp/diff_new_pack.Jf1Ykb/_new  2011-07-21 11:45:14.000000000 +0200
@@ -50,7 +50,7 @@
 
 Name:           icedtea-web
 Version:        1.1
-Release:        2
+Release:        4
 Summary:        Java Web Start and plugin implementation
 Group:          Development/Languages/Java
 License:        GPLv2 ; - with the OpenJDK Assembly Exception and the GNU 
Classpath Exception
@@ -61,10 +61,9 @@
 # https://bugzilla.mozilla.org/show_bug.cgi?id=582130
 # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=622
 Patch1:         icedtea-web-1.1-moonlight-symbol-clash.patch
-#PATCH-FIX-OPENSUSE:
-#https://bugzilla.novell.com/show_bug.cgi?id=704419#c1
-#sent to icedtea mailinglist
-Patch2:         icedtea-1.1-use-jre-in-launchers.patch
+#PATCH-FIX-UPSTREAM: bnc#704309
+Patch2:         icedtea-web-1.1-CVE-2011-2513.patch
+Patch3:         icedtea-web-1.1-CVE-2011-2514.patch
 Patch1000:      icedtea-web-suse-desktop-files.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  java-1_6_0-openjdk-devel
@@ -117,6 +116,7 @@
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %patch1000 -p1
 
@@ -124,6 +124,7 @@
 #XXX: This disallows usage of openjdk 7
 %{configure} \
     --with-jdk-home=%{_jvmdir}/%{sdkdir} \
+    --with-java=%{jvmdir}/%{jredir}/bin/java \
     --docdir=%{_javadocdir}/%{name} \
     --with-pkgversion=suse-%{release}-%{_arch} 
 
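Review bot: The new `--with-java` line uses `%{jvmdir}/%{jredir}/bin/java` while the sibling `--with-jdk-home` line directly above uses `%{_jvmdir}/%{sdkdir}`; unless `jvmdir` is defined earlier in the spec (not visible here), rpm leaves the macro unexpanded and configure receives a literal `%{jvmdir}/...` path, so the launchers would be generated pointing at a java binary that does not exist. Use the same macro as the line above, `--with-java=%{_jvmdir}/%{jredir}/bin/java \`, and confirm that `jredir` is defined alongside `sdkdir`. Since the changelog says this flag replaces the dropped launcher patch, a wrong path here silently regresses the fix it replaces.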

++++++ icedtea-web-1.1-CVE-2011-2513.patch ++++++
diff -r 910fb608062d 
netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java      Thu Jul 
14 13:12:10 2011 -0400
@@ -0,0 +1,157 @@
+/* CachedJarFileCallback.java
+   Copyright (C) 2011 Red Hat, Inc.
+   Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING.  If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.runtime;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.jar.JarFile;
+
+import net.sourceforge.jnlp.util.UrlUtils;
+
+import sun.net.www.protocol.jar.URLJarFile;
+import sun.net.www.protocol.jar.URLJarFileCallBack;
+
+/**
+ * Invoked by URLJarFile to get a JarFile corresponding to a URL.
+ *
+ * Large parts of this class are based on JarFileFactory and URLJarFile.
+ */
+final class CachedJarFileCallback implements URLJarFileCallBack {
+
+    private static final CachedJarFileCallback INSTANCE = new 
CachedJarFileCallback();
+
+    public synchronized static CachedJarFileCallback getInstance() {
+        return INSTANCE;
+    }
+
+    /* our managed cache */
+    private final Map<URL, URL> mapping;
+
+    private CachedJarFileCallback() {
+        mapping = new ConcurrentHashMap<URL, URL>();
+    }
+
+    protected void addMapping(URL remoteUrl, URL localUrl) {
+        mapping.put(remoteUrl, localUrl);
+    }
+
+    @Override
+    public JarFile retrieve(URL url) throws IOException {
+        URL localUrl = mapping.get(url);
+
+        if (localUrl == null) {
+            /*
+             * If the jar url is not known, treat it as it would be treated in
+             * general by URLJarFile.
+             */
+            return cacheJarFile(url);
+        }
+
+        if (UrlUtils.isLocalFile(localUrl)) {
+            // if it is known to us, just return the cached file
+            return new JarFile(localUrl.getPath());
+        } else {
+            // throw new IllegalStateException("a non-local file in cache");
+            return null;
+        }
+
+    }
+
+    /*
+     * This method is a copy of URLJarFile.retrieve() without the callback 
check.
+     */
+    private JarFile cacheJarFile(URL url) throws IOException {
+        JarFile result = null;
+
+        final int BUF_SIZE = 2048;
+
+        /* get the stream before asserting privileges */
+        final InputStream in = url.openConnection().getInputStream();
+
+        try {
+            result =
+                    AccessController.doPrivileged(new 
PrivilegedExceptionAction<JarFile>() {
+                        @Override
+                        public JarFile run() throws IOException {
+                            OutputStream out = null;
+                            File tmpFile = null;
+                            try {
+                                tmpFile = File.createTempFile("jar_cache", 
null);
+                                tmpFile.deleteOnExit();
+                                out = new FileOutputStream(tmpFile);
+                                int read = 0;
+                                byte[] buf = new byte[BUF_SIZE];
+                                while ((read = in.read(buf)) != -1) {
+                                    out.write(buf, 0, read);
+                                }
+                                out.close();
+                                out = null;
+                                return new URLJarFile(tmpFile, null);
+                            } catch (IOException e) {
+                                if (tmpFile != null) {
+                                    tmpFile.delete();
+                                }
+                                throw e;
+                            } finally {
+                                if (in != null) {
+                                    in.close();
+                                }
+                                if (out != null) {
+                                    out.close();
+                                }
+                            }
+                        }
+                    });
+        } catch (PrivilegedActionException pae) {
+            throw (IOException) pae.getException();
+        }
+
+        return result;
+    }
+
+}
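Review bot: `retrieve` returns null when a mapped URL is not a local file (the `else` branch with the commented-out `IllegalStateException`), so the caller gets null instead of an error it can attribute, and the branch is reachable because JNLPClassLoader in this same patch maps `jar.getLocation()` to itself for jars without a local file. Either throw `new IOException("no local cache entry for " + url)` there, or add a Javadoc on `retrieve` stating that null is the deliberate signal for URLJarFile to fall back, and in both cases delete the commented-out line. Separately, the cache is keyed by `java.net.URL`, whose `equals`/`hashCode` resolve host names, so each lookup may perform DNS and two URLs with different host names can compare equal; keying on `url.toExternalForm()` or a `java.net.URI` avoids both. Minor style: `getInstance` needs no `synchronized` for a statically initialised constant, and `protected addMapping` in a package-private final class is effectively package-private.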
diff -r 910fb608062d netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java    Tue Jun 14 
13:29:12 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java    Thu Jul 14 
13:12:10 2011 -0400
@@ -147,7 +147,7 @@
     /** File entries in the jar files available to this classloader */
     private TreeSet<String> jarEntries = new TreeSet<String>();
 
-    /** Map of specific codesources to securitydesc */
+    /** Map of specific original (remote) CodeSource Urls  to securitydesc */
     private HashMap<URL, SecurityDesc> jarLocationSecurityMap =
             new HashMap<URL, SecurityDesc>();
     
@@ -509,7 +509,7 @@
                     }
                 }
 
-                jarLocationSecurityMap.put(location, jarSecurity);
+                jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
             } catch (MalformedURLException mfe) {
                 System.err.println(mfe.getMessage());
             }
@@ -731,7 +731,10 @@
 
                                     try {
                                         URL fileURL = new URL("file://" + 
extractedJarLocation);
-                                        addURL(fileURL);
+                                        // there is no remote URL for this, so 
lets fake one
+                                        URL fakeRemote = new 
URL(jar.getLocation().toString() + "!" + je.getName());
+                                        
CachedJarFileCallback.getInstance().addMapping(fakeRemote, fileURL);
+                                        addURL(fakeRemote);
 
                                         SecurityDesc jarSecurity = 
file.getSecurity();
 
@@ -752,7 +755,7 @@
                                                     codebase.getHost());
                                         }
 
-                                        jarLocationSecurityMap.put(fileURL, 
jarSecurity);
+                                        jarLocationSecurityMap.put(fakeRemote, 
jarSecurity);
 
                                     } catch (MalformedURLException mfue) {
                                         if (JNLPRuntime.isDebug())
@@ -767,17 +770,21 @@
 
                         }
 
-                        addURL(location);
+                        addURL(jar.getLocation());
 
                         // there is currently no mechanism to cache files per
                         // instance.. so only index cached files
                         if (localFile != null) {
+                            
CachedJarFileCallback.getInstance().addMapping(jar.getLocation(), 
localFile.toURL());
+
                             JarFile jarFile = new 
JarFile(localFile.getAbsolutePath());
                             Manifest mf = jarFile.getManifest();
                             classpaths.addAll(getClassPathsFromManifest(mf, 
jar.getLocation().getPath()));
                             JarIndex index = JarIndex.getJarIndex(jarFile, 
null);
                             if (index != null)
                                 jarIndexes.add(index);
+                        } else {
+                            
CachedJarFileCallback.getInstance().addMapping(jar.getLocation(), 
jar.getLocation());
                         }
 
                         if (JNLPRuntime.isDebug())
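Review bot: The new `else` branch maps `jar.getLocation()` to itself when there is no local file, yet `CachedJarFileCallback.retrieve` in this same patch returns null for any mapped URL that is not a `file:` URL, so these jars now yield null from the callback instead of being left unmapped and fetched through `cacheJarFile` like an unknown URL. If the intent is to let URLJarFile download them, the self-mapping appears unnecessary; if the intent is to refuse to serve uncached remote jars, say so in a comment such as `// uncached: map to itself so the callback will not hand out a download`, because the two readings have different security consequences. `localFile.toURL()` is the deprecated form and only agrees with `retrieve`'s `localUrl.getPath()` because neither escapes the path, so a later switch to `toURI().toURL()` would need a matching decode on the other side. The enclosing method starts and ends outside this hunk.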
@@ -1098,11 +1105,9 @@
                 );
 
         URL remoteURL = desc.getLocation();
-
-        URL u = tracker.getCacheURL(remoteURL);
-        if (u != null) {
-            addURL(u);
-        }
+        URL cachedUrl = tracker.getCacheURL(remoteURL);
+        addURL(remoteURL);
+        CachedJarFileCallback.getInstance().addMapping(remoteURL, cachedUrl);
     }
 
     /**
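Review bot: The null guard the old code had on `tracker.getCacheURL(remoteURL)` is gone, and `cachedUrl` now goes straight into `addMapping`, which calls `mapping.put` on a `ConcurrentHashMap`; a null cache URL therefore throws `NullPointerException` from the map instead of being skipped as before. Keep the guard, e.g. `if (cachedUrl != null) { CachedJarFileCallback.getInstance().addMapping(remoteURL, cachedUrl); }`, and decide explicitly whether `addURL(remoteURL)` should still be called when no cached copy exists. The enclosing method starts outside this hunk.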
@@ -1295,7 +1300,7 @@
     /**
      * Returns the security descriptor for given code source URL
      *
-     * @param source The code source
+     * @param source the origin (remote) url of the code
      * @return The SecurityDescriptor for that source
      */
 
diff -r 910fb608062d netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java        Tue Jun 14 
13:29:12 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java        Thu Jul 14 
13:12:10 2011 -0400
@@ -35,6 +35,8 @@
 import javax.swing.UIManager;
 import javax.swing.text.html.parser.ParserDelegator;
 
+import sun.net.www.protocol.jar.URLJarFile;
+
 import net.sourceforge.jnlp.*;
 import net.sourceforge.jnlp.browser.BrowserAwareProxySelector;
 import net.sourceforge.jnlp.cache.*;
@@ -237,6 +239,8 @@
         Security.setProperty("package.access", 
                              
Security.getProperty("package.access")+",net.sourceforge.jnlp");
 
+        URLJarFile.setCallBack(CachedJarFileCallback.getInstance());
+
         initialized = true;
 
     }
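Review bot: `URLJarFile.setCallBack` installs a single process-wide hook on an internal `sun.net.www.protocol.jar` class, so after this line every `jar:` URL opened anywhere in the JVM, not only by netx, is routed through `CachedJarFileCallback.retrieve`, and the `sun.*` API carries no compatibility guarantee across JDK releases. A short comment would help the next maintainer, e.g. `// JVM-global hook: jar: URLs that netx has mapped resolve to their cached local copies (CVE-2011-2513); sun.* API, re-check on JDK upgrades`. Whether `initialize` can run twice and whether an earlier callback could be overwritten here is not visible in this hunk.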
diff -r 910fb608062d netx/net/sourceforge/jnlp/util/UrlUtils.java
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java      Thu Jul 14 13:12:10 
2011 -0400
@@ -0,0 +1,53 @@
+/* UrlUtils.java
+   Copyright (C) 2011 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING.  If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.util;
+
+import java.net.URL;
+
+public class UrlUtils {
+
+    public static boolean isLocalFile(URL url) {
+
+        if (url.getProtocol().equals("file") &&
+                (url.getAuthority() == null || url.getAuthority().equals("")) 
&&
+                (url.getHost() == null || url.getHost().equals(("")))) {
+            return true;
+        }
+        return false;
+    }
+}
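Review bot: `isLocalFile` has no Javadoc and spells a boolean as an `if … return true; return false` chain with stray double parentheses around `""`; the body can be the single expression `return "file".equals(url.getProtocol()) && (url.getAuthority() == null || url.getAuthority().isEmpty()) && (url.getHost() == null || url.getHost().isEmpty());`. Document the intent in a Javadoc above it: only `file:` URLs with neither an authority nor a host qualify, so forms like `file://host/path` are rejected. `String.isEmpty()` needs Java 6, which the `@Override` on an interface implementation elsewhere in this patch already assumes. `UrlUtils` is a static utility class and should get a private constructor.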
++++++ icedtea-web-1.1-CVE-2011-2514.patch ++++++
diff -r af1ed34483d1 netx/net/sourceforge/jnlp/services/XExtendedService.java
--- a/netx/net/sourceforge/jnlp/services/XExtendedService.java  Tue May 31 
12:00:01 2011 -0400
+++ b/netx/net/sourceforge/jnlp/services/XExtendedService.java  Wed Jun 01 
18:41:18 2011 -0400
@@ -34,10 +34,12 @@
 
     public FileContents openFile(File file) throws IOException {
 
+        File secureFile = new File(file.getPath());
+
         /* FIXME: this opens a file with read/write mode, not just read or 
write */
-        if (ServiceUtil.checkAccess(AccessType.READ_FILE, new Object[] { 
file.getAbsolutePath() })) {
+        if (ServiceUtil.checkAccess(AccessType.READ_FILE, new Object[] { 
secureFile.getAbsolutePath() })) {
             return (FileContents) 
ServiceUtil.createPrivilegedProxy(FileContents.class,
-                    new XFileContents(file));
+                    new XFileContents(secureFile));
         } else {
             return null;
         }
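Review bot: The defensive copy on the new `File secureFile` line carries no comment saying why it exists, so a later reader may "simplify" it back to `file`; add above it `// Copy into a plain java.io.File: a caller-supplied File subclass could report one path to checkAccess and another when opened, so one plain object must serve both.` The check still relies on what `file.getPath()` reports, which is acceptable only because `secureFile` is then used for both the access check and `XFileContents`. The second copy inside `XFileContents`'s constructor (next file in this patch) is redundant with this one but harmless. `openFile`'s closing brace is outside the hunk.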
diff -r af1ed34483d1 netx/net/sourceforge/jnlp/services/XFileContents.java
--- a/netx/net/sourceforge/jnlp/services/XFileContents.java     Tue May 31 
12:00:01 2011 -0400
+++ b/netx/net/sourceforge/jnlp/services/XFileContents.java     Wed Jun 01 
18:41:18 2011 -0400
@@ -34,7 +34,8 @@
      * Create a file contents implementation for the file.
      */
     protected XFileContents(File file) {
-        this.file = file;
+        // create a safe copy
+        this.file = new File(file.getPath());
     }
 
     /**

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

