Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-12-02 Thread Alain Rpnpif
From Gaute Amundsen :

Hi.

I don't have an email address I want posted on a public webpage, but I 
believe I have this problem in Ubuntu 14.04, with icedtea-plugin 
1.5.3-0ubuntu0.14.04.1.

I had some trouble downgrading OpenJDK 7 as suggested due to complex 
dependencies but I was able to "solve" the problem by instead adding 
"permission java.security.AllPermission;" to the default section 
/etc/java-7-openjdk/security/java.policy.

Perhaps one of you may want to add this to the bug report?

Regards
Gaute Amundsen



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-12-01 Thread Tiago Daitx
It turns out that applets are failing because the security update in
S8155973 restricted MD5-based signatures in JAR files. It was
eventually backed out by S8166381 but that one didn't make it to the
update.

One easy way to fix is to edit
/etc/java-7-openjdk/security/java.security and remove MD5 from the
list of "jdk.jar.disabledAlgorithms". By default this is a new setting
and should be the last line, just make sure it looks like:

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024



For future reference, one can see when an applet is being affected by
looking for the following log line:
Codebase matches codebase manifest attribute, but application is
unsigned. Continuing.
The browser must be run with icedtea plugin debug enabled as in
"ICEDTEAPLUGIN_DEBUG=true firefox".

Also, please be aware that Oracle is planning to reintroduce the MD5
signature restriction back in January, see section "Restrict JARs
signed with weak algorithms and keys" in
http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

-thanks
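
As an added example (not part of the original thread and not IcedTea or OpenJDK code), the sketch below checks whether a signed JAR uses a digest that a given jdk.jar.disabledAlgorithms line rejects, so affected applets can be identified and re-signed. The function names, the sample JAR and RESTRICTED_SETTING are constructed for illustration; PAGE_SETTING is the line quoted in the message above. Only the digest attribute names in MANIFEST.MF and *.SF are read, not the signature block.

```python
import io
import re
import zipfile

# Attribute names such as "MD5-Digest:" or "SHA-256-Digest-Manifest:".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?:", re.M)

def disabled_jar_algorithms(java_security_text):
    """Entries of jdk.jar.disabledAlgorithms; the last definition wins."""
    joined = re.sub(r"\\\r?\n\s*", "", java_security_text)  # backslash continuations
    entries = []
    for line in joined.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "jdk.jar.disabledAlgorithms":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def jar_digest_algorithms(jar_bytes):
    """Digest names used by a signed JAR's MANIFEST.MF and *.SF entries."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        meta = [n for n in jar.namelist() if n.upper().startswith("META-INF/")]
        if not any(n.upper().endswith(".SF") for n in meta):
            return found  # unsigned JAR: nothing for the restriction to reject
        for name in meta:
            if name.upper().endswith((".SF", "/MANIFEST.MF")):
                text = jar.read(name).decode("utf-8", "replace")
                found.update(m.group(1).upper() for m in DIGEST_ATTR.finditer(text))
    return found

def blocked_digests(jar_bytes, disabled_entries):
    """Digests in the JAR that the disabledAlgorithms entries reject."""
    names = {e.split()[0].upper() for e in disabled_entries}
    return jar_digest_algorithms(jar_bytes) & names

def make_sample_jar():
    """Constructed sample: a JAR whose signature files use MD5 digests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\n\nName: A.class\nMD5-Digest: AAAA\n")
        jar.writestr("META-INF/SIGNER.SF",
                     "Signature-Version: 1.0\nMD5-Digest-Manifest: BBBB\n\n"
                     "Name: A.class\nMD5-Digest: CCCC\n")
    return buf.getvalue()

# Constructed: a list that still contains MD5. PAGE_SETTING is the thread's line.
RESTRICTED_SETTING = "jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024"
PAGE_SETTING = "jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024"
```
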



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-11-16 Thread Tiago Daitx
While icedtea-web 1.6.2 does fix a few bugs, this is not one of those.

Alain did reply to me in private saying that he was still seeing the
issue with the new icedtea-web and that downgrading to 7u111-2.6.7-1
got applets working again. So this is definitely a regression. Alain
also pointed me to a page with good applets to test this, the "Simple
upload" applet fails to run on the affected version:
http://demo.element-it.com/Examples/JavaPowUpload/index.htm

Meanwhile a new IcedTea release was out on experimental
(7u121-2.6.8-1), I tested it and I can confirm there is no regression
in it. It might take a while for a backport to show up, if you are
affected by this I recommend downgrading OpenJDK 7 as a workaround.


For future reference the actual error for the "Simple upload" applet is:

java.security.AccessControlException: access denied
("java.util.PropertyPermission" "java.net.preferIPv4Stack" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:685)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:292)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1298)
at java.lang.System.getProperty(System.java:708)
at com.elementit.JavaPowUpload.Manager.init(Unknown Source)
at sun.applet.AppletPanel.run(AppletPanel.java:436)
at sun.applet.AppletViewerPanelAccess.run(AppletViewerPanelAccess.java:90)
at java.lang.Thread.run(Thread.java:745)

java.security.AccessControlException: access denied
("java.util.PropertyPermission" "java.net.preferIPv4Stack" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:685)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:292)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1298)
at java.lang.System.getProperty(System.java:708)
at com.elementit.JavaPowUpload.Manager.init(Unknown Source)
at sun.applet.AppletPanel.run(AppletPanel.java:436)
at sun.applet.AppletViewerPanelAccess.run(AppletViewerPanelAccess.java:90)
at java.lang.Thread.run(Thread.java:745)



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-11-10 Thread Tiago Daitx
Hi Alain,

Please try out the deb files @
https://keybase.pub/tdaitx/icedtea-web-1.6.2/ and let me know if they
do solve the problem.

If they don't, I would need you to point me to a public online applet
that was known to work on the older openjdk version and is now failing
on the new one, otherwise I'm stuck as I have no way to reproduce the
issue.

-thanks



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-11-10 Thread Alain Rpnpif
On 9 November 2016, Tiago Daitx wrote:

> I found a similar bug report at
> https://bugzilla.redhat.com/show_bug.cgi?id=1299976 (it's for a
> different function), but the solution was to upgrade icedtea-web. I
> built icedtea-web 1.6.2 for jessie and was able to get it working. Let
> me know if you are willing to try it locally and see if it also fixes
> your lexmark scanner client - I can then provide you with the deb
> files for testing.

Yes, I could try the 1.6.2 release backported to Jessie, hoping that it
fixes this issue.

Thank you for your help.

-- 
Alain Rpnpif



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-11-09 Thread Tiago Daitx
On Wed, Nov 9, 2016 at 4:30 PM, Alain Rpnpif wrote:
> Thanks for your answer.
> Yes the applet on
> https://www.w3.org/People/mimasa/test/object/java/clock work fine but
> with a lot of popup dialog to accept.
>
> I have also always errors when I used my Lexmark network printer
> scanner.
> I can control remotely the scanner but it claims that it was
> disconnected when it should upload the picture file to the client. So it
> is unusable with this openjdk.
>
> Before that openjdk was updated, all work fine.
>
> Is it a new permission problem ?
>
> On the local computer, here are the errors from syslog with the
> scanner :
>
> IcedTea-Web java error - for more info see itweb-settings debug options
> or console. See
> http://icedtea.classpath.org/wiki/IcedTea-Web#Filing_bugs for help.
> IcedTea-Web java error manual log: java.io.IOException: Server returned
> HTTP response code: 501 for URL:
> http://192.168.1.201/cgi-bin/dynamic/printer/applets/applets.jar at

This indicates that the HTTP request failed on the server side, but
there's not enough information to understand why and I am unable to
reproduce it as I have no such scanner.

I need something that I can reproduce locally, could you please test a
publicly available applet that was known to work on the older openjdk
version and is now failing on the new one?


Also, I took another look at the default java applet test at
https://www.java.com/en/download/installed.jsp because it worked fine
from a newer distro running OpenJDK 8. The actual error was a
NullPointerException at
SecurityDialogs.showMatchingALACAttributePanel, as shown below:

[tdaitx][ITW-JAVAWS][ERROR_DEBUG][Wed Nov 09 17:11:40 BRST 2016][net.sourceforge.jnlp.AbstractLaunchHandler.printMessage(AbstractLaunchHandler.java:67)] NETX Thread# 55b76aab, name Java Detection
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize applet. For more information click "more information button".
at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:739)
at net.sourceforge.jnlp.Launcher.launchApplet(Launcher.java:640)
at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:907)
Caused by: java.lang.NullPointerException
at net.sourceforge.jnlp.security.SecurityDialogs.showMatchingALACAttributePanel(SecurityDialogs.java:299)
at net.sourceforge.jnlp.runtime.ManifestAttributesChecker.checkApplicationLibraryAllowableCodebaseAttribute(ManifestAttributesChecker.java:341)
at net.sourceforge.jnlp.runtime.ManifestAttributesChecker.checkAll(ManifestAttributesChecker.java:83)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.<init>(JNLPClassLoader.java:288)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:351)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:418)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:394)
at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:704)
... 2 more


I found a similar bug report at
https://bugzilla.redhat.com/show_bug.cgi?id=1299976 (it's for a
different function), but the solution was to upgrade icedtea-web. I
built icedtea-web 1.6.2 for jessie and was able to get it working. Let
me know if you are willing to try it locally and see if it also fixes
your lexmark scanner client - I can then provide you with the deb
files for testing.

thanks



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-11-09 Thread Alain Rpnpif
Thanks for your answer.
Yes, the applet on
https://www.w3.org/People/mimasa/test/object/java/clock works fine but
with a lot of popup dialogs to accept.

I also always get errors when I use my Lexmark network printer
scanner.
I can control the scanner remotely but it claims that it was
disconnected when it should upload the picture file to the client. So it
is unusable with this openjdk.

Before openjdk was updated, everything worked fine.

Is it a new permission problem?

On the local computer, here are the errors from syslog with the
scanner :

IcedTea-Web java error - for more info see itweb-settings debug options or console. See http://icedtea.classpath.org/wiki/IcedTea-Web#Filing_bugs for help.
IcedTea-Web java error manual log: java.io.IOException: Server returned HTTP response code: 501 for URL: http://192.168.1.201/cgi-bin/dynamic/printer/applets/applets.jar
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at sun.net.www.protocol.http.HttpURLConnection$7.run(HttpURLConnection.java:1719)
at sun.net.www.protocol.http.HttpURLConnection$7.run(HttpURLConnection.java:1717)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1715)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1285)
at net.sourceforge.jnlp.util.HttpUtils.consumeAndCloseConnection(HttpUtils.java:66)
at net.sourceforge.jnlp.util.HttpUtils.consumeAndCloseConnectionSilently(HttpUtils.java:52)
at net.sourceforge.jnlp.cache.ResourceTracker.getUrlResponseCodeWithRedirectonResult(ResourceTracker.java:907)
at net.sourceforge.jnlp.cache.ResourceTracker.findBestUrl(ResourceTracker.java:955)
at net.sourceforge.jnlp.cache.ResourceTracker.initializeResource(ResourceTracker.java:787)
at net.sourceforge.jnlp.cache.ResourceTracker.processResource(ResourceTracker.java:614)
at net.sourceforge.jnlp.cache.ResourceTracker.access$600(ResourceTracker.java:81)
at net.sourceforge.jnlp.cache.ResourceTracker$Downloader$1.run(ResourceTracker.java:1235)
at net.sourceforge.jnlp.cache.ResourceTracker$Downloader$1.run(ResourceTracker.java:1233)
at java.security.AccessController.doPrivileged(Native Method)
at net.sourceforge.jnlp.cache.ResourceTracker$Downloader.run(ResourceTracker.java:1233)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Server returned HTTP response code: 501 for URL: http://192.168.1.201/cgi-bin/dynamic/printer/applets/applets.jar
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1670)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at net.sourceforge.jnlp.cache.ResourceTracker.getUrlResponseCodeWithRedirectonResult(ResourceTracker.java:903)
... 9 more
IcedTea-Web java error - for more info see itweb-settings debug options or console. See http://icedtea.classpath.org/wiki/IcedTea-Web#Filing_bugs for help.
IcedTea-Web java error manual log: This application does not specify a Codebase in its manifest. Please verify with the applet's vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.

Regards.

-- 
Alain Rpnpif



Bug#843784: [Openjdk] Bug#843784: openjdk-7-jre: After last security update, icedtea-plugin fails all applets

2016-11-09 Thread Tiago Daitx
On Wed, Nov 9, 2016 at 1:26 PM, rpnpif wrote:
> Package: openjdk-7-jre
> Version: 7u111-2.6.7-2~deb8u1
> Severity: normal
>
> Dear Maintainer,
>
> After the last security update, now java is unusable in Firefox with
> icedtea-7-plugin on all applets.

I was unable to reproduce this.

> On https://www.java.com/en/download/installed.jsp, an exception occurs :
>
> IcedTea-Web Plugin version: 1.5.3 (1.5.3-1)
> Wed Nov 09 16:16:49 CET 2016

Yes, this particular test fails, but the actual error is:
[tdaitx][ITW-APPLET][ERROR_ALL][Wed Nov 09 17:32:09 UTC
2016][net.sourceforge.jnlp.runtime.JNLPClassLoader.checkForMain(JNLPClassLoader.java:835)]
NETX Thread# 673fcb2c, name Applet: JAR
https://www.java.com/en/download/JavaDetection.jar not found.
Continuing.

or from the terminal console:
java.io.FileNotFoundException:
https://www.java.com/en/download/JavaDetection.jar

And indeed that jar file is not available at that location, so no
wonder that applet won't work.

I could get other applets to work on Jessie with IceWeasel, eg:
https://www.w3.org/People/mimasa/test/object/java/clock

-thanks