Hello community,
here is the log from the commit of package icedtea-web for openSUSE:11.4
checked in at Thu Jul 21 20:30:23 CEST 2011.
--------
--- old-versions/11.4/UPDATES/all/icedtea-web/icedtea-web.changes 2011-07-01 23:08:33.000000000 +0200
+++ 11.4/icedtea-web/icedtea-web.changes 2011-07-20 15:19:15.000000000 +0200
@@ -1,0 +2,17 @@
+Wed Jul 20 13:18:38 UTC 2011 - mvyskocil@suse.cz
+
+- fix bnc#704309 - VUL-0: icedtea/icedtea-web two issues
+ * CVE-2011-2513
+ * CVE-2011-2514
+- use --with-java instead of patching of launchers as
+ suggested by upstream
+
+-------------------------------------------------------------------
+Fri Jul 8 08:03:40 UTC 2011 - mvyskocil@suse.cz
+
+- fix bnc#704419 - Use correct path in IcedteaPlugin.so
+ * allow plugin usage without -devel package installed
+ * fix lanchers location from JAVA to JRE
+ * icedtea-1.1-use-jre-in-launchers.patch
+
+-------------------------------------------------------------------
@@ -4 +21 @@
-- fix bnc#702825 - IcedTeaPlugin.so gives undefined symbol
+- fic bnx#702825 - IcedTeaPlugin.so gives undefined symbol
calling whatdependson for 11.4-i586
New:
----
icedtea-web-1.1-CVE-2011-2513.patch
icedtea-web-1.1-CVE-2011-2514.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ icedtea-web.spec ++++++
--- /var/tmp/diff_new_pack.a9wR99/_old 2011-07-21 20:29:38.000000000 +0200
+++ /var/tmp/diff_new_pack.a9wR99/_new 2011-07-21 20:29:38.000000000 +0200
@@ -44,28 +44,26 @@
%define pluginsdir %{_libdir}/browser-plugins
%define jredir jre-%{javaver}-openjdk
-%define sdkdir java-%{javaver}-openjdk
+%define sdkdir java-%{javaver}-openjdk-%{javaver}
%define pluginpath %{_libdir}
%define pluginname IcedTeaPlugin.so
-%define suse_insert_debug_package ERROR %{suse_insert_debug_package}
-
Name: icedtea-web
Version: 1.1
-Release: 0.<RELEASE4>
+Release: 0.<RELEASE6>
Summary: Java Web Start and plugin implementation
Group: Development/Languages/Java
License: GPLv2 ; - with the OpenJDK Assembly Exception and the GNU Classpath Exception
Url: http://icedtea.classpath.org
-# hg clone http://icedtea.classpath.org/hg/release/icedtea-web-1.1/
-# (cd icedtea-web-1.1; ./autogen.sh)
-# tar --exclude-vcs -czf icedtea-web-1.1.tar.gz icedtea-web-1.1/
Source0: http://icedtea.classpath.org/download/source/%{name}-%{version}.tar.gz
Patch0: icedtea-web-1.0.2-no-return-in-nonvoid-function.patch
#PATCH-FIX-UPSTREAM:
# https://bugzilla.mozilla.org/show_bug.cgi?id=582130
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=622
Patch1: icedtea-web-1.1-moonlight-symbol-clash.patch
+#PATCH-FIX-UPSTREAM: bnc#704309
+Patch2: icedtea-web-1.1-CVE-2011-2513.patch
+Patch3: icedtea-web-1.1-CVE-2011-2514.patch
Patch1000: icedtea-web-suse-desktop-files.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: java-1_6_0-openjdk-devel
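Review bot: The `#PATCH-FIX-UPSTREAM: bnc#704309` tag only annotates `Patch2`; `Patch3` follows with no tag, and neither names the CVE the patch fixes although the changelog does. Give each patch its own line so the spec is self-describing: `# PATCH-FIX-UPSTREAM bnc#704309 CVE-2011-2513` before `Patch2:` and `# PATCH-FIX-UPSTREAM bnc#704309 CVE-2011-2514` before `Patch3:`. The three `# hg clone ... tar` lines describing how `Source0` was produced are removed without replacement; if the tarball is now the upstream release archive, a comment saying so would keep the provenance documented.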
@@ -117,12 +115,16 @@
%setup -q
%patch0 -p1
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%patch1000 -p1
%build
+#XXX: This disallows usage of openjdk 7
%{configure} \
--with-jdk-home=%{_jvmdir}/%{sdkdir} \
+ --with-java=%{jvmdir}/%{jredir}/bin/java \
--docdir=%{_javadocdir}/%{name} \
--with-pkgversion=suse-%{release}-%{_arch}
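Review bot: The new `--with-java=%{jvmdir}/%{jredir}/bin/java` uses `%{jvmdir}`, while the line above uses `%{_jvmdir}`; unless `jvmdir` is defined elsewhere in the spec, rpm leaves the unknown macro unexpanded and configure receives a literal `%{jvmdir}/...` path, so the launchers would point at a java binary that does not exist. The line should read `--with-java=%{_jvmdir}/%{jredir}/bin/java \`. The `#XXX: This disallows usage of openjdk 7` comment would be more useful if it said what does the disallowing (presumably the hard-coded `%{sdkdir}`/`%{jredir}` macros) so a later packager knows what to change.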
++++++ icedtea-web-1.1-CVE-2011-2513.patch ++++++
diff -r 910fb608062d netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java Thu Jul 14 13:12:10 2011 -0400
@@ -0,0 +1,157 @@
+/* CachedJarFileCallback.java
+ Copyright (C) 2011 Red Hat, Inc.
+ Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.runtime;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.jar.JarFile;
+
+import net.sourceforge.jnlp.util.UrlUtils;
+
+import sun.net.www.protocol.jar.URLJarFile;
+import sun.net.www.protocol.jar.URLJarFileCallBack;
+
+/**
+ * Invoked by URLJarFile to get a JarFile corresponding to a URL.
+ *
+ * Large parts of this class are based on JarFileFactory and URLJarFile.
+ */
+final class CachedJarFileCallback implements URLJarFileCallBack {
+
+ private static final CachedJarFileCallback INSTANCE = new CachedJarFileCallback();
+
+ public synchronized static CachedJarFileCallback getInstance() {
+ return INSTANCE;
+ }
+
+ /* our managed cache */
+ private final Map mapping;
+
+ private CachedJarFileCallback() {
+ mapping = new ConcurrentHashMap();
+ }
+
+ protected void addMapping(URL remoteUrl, URL localUrl) {
+ mapping.put(remoteUrl, localUrl);
+ }
+
+ @Override
+ public JarFile retrieve(URL url) throws IOException {
+ URL localUrl = mapping.get(url);
+
+ if (localUrl == null) {
+ /*
+ * If the jar url is not known, treat it as it would be treated in
+ * general by URLJarFile.
+ */
+ return cacheJarFile(url);
+ }
+
+ if (UrlUtils.isLocalFile(localUrl)) {
+ // if it is known to us, just return the cached file
+ return new JarFile(localUrl.getPath());
+ } else {
+ // throw new IllegalStateException("a non-local file in cache");
+ return null;
+ }
+
+ }
+
+ /*
+ * This method is a copy of URLJarFile.retrieve() without the callback check.
+ */
+ private JarFile cacheJarFile(URL url) throws IOException {
+ JarFile result = null;
+
+ final int BUF_SIZE = 2048;
+
+ /* get the stream before asserting privileges */
+ final InputStream in = url.openConnection().getInputStream();
+
+ try {
+ result =
+ AccessController.doPrivileged(new PrivilegedExceptionAction<JarFile>() {
+ @Override
+ public JarFile run() throws IOException {
+ OutputStream out = null;
+ File tmpFile = null;
+ try {
+ tmpFile = File.createTempFile("jar_cache", null);
+ tmpFile.deleteOnExit();
+ out = new FileOutputStream(tmpFile);
+ int read = 0;
+ byte[] buf = new byte[BUF_SIZE];
+ while ((read = in.read(buf)) != -1) {
+ out.write(buf, 0, read);
+ }
+ out.close();
+ out = null;
+ return new URLJarFile(tmpFile, null);
+ } catch (IOException e) {
+ if (tmpFile != null) {
+ tmpFile.delete();
+ }
+ throw e;
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+ if (out != null) {
+ out.close();
+ }
+ }
+ }
+ });
+ } catch (PrivilegedActionException pae) {
+ throw (IOException) pae.getException();
+ }
+
+ return result;
+ }
+
+}
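Review bot: `mapping` is keyed by `java.net.URL` (`mapping.put(remoteUrl, localUrl)` / `mapping.get(url)`), and `URL.equals`/`hashCode` resolve the host name, so every `retrieve` lookup can block on DNS and two distinct host names that resolve to the same address compare equal, meaning the local copy cached for one host's jar can be handed back for another host's jar. Keying by the external form avoids both: `private final Map<String, URL> mapping;`, `mapping.put(remoteUrl.toExternalForm(), localUrl);` and `URL localUrl = mapping.get(url.toExternalForm());` (as rendered here the map is a raw `Map`, which would not compile with the unchecked assignment in `retrieve`; if the type arguments were lost in rendering, only the key type changes). The `else` branch of `retrieve` returns null for a mapped URL that is not a local file, so whatever opens the jar presumably fails later with a NullPointerException instead of an IOException naming the URL; `throw new IOException("no local copy for " + url);` would make that failure diagnosable. `getInstance()` is `synchronized` for no reason, since `INSTANCE` is a static final initialised at class load.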
diff -r 910fb608062d netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Jun 14 13:29:12 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu Jul 14 13:12:10 2011 -0400
@@ -147,7 +147,7 @@
/** File entries in the jar files available to this classloader */
private TreeSet<String> jarEntries = new TreeSet<String>();
- /** Map of specific codesources to securitydesc */
+ /** Map of specific original (remote) CodeSource Urls to securitydesc */
private HashMap jarLocationSecurityMap =
new HashMap();
@@ -509,7 +509,7 @@
}
}
- jarLocationSecurityMap.put(location, jarSecurity);
+ jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
} catch (MalformedURLException mfe) {
System.err.println(mfe.getMessage());
}
@@ -731,7 +731,10 @@
try {
URL fileURL = new URL("file://" + extractedJarLocation);
- addURL(fileURL);
+ // there is no remote URL for this, so lets fake one
+ URL fakeRemote = new URL(jar.getLocation().toString() + "!" + je.getName());
+ CachedJarFileCallback.getInstance().addMapping(fakeRemote, fileURL);
+ addURL(fakeRemote);
SecurityDesc jarSecurity = file.getSecurity();
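Review bot: The synthetic key `new URL(jar.getLocation().toString() + "!" + je.getName())` is a contract with `CachedJarFileCallback`: it becomes the CodeSource URL for classes from the nested jar and must come back unchanged from `URLJarFile` for `retrieve` to find `fileURL`, and on a miss `retrieve` falls through to fetching that URL from the network, a resource the server is unlikely to have. The comment `// there is no remote URL for this, so lets fake one` should state that: `// Synthetic remote URL for a nested jar: <outer jar location>!<entry name>. It is the CodeSource URL for the entry's classes and the key CachedJarFileCallback maps to fileURL, so it must round-trip unchanged through URLJarFile.` Entry names containing `#`, `?` or `!/` may not survive `new URL(String)` and the jar-URL parser unchanged, so such names should be rejected or escaped before the key is built. The same key is reused for `jarLocationSecurityMap.put(fakeRemote, jarSecurity)` in the next hunk, and the enclosing method starts and ends outside this one.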
@@ -752,7 +755,7 @@
codebase.getHost());
}
- jarLocationSecurityMap.put(fileURL, jarSecurity);
+ jarLocationSecurityMap.put(fakeRemote, jarSecurity);
} catch (MalformedURLException mfue) {
if (JNLPRuntime.isDebug())
@@ -767,17 +770,21 @@
}
- addURL(location);
+ addURL(jar.getLocation());
// there is currently no mechanism to cache files per
// instance.. so only index cached files
if (localFile != null) {
+ CachedJarFileCallback.getInstance().addMapping(jar.getLocation(), localFile.toURL());
+
JarFile jarFile = new JarFile(localFile.getAbsolutePath());
Manifest mf = jarFile.getManifest();
classpaths.addAll(getClassPathsFromManifest(mf, jar.getLocation().getPath()));
JarIndex index = JarIndex.getJarIndex(jarFile, null);
if (index != null)
jarIndexes.add(index);
+ } else {
+ CachedJarFileCallback.getInstance().addMapping(jar.getLocation(), jar.getLocation());
}
if (JNLPRuntime.isDebug())
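Review bot: `localFile.toURL()` in the new `addMapping` call is the deprecated `File.toURL()`, which does not escape characters that are illegal in a URL: a cache path containing `#` yields a URL whose `getPath()` — what `CachedJarFileCallback.retrieve` passes to `new JarFile` — stops before the `#`, so a wrong or non-existent file is opened. The consistent fix is `localFile.toURI().toURL()` here together with `new JarFile(new File(localUrl.toURI()))` in `retrieve`, since `getPath()` on a `toURI()`-derived URL is percent-encoded. The `else` branch maps the remote location to itself, and `retrieve` returns null for a mapped URL that is not a local file, so a jar with no cached copy would presumably yield a null `JarFile` rather than the download fallback; a comment stating whether that is intended would help, e.g. `// no cached copy: map the location to itself so retrieve() does not treat it as unknown`. The enclosing method starts and ends outside this hunk.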
@@ -1098,11 +1105,9 @@
);
URL remoteURL = desc.getLocation();
-
- URL u = tracker.getCacheURL(remoteURL);
- if (u != null) {
- addURL(u);
- }
+ URL cachedUrl = tracker.getCacheURL(remoteURL);
+ addURL(remoteURL);
+ CachedJarFileCallback.getInstance().addMapping(remoteURL, cachedUrl);
}
/**
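Review bot: The old `if (u != null)` guard is dropped, but `cachedUrl` from `tracker.getCacheURL(remoteURL)` now goes straight into `addMapping`, which stores it in a `ConcurrentHashMap`; that map rejects null values, so a resource with no cache entry (which the removed check implies can happen) turns into a NullPointerException where it was previously skipped. Keep the guard around the mapping only, `if (cachedUrl != null) { CachedJarFileCallback.getInstance().addMapping(remoteURL, cachedUrl); }`, or map `remoteURL` to itself as the other call site in this file does, and note in a comment which is intended. `addURL(remoteURL)` being unconditional appears to be the point of the fix and should stay. The enclosing method starts and ends outside this hunk.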
@@ -1295,7 +1300,7 @@
/**
* Returns the security descriptor for given code source URL
*
- * @param source The code source
+ * @param source the origin (remote) url of the code
* @return The SecurityDescriptor for that source
*/
diff -r 910fb608062d netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Tue Jun 14 13:29:12 2011 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Jul 14 13:12:10 2011 -0400
@@ -35,6 +35,8 @@
import javax.swing.UIManager;
import javax.swing.text.html.parser.ParserDelegator;
+import sun.net.www.protocol.jar.URLJarFile;
+
import net.sourceforge.jnlp.*;
import net.sourceforge.jnlp.browser.BrowserAwareProxySelector;
import net.sourceforge.jnlp.cache.*;
@@ -237,6 +239,8 @@
Security.setProperty("package.access",
Security.getProperty("package.access")+",net.sourceforge.jnlp");
+ URLJarFile.setCallBack(CachedJarFileCallback.getInstance());
+
initialized = true;
}
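Review bot: `URLJarFile.setCallBack(CachedJarFileCallback.getInstance())` sets a JVM-wide static on an internal `sun.net.www.protocol.jar` class with no comment: it replaces whatever callback another component in the same VM may have installed, and the API is not a supported public interface, so a JDK update can break it. Record both next to the call: `// JVM-global hook (internal sun.* API, no compatibility guarantee): every non-file jar: URL opened in this VM now goes through CachedJarFileCallback; replaces any previously installed callback.` The enclosing method starts and ends outside this hunk.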
diff -r 910fb608062d netx/net/sourceforge/jnlp/util/UrlUtils.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java Thu Jul 14 13:12:10 2011 -0400
@@ -0,0 +1,53 @@
+/* UrlUtils.java
+ Copyright (C) 2011 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.util;
+
+import java.net.URL;
+
+public class UrlUtils {
+
+ public static boolean isLocalFile(URL url) {
+
+ if (url.getProtocol().equals("file") &&
+ (url.getAuthority() == null || url.getAuthority().equals("")) &&
+ (url.getHost() == null || url.getHost().equals(("")))) {
+ return true;
+ }
+ return false;
+ }
+}
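Review bot: `isLocalFile` returns a boolean through `if (...) return true; return false;` and has doubled parentheses in `equals((""))`; returning the condition directly reads better: `return "file".equals(url.getProtocol()) && (url.getAuthority() == null || url.getAuthority().isEmpty()) && (url.getHost() == null || url.getHost().isEmpty());`. The class is a utility holder, so it should be `final` with a private constructor. The method also needs a Javadoc saying what "local" means here — a `file:` URL with neither authority nor host, the only form `CachedJarFileCallback.retrieve` passes to `new JarFile(localUrl.getPath())` — and that a null `url` throws NullPointerException from `getProtocol()`.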
++++++ icedtea-web-1.1-CVE-2011-2514.patch ++++++
diff -r af1ed34483d1 netx/net/sourceforge/jnlp/services/XExtendedService.java
--- a/netx/net/sourceforge/jnlp/services/XExtendedService.java Tue May 31 12:00:01 2011 -0400
+++ b/netx/net/sourceforge/jnlp/services/XExtendedService.java Wed Jun 01 18:41:18 2011 -0400
@@ -34,10 +34,12 @@
public FileContents openFile(File file) throws IOException {
+ File secureFile = new File(file.getPath());
+
/* FIXME: this opens a file with read/write mode, not just read or write */
- if (ServiceUtil.checkAccess(AccessType.READ_FILE, new Object[] { file.getAbsolutePath() })) {
+ if (ServiceUtil.checkAccess(AccessType.READ_FILE, new Object[] { secureFile.getAbsolutePath() })) {
return (FileContents) ServiceUtil.createPrivilegedProxy(FileContents.class,
- new XFileContents(file));
+ new XFileContents(secureFile));
} else {
return null;
}
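Review bot: The copy `File secureFile = new File(file.getPath());` is the entire fix but carries no comment, and the parallel copy in `XFileContents` says only `// create a safe copy`; the reason belongs next to the code: `// Copy into a plain java.io.File: a caller-supplied File subclass could return one path to the access check and another when the file is opened, so both the check and XFileContents use this copy.` With both copies present the one in `XFileContents` is redundant for this call path but harmless as defence in depth, and its comment should say that is why it stays. The `FIXME` about read/write mode is untouched by this change. The enclosing method ends outside this hunk.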
diff -r af1ed34483d1 netx/net/sourceforge/jnlp/services/XFileContents.java
--- a/netx/net/sourceforge/jnlp/services/XFileContents.java Tue May 31 12:00:01 2011 -0400
+++ b/netx/net/sourceforge/jnlp/services/XFileContents.java Wed Jun 01 18:41:18 2011 -0400
@@ -34,7 +34,8 @@
* Create a file contents implementation for the file.
*/
protected XFileContents(File file) {
- this.file = file;
+ // create a safe copy
+ this.file = new File(file.getPath());
}
/**
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++