changeset 380:34b6f60ae586

Fixed CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
author Jiri Vanek <jvanek@redhat.com>
date Thu, 11 Apr 2013 12:22:24 +0200
parents 45a5c6e2e368
children 89bbadb66b07
files ChangeLog NEWS netx/net/sourceforge/jnlp/NetxPanel.java
diffstat 3 files changed, 9 insertions(+), 6 deletions(-)
--- a/ChangeLog	Wed Apr 10 18:31:18 2013 +0200
+++ b/ChangeLog	Thu Apr 11 12:22:24 2013 +0200
@@ -1,3 +1,10 @@
+2013-04-11 Adam Domurad  <adomurad@redhat.com>
+
+	CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with
+	same relative-path.
+	* netx/net/sourceforge/jnlp/NetxPanel.java: (NetxPanel) Construct
+	unique-key with absolute path
+
 2013-04-10  Jiri Vanek <jvanek@redhat.com>
 
 	Fixed gifar vulnereability with automated testcase
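Review bot: The new entry header on the 2013-04-11 line has one space after the date and two before the e-mail address, while the existing 2013-04-10 entry below it has two spaces after the date and one before the address; match the existing spacing. The previous entry records an automated testcase and this one lists only NetxPanel.java, so consider adding a regression test in which two applets share a relative codebase that resolves to different absolute URLs, and listing it here.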
--- a/NEWS	Wed Apr 10 18:31:18 2013 +0200
+++ b/NEWS	Thu Apr 11 12:22:24 2013 +0200
@@ -11,6 +11,7 @@
 New in release 1.2.3 (2013-04-17):
 * Security Updates
   - CVE-2013-1927, RH884705 - fixed gifar vulnerability
+  - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
 * Common
   - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
 * Plugin
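Review bot: The added CVE-2013-1926 line uses a colon after the bug id and ends with a period, whereas the CVE-2013-1927 entry directly above it uses " - " and has no trailing period; use the same separator and punctuation so the Security Updates list stays consistent.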
--- a/netx/net/sourceforge/jnlp/NetxPanel.java	Wed Apr 10 18:31:18 2013 +0200
+++ b/netx/net/sourceforge/jnlp/NetxPanel.java	Thu Apr 11 12:22:24 2013 +0200
@@ -77,11 +77,6 @@
          * bad tag cannot trick the loader into getting shared with another.
          */
 
-        // Firefox sometimes skips the codebase if it is default  -- ".", 
-        // so set it that way if absent
-        String codebaseAttr =      atts.get("codebase") != null ?
-                                   atts.get("codebase") : ".";
-
         String cache_archiveAttr = atts.get("cache_archive") != null ? 
                                    atts.get("cache_archive") : "";
 
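Review bot: Removing the codebaseAttr fallback also removes the only comment recording that Firefox may omit the codebase attribute when it is the default ".". Nothing in the visible lines says how an absent attribute is handled after this change, so add a short comment at the uKey construction stating that getCodeBase() is relied on to resolve a missing or relative codebase to an absolute URL.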
@@ -91,7 +86,7 @@
         String archiveAttr =       atts.get("archive") != null ? 
                                    atts.get("archive") : "";
 
-        this.uKey = "codebase=" + codebaseAttr +
+        this.uKey = "codebase=" + getCodeBase().toExternalForm() +
                     "cache_archive=" + cache_archiveAttr + 
                     "java_archive=" + java_archiveAttr + 
                     "archive=" +  archiveAttr;
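Review bot: getCodeBase().toExternalForm() on the new uKey line is dereferenced with no null check, and the ChangeLog places this code in the NetxPanel constructor, so confirm that getCodeBase() is already usable at this point and cannot return null, or guard the call. Separately, the four fields are still concatenated with no delimiter between one value and the next field name, which leaves the field boundaries inside uKey ambiguous; delimiting or length-prefixing each value would make the key unambiguous.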