Mercurial > hg > release > icedtea-web-1.3
changeset 513:25dd7c7ac39c
Fixed CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
author | Jiri Vanek <jvanek@redhat.com> |
---|---|
date | Thu, 11 Apr 2013 12:29:47 +0200 |
parents | c8544250d5b2 |
children | 88fb945c9397 |
files | ChangeLog NEWS netx/net/sourceforge/jnlp/NetxPanel.java |
diffstat | 3 files changed, 10 insertions(+), 7 deletions(-) |
--- a/ChangeLog Wed Apr 10 18:31:56 2013 +0200 +++ b/ChangeLog Thu Apr 11 12:29:47 2013 +0200 @@ -1,3 +1,10 @@ +2013-04-11 Adam Domurad <adomurad@redhat.com> + + CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with + same relative-path. + * netx/net/sourceforge/jnlp/NetxPanel.java: (NetxPanel) Construct + unique-key with absolute path + 2013-04-10 Jiri Vanek <jvanek@redhat.com> Fixed gifar vulnereability with automated testcase
--- a/NEWS Wed Apr 10 18:31:56 2013 +0200 +++ b/NEWS Thu Apr 11 12:29:47 2013 +0200 @@ -10,7 +10,8 @@ New in release 1.3.2 (2013-04-17): * Security Updates - - CVE-2013-1927, RH884705 - fixed gifar vulnerability + - CVE-2013-1927, RH884705: fixed gifar vulnerability + - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. * Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. * Plugin
--- a/netx/net/sourceforge/jnlp/NetxPanel.java Wed Apr 10 18:31:56 2013 +0200 +++ b/netx/net/sourceforge/jnlp/NetxPanel.java Thu Apr 11 12:29:47 2013 +0200 @@ -77,11 +77,6 @@ * bad tag cannot trick the loader into getting shared with another. */ - // Firefox sometimes skips the codebase if it is default -- ".", - // so set it that way if absent - String codebaseAttr = atts.get("codebase") != null ? - atts.get("codebase") : "."; - String cache_archiveAttr = atts.get("cache_archive") != null ? atts.get("cache_archive") : ""; @@ -91,7 +86,7 @@ String archiveAttr = atts.get("archive") != null ? atts.get("archive") : ""; - this.uKey = "codebase=" + codebaseAttr + + this.uKey = "codebase=" + getCodeBase().toExternalForm() + "cache_archive=" + cache_archiveAttr + "java_archive=" + java_archiveAttr + "archive=" + archiveAttr;
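Review bot: the ChangeLog hunk records a security fix with no accompanying test, and the diffstat lists only ChangeLog, NEWS and NetxPanel.java. The entry directly below it notes that the gifar fix came "with automated testcase"; a reproducer here that loads two applets with the same relative codebase and archive from different absolute locations and checks that they get different unique keys would keep this from regressing. The wording "absolute path" could also say "absolute codebase URL", since the code uses `getCodeBase().toExternalForm()`.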
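Review bot: in the `@@ -77,11 +77,6 @@` hunk of NetxPanel.java, removing `codebaseAttr` also removes the only comment that explained how the codebase part of the key was derived ("Firefox sometimes skips the codebase if it is default"). The surviving block comment ends with "bad tag cannot trick the loader into getting shared with another", but nothing now says that the key relies on the resolved codebase rather than the raw attribute. A one-line comment stating that the absolute codebase is used so that applets with the same relative `codebase` on different pages do not share a loader would document the invariant this CVE fix depends on.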
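Review bot: in the `@@ -91,7 +86,7 @@` hunk, `this.uKey` is still built by concatenating the four fields with no delimiter (`"codebase=" + ... + "cache_archive=" + ... + "java_archive=" + ... + "archive=" + ...`), so the boundary between one value and the next label is ambiguous when an attribute value itself contains label text. Since this key decides class-loader sharing, a separator that cannot occur in the values, or a structured key instead of a flat string, would be more robust. The hunk also does not show whether `getCodeBase()` can return null at this point in the constructor; if it can, `toExternalForm()` throws a NullPointerException where the old code fell back to ".", so a guard or a note on why it is always set would help.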