# HG changeset patch # User Andrew John Hughes # Date 1297624721 0 # Node ID 4cb5a70fef4dece07a646df2fa18d25ffbdf3b93 # Parent 9c8044a7a1d3bbe518a5d6d1a2b0c58d4b6afb7a Vulnerability in permissions assigned to applets with multiple JARs 2011-02-13 Andrew John Hughes * NEWS: Updated. 2011-02-11 Omair Majid * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: (initializeResources()): Only create a SecurityDesc with all permissions when the jar is signed. diff -r 9c8044a7a1d3 -r 4cb5a70fef4d ChangeLog --- a/ChangeLog Fri Feb 11 16:24:11 2011 +0000 +++ b/ChangeLog Sun Feb 13 19:18:41 2011 +0000 @@ -1,3 +1,13 @@ +2011-02-13 Andrew John Hughes + + * NEWS: Updated. + +2011-02-11 Omair Majid + + * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: + (initializeResources()): Only create a SecurityDesc with + all permissions when the jar is signed. + 2011-02-11 Andrew John Hughes * configure.ac: Bump to 1.7.10. diff -r 9c8044a7a1d3 -r 4cb5a70fef4d NEWS --- a/NEWS Fri Feb 11 16:24:11 2011 +0000 +++ b/NEWS Sun Feb 13 19:18:41 2011 +0000 @@ -18,6 +18,7 @@ - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries - S6985453, CVE-2010-4471: Java2D font-related system property leak - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation + - Vulnerability in permissions assigned to applets with multiple JARs New in release 1.7.9 (2011-02-09): diff -r 9c8044a7a1d3 -r 4cb5a70fef4d rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java --- a/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Feb 11 16:24:11 2011 +0000 +++ b/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Sun Feb 13 19:18:41 2011 +0000 
@@ -440,9 +440,15 @@ codebase = file.getResources().getMainJAR().getLocation(); } - jarSecurity = new SecurityDesc(file, - SecurityDesc.ALL_PERMISSIONS, - codebase.getHost()); + if (signing) { + jarSecurity = new SecurityDesc(file, + SecurityDesc.ALL_PERMISSIONS, + codebase.getHost()); + } else { + jarSecurity = new SecurityDesc(file, + SecurityDesc.SANDBOX_PERMISSIONS, + codebase.getHost()); + } } jarLocationSecurityMap.put(location, jarSecurity);
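Review bot: The correctness of this fix rests entirely on what `signing` means at this point in `initializeResources()`, and the hunk gives no context for it. The entry being written is keyed by `location` (`jarLocationSecurityMap.put(location, jarSecurity)`), so `signing` must reflect the verification result of that specific JAR, not the main JAR and not a loader-wide "something was signed" flag; with the multiple-JAR case this change is meant to fix, a flag set by one signed JAR would still hand `ALL_PERMISSIONS` to an unsigned sibling. Please confirm where `signing` is assigned and that it is evaluated per iteration, and add a test with one signed and one unsigned JAR in the same JNLP asserting the unsigned one maps to `SANDBOX_PERMISSIONS`. Two smaller points: the two branches differ only in the permission constant, so `jarSecurity = new SecurityDesc(file, signing ? SecurityDesc.ALL_PERMISSIONS : SecurityDesc.SANDBOX_PERMISSIONS, codebase.getHost());` says the same thing without the duplicated constructor call; and the preceding context shows `codebase` falling back to `file.getResources().getMainJAR().getLocation()`, so `codebase.getHost()` may describe the main JAR rather than the JAR at `location`, which is worth a comment if that is intended.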
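Review bot: The ChangeLog entry names `netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java`, but the file actually modified in this changeset is `rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java` (see the `diff -r` header); please correct the path in the entry so the ChangeLog matches the diff.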
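Review bot: The new NEWS line `- Vulnerability in permissions assigned to applets with multiple JARs` carries no bug or CVE identifier, while every neighbouring entry in the same list (`S6983554, CVE-2010-4450`, `S6985453, CVE-2010-4471`, `S6927050, CVE-2010-4470`) does; if an identifier has been assigned for this issue, add it in the same `Sxxxxxxx, CVE-yyyy-nnnn:` form so downstream consumers can match the release note to the advisory.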