Mercurial > hg > release > icedtea6-1.7
changeset 2040:4cb5a70fef4d
Vulnerability in permissions assigned to applets with multiple JARs
2011-02-13 Andrew John Hughes <ahughes@redhat.com>
* NEWS: Updated.
2011-02-11 Omair Majid <omajid@redhat.com>
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
(initializeResources()): Only create a SecurityDesc with
all permissions when the jar is signed.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Sun, 13 Feb 2011 19:18:41 +0000 |
parents | 9c8044a7a1d3 |
children | 9d9eee71b94a |
files | ChangeLog NEWS rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java |
diffstat | 3 files changed, 20 insertions(+), 3 deletions(-) |
--- a/ChangeLog Fri Feb 11 16:24:11 2011 +0000 +++ b/ChangeLog Sun Feb 13 19:18:41 2011 +0000 @@ -1,3 +1,13 @@ +2011-02-13 Andrew John Hughes <ahughes@redhat.com> + + * NEWS: Updated. + +2011-02-11 Omair Majid <omajid@redhat.com> + + * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: + (initializeResources()): Only create a SecurityDesc with + all permissions when the jar is signed. + 2011-02-11 Andrew John Hughes <ahughes@redhat.com> * configure.ac: Bump to 1.7.10.
--- a/NEWS Fri Feb 11 16:24:11 2011 +0000 +++ b/NEWS Sun Feb 13 19:18:41 2011 +0000 @@ -18,6 +18,7 @@ - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries - S6985453, CVE-2010-4471: Java2D font-related system property leak - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation + - Vulnerability in permissions assigned to applets with multiple JARs New in release 1.7.9 (2011-02-09):
--- a/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Feb 11 16:24:11 2011 +0000 +++ b/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Sun Feb 13 19:18:41 2011 +0000 @@ -440,9 +440,15 @@ codebase = file.getResources().getMainJAR().getLocation(); } - jarSecurity = new SecurityDesc(file, - SecurityDesc.ALL_PERMISSIONS, - codebase.getHost()); + if (signing) { + jarSecurity = new SecurityDesc(file, + SecurityDesc.ALL_PERMISSIONS, + codebase.getHost()); + } else { + jarSecurity = new SecurityDesc(file, + SecurityDesc.SANDBOX_PERMISSIONS, + codebase.getHost()); + } } jarLocationSecurityMap.put(location, jarSecurity);
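Review bot: The new ChangeLog entry names netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java, but the file changed in this changeset is rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java. Correct the path in the entry so that it matches the file on this branch.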
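Review bot: In NEWS, the added line carries no bug or CVE identifier, unlike the three entries above it (for example `S6927050, CVE-2010-4470`). If an identifier has been assigned, add it to this entry so that users can match the release to the advisory.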
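Review bot: In JNLPClassLoader.java the new branch tests `signing`, which is not defined in this hunk, while the ChangeLog says all permissions are granted only "when the jar is signed" and the result is stored per location by `jarLocationSecurityMap.put(location, jarSecurity)`. Please confirm that `signing` describes the JAR at this `location` rather than the applet as a whole; if it is a loader-wide flag, an unsigned JAR loaded alongside a signed one would still receive `SecurityDesc.ALL_PERMISSIONS`, and the check should use that JAR's own signature state instead. The two branches also differ only in the permission constant, so selecting the constant first and calling the `SecurityDesc` constructor once would make the sandbox default easier to audit.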