changeset 2104:330ee084669d
RH645843, CVE-2010-3860: Don't expose system properties via public variables.
2010-11-12 Andrew John Hughes <ahughes@redhat.com>
* NEWS: Updated.
2010-11-11 Omair Majid <omajid@redhat.com>
RH645843, CVE-2010-3860
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
* plugin/icedteanp/java/sun/applet/PluginMain.java:
Fix exposure of system properties.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Wed, 17 Nov 2010 17:18:19 +0000 |
parents | 74a5c2ed67d3 |
children | 5879df03ebdd |
files | ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/Boot.java netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java netx/net/sourceforge/jnlp/security/SecurityUtil.java netx/net/sourceforge/jnlp/services/SingleInstanceLock.java netx/net/sourceforge/jnlp/util/XDesktopEntry.java plugin/icedteanp/java/sun/applet/PluginMain.java |
diffstat | 8 files changed, 80 insertions(+), 32 deletions(-) [+] |
--- a/ChangeLog Tue Nov 16 12:39:47 2010 +0000 +++ b/ChangeLog Wed Nov 17 17:18:19 2010 +0000 @@ -1,3 +1,18 @@ +2010-11-12 Andrew John Hughes <ahughes@redhat.com> + + * NEWS: Updated. + +2010-11-11 Omair Majid <omajid@redhat.com> + + RH645843, CVE-2010-3860 + * netx/net/sourceforge/jnlp/runtime/Boot.java, + * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java, + * netx/net/sourceforge/jnlp/security/SecurityUtil.java, + * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java, + * netx/net/sourceforge/jnlp/util/XDesktopEntry.java, + * plugin/icedteanp/java/sun/applet/PluginMain.java: + Fix exposure of system properties. + 2010-11-16 Andrew John Hughes <ahughes@redhat.com> * Makefile.am:
--- a/NEWS Tue Nov 16 12:39:47 2010 +0000 +++ b/NEWS Wed Nov 17 17:18:19 2010 +0000 @@ -12,6 +12,8 @@ * Allow the building of NetX to be disabled. * Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs. +* Security updates + - RH645843, CVE-2010-3860: IcedTea System property information leak via public static * Backports - S6853592: VM test nsk.regression.b4261880 fails with "X Error of failed request: BadWindow" inconsistently.
--- a/netx/net/sourceforge/jnlp/runtime/Boot.java Tue Nov 16 12:39:47 2010 +0000 +++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Nov 17 17:18:19 2010 +0000 @@ -230,8 +230,8 @@ */ private static String getAboutFile() { - if (new File(JNLPRuntime.NETX_ABOUT_FILE).exists()) - return JNLPRuntime.NETX_ABOUT_FILE; + if (new File(JNLPRuntime.getAboutFile()).exists()) + return JNLPRuntime.getAboutFile(); else return null; }
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Tue Nov 16 12:39:47 2010 +0000 +++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Nov 17 17:18:19 2010 +0000 
@@ -105,42 +105,42 @@ private static List<String> initialArguments; /** Username */ - public static final String USER = System.getProperty("user.name"); + private static final String USER = System.getProperty("user.name"); /** User's home directory */ - public static final String HOME_DIR = System.getProperty("user.home"); + private static final String HOME_DIR = System.getProperty("user.home"); /** the ~/.netxrc file containing netx settings */ - public static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc"; + private static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc"; /** the ~/.netx directory containing user-specific data */ - public static final String NETX_DIR = HOME_DIR + File.separator + ".netx"; + private static final String NETX_DIR = HOME_DIR + File.separator + ".netx"; /** the ~/.netx/security directory containing security related information */ - public static final String SECURITY_DIR = NETX_DIR + File.separator + "security"; + private static final String SECURITY_DIR = NETX_DIR + File.separator + "security"; /** the ~/.netx/security/trusted.certs file containing trusted certificates */ - public static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs"; + private static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs"; /** the /tmp/ directory used for temporary files */ - public static final String TMP_DIR = System.getProperty("java.io.tmpdir"); + private static final String TMP_DIR = System.getProperty("java.io.tmpdir"); /** * the /tmp/$USER/netx/locks/ directory containing locks for single instance * applications */ - public static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator + private static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator + "netx" + File.separator + "locks"; /** the java.home directory */ - public static final String JAVA_HOME_DIR = System.getProperty("java.home"); - + private 
static final String JAVA_HOME_DIR = System.getProperty("java.home"); + /** the JNLP file to open to display the network-based about window */ - public static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib" + private static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib" + File.separator + "about.jnlp"; - - + + /** * Returns whether the JNLP runtime environment has been * initialized. Once initialized, some properties such as the @@ -558,7 +558,38 @@ public static List<String> getInitialArguments() { return initialArguments; } - + + /** Get the location of the certificate files user-level used by netx */ + public static String getCertificatesFile() { + System.getProperty("user.home"); + return CERTIFICATES_FILE; + } + + /** Get the home directory */ + public static String getHomeDir() { + System.getProperty("user.home"); + return HOME_DIR; + } + + /** Get the location of the about file */ + public static String getAboutFile() { + System.getProperty("java.home"); + return NETX_ABOUT_FILE; + } + + /** Get the location of the locks directory */ + public static String getLocksDir() { + System.getProperty("user.home"); + System.getProperty("java.io.tmpdir"); + return LOCKS_DIR; + } + + /** Get the location of a temporary location */ + public static String getTempDir() { + System.getProperty("java.io.tmpdir"); + return TMP_DIR; + } + }
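Review bot: getLocksDir() checks `user.home` and `java.io.tmpdir`, but LOCKS_DIR in the first hunk is built from TMP_DIR and USER, so the returned path carries `user.name` without that property being checked; its first call should be `System.getProperty("user.name");`. The discarded System.getProperty calls in all five getters read like dead code, although they appear to exist only to make the security manager check the caller's property access before the cached value is handed out. Each one deserves a comment such as `// result unused: forces the caller's PropertyPermission check before the cached value is returned`, so a later cleanup does not remove the check.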
--- a/netx/net/sourceforge/jnlp/security/SecurityUtil.java Tue Nov 16 12:39:47 2010 +0000 +++ b/netx/net/sourceforge/jnlp/security/SecurityUtil.java Wed Nov 17 17:18:19 2010 +0000 @@ -46,18 +46,18 @@ public class SecurityUtil { - private static final char[] password = "changeit".toCharArray(); - - public static String getTrustedCertsFilename() throws Exception{ - - String homeDir = JNLPRuntime.HOME_DIR; - - if (homeDir == null) { - throw new Exception("Could not access home directory"); - } else { - return JNLPRuntime.CERTIFICATES_FILE; - } - } + private static final char[] password = "changeit".toCharArray(); + + public static String getTrustedCertsFilename() throws Exception { + + String homeDir = JNLPRuntime.getHomeDir(); + + if (homeDir == null) { + throw new Exception("Could not access home directory"); + } else { + return JNLPRuntime.getCertificatesFile(); + } + } public static char[] getTrustedCertsPassword() { return password;
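Review bot: getTrustedCertsPassword() in the trailing context still returns the shared `password` array itself, so any caller can overwrite its contents for the whole JVM; in a commit that closes off public static state, `return password.clone();` would close this one too. In the re-indented getTrustedCertsFilename(), the `homeDir == null` branch now only covers an unset property, since a caller without permission would presumably get a SecurityException from `JNLPRuntime.getHomeDir()` rather than null; a Javadoc line saying so would help. The body of getTrustedCertsPassword() continues outside the hunk.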
--- a/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Tue Nov 16 12:39:47 2010 +0000 +++ b/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Wed Nov 17 17:18:19 2010 +0000 @@ -126,7 +126,7 @@ * may or may not exist. */ private File getLockFile() { - File baseDir = new File(JNLPRuntime.LOCKS_DIR); + File baseDir = new File(JNLPRuntime.getLocksDir()); if (!baseDir.isDirectory() && !baseDir.mkdirs()) { throw new RuntimeException(R("RNoLockDir", baseDir));
--- a/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Tue Nov 16 12:39:47 2010 +0000 +++ b/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Wed Nov 17 17:18:19 2010 +0000 @@ -131,7 +131,7 @@ * Install this XDesktopEntry into the user's desktop as a launcher */ private void installDesktopLauncher() { - File shortcutFile = new File(JNLPRuntime.TMP_DIR + File.separator + File shortcutFile = new File(JNLPRuntime.getTempDir() + File.separator + FileUtils.sanitizeFileName(file.getTitle()) + ".desktop"); try {
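Review bot: The launcher path is still a predictable name directly inside the shared temp directory (`getTempDir()` plus the sanitized title plus `.desktop`), and the hunk shows no check that the path does not already exist before it is written. The write itself is outside the hunk, so this may be handled there; if it is not, creating the file exclusively inside a per-user directory would be the safer choice, recorded for now as `// TODO: create exclusively and fail if the path already exists`. installDesktopLauncher() continues past the end of the hunk.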
--- a/plugin/icedteanp/java/sun/applet/PluginMain.java Tue Nov 16 12:39:47 2010 +0000 +++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Wed Nov 17 17:18:19 2010 +0000 @@ -89,8 +89,8 @@ { // the files where stdout/stderr are sent to - public static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr"; - public static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout"; + static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr"; + static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout"; final boolean redirectStreams = System.getenv().containsKey("ICEDTEAPLUGIN_DEBUG"); static PluginStreamHandler streamHandler;
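Review bot: PLUGIN_STDERR_FILE and PLUGIN_STDOUT_FILE become package-private rather than private, so the `user.home`-derived paths stay readable by any class in `sun.applet` without the property check that the JNLPRuntime getters add. If nothing outside PluginMain reads them (not visible here), `private static final` is the tighter choice; otherwise add a comment such as `// package-private on purpose: contains user.home, must not be made public again`. The class body starts and ends outside the hunk.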