changeset 2169:3835320867e7

RH742515, CVE-2011-3377: IcedTea-Web: second-level domain and suffix domain SOP bypass 2011-10-28 Deepak Bhole <dbhole@redhat.com> RH742515, CVE-2011-3377: IcedTea-Web: second-level domain and suffix domain SOP bypass * NEWS: Updated. * netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java (checkPermission): Remove special case for SocketPermission.
author Andrew John Hughes <ahughes@redhat.com>
date Tue, 08 Nov 2011 01:09:07 +0000
parents b3744307bac0
children 14bad91b28f2
files ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
diffstat 3 files changed, 13 insertions(+), 66 deletions(-) [+]
--- a/ChangeLog	Fri Oct 21 15:04:36 2011 +0100
+++ b/ChangeLog	Tue Nov 08 01:09:07 2011 +0000
@@ -1,3 +1,11 @@
+2011-10-28  Deepak Bhole  <dbhole@redhat.com>
+
+	RH742515, CVE-2011-3377: IcedTea-Web: second-level domain and
+	suffix domain SOP bypass
+	* NEWS: Updated.
+	* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+	(checkPermission): Remove special case for SocketPermission.
+
 2011-10-21  Andrew John Hughes  <ahughes@redhat.com>
 
 	* patches/security/20111018/7083012.patch:
--- a/NEWS	Fri Oct 21 15:04:36 2011 +0100
+++ b/NEWS	Tue Nov 08 01:09:07 2011 +0000
@@ -10,6 +10,9 @@
 
 New in release 1.8.11 (20XX-XX-XX):
 
+* Security fixes
+  - RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass
+
 New in release 1.8.10 (2011-10-18):
 
 * Security fixes
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Fri Oct 21 15:04:36 2011 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Tue Nov 08 01:09:07 2011 +0000
@@ -250,60 +250,10 @@
                                 super.checkPermission(perm);
                         } catch (SecurityException se) {
 
-                                //This section is a special case for dealing with SocketPermissions.
                                 if (JNLPRuntime.isDebug())
                                         System.err.println("Requesting permission: " + perm.toString());
 
-                                //Change this SocketPermission's action to connect and accept
-                                //(and resolve). This is to avoid asking for connect permission
-                                //on every address resolve.
-                                Permission tmpPerm = null;
-                                if (perm instanceof SocketPermission) {
-                                        tmpPerm = new SocketPermission(perm.getName(),
-                                                        SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
-
-                                        // before proceeding, check if we are trying to connect to same origin
-                                        ApplicationInstance app = getApplication();
-                                        JNLPFile file = app.getJNLPFile();
-
-                                        String srcHost =  file.getSourceLocation().getAuthority();
-                                        String destHost = name;
-
-                                        // host = abc.xyz.com or abc.xyz.com:<port>
-                                        if (destHost.indexOf(':') >= 0)
-                                                destHost = destHost.substring(0, destHost.indexOf(':'));
-
-                                        // host = abc.xyz.com
-                                        String[] hostComponents = destHost.split("\\.");
-
-                                        int length = hostComponents.length;
-                                        if (length >= 2) {
-
-                                                // address is in xxx.xxx.xxx format
-                                                destHost = hostComponents[length -2] + "." + hostComponents[length -1];
-
-                                                // host = xyz.com i.e. origin
-                                                boolean isDestHostName = false;
-
-                                                // make sure that it is not an ip address
-                                                try {
-                                                        Integer.parseInt(hostComponents[length -1]);
-                                                } catch (NumberFormatException e) {
-                                                        isDestHostName = true;
-                                                }
-
-                                                if (isDestHostName) {
-                                                        // okay, destination is hostname. Now figure out if it is a subset of origin
-                                                        if (srcHost.endsWith(destHost)) {
-                                                                addPermission(tmpPerm);
-                                                                return;
-                                                        }
-                                                }
-                                        }
-
-                                } else if (perm instanceof SecurityPermission) {
-                                    tmpPerm = perm;
-
+                                if (perm instanceof SecurityPermission) {
                                     // JCE's initialization requires putProviderProperty permission
                                     if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
                                         if (inTrustedCallChain("com.sun.crypto.provider.SunJCE", "run")) {
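Review bot: With the SocketPermission comment removed, the `catch (SecurityException se)` block at the top of this hunk no longer says what it is permitted to do, and in a security manager every swallowed exception is effectively a grant. A comment before `if (perm instanceof SecurityPermission)` would record the invariant this fix establishes, for example `// Fail closed: only the trusted-call-chain exemptions below may suppress se; socket access is decided by policy alone.` The imports for `SocketPermission` and `SecurityConstants`, and the `askPermission` helper, may now be unused if nothing outside the visible hunks references them, so that is worth checking. checkPermission starts and ends outside this hunk.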
@@ -312,29 +262,15 @@
                                     }
 
                                 } else if (perm instanceof RuntimePermission) {
-                                    tmpPerm = perm;
-
                                     // KeyGenerator's init method requires internal spec access
                                     if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
                                         if (inTrustedCallChain("javax.crypto.KeyGenerator", "init")) {
                                             return;
                                         }
                                     }
-
-                                } else {
-                                    tmpPerm = perm;
                                 }
 
-                                if (tmpPerm != null) {
-                                    //askPermission will only prompt the user on SocketPermission
-                                    //meaning we're denying all other SecurityExceptions that may arise.
-                                    if (askPermission(tmpPerm)) {
-                                        addPermission(tmpPerm);
-                                        //return quietly.
-                                    } else {
-                                        throw se;
-                                    }
-                                }
+                                throw se;
                         }
         }
         catch (SecurityException ex) {
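Review bot: The KeyGenerator exemption kept in the `RuntimePermission` branch can never match. There `perm` is a `RuntimePermission`, but it is compared with `new SecurityPermission("accessClassInPackage.sun.security.internal.spec")`, and `BasicPermission.equals` requires both objects to be of the same class. The branch is therefore dead code and the request always falls through to the new `throw se;`. If the exemption is still intended, the comparison should read `perm.equals(new RuntimePermission("accessClassInPackage.sun.security.internal.spec"))`, still gated on `inTrustedCallChain("javax.crypto.KeyGenerator", "init")`; otherwise the branch should be removed so the set of exemptions is exactly what the code shows. The enclosing method starts outside the hunk.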