Mercurial > hg > release > icedtea6-1.8
changeset 2138:9d55580ba753
Vulnerability in permissions assigned to applets with multiple JARs.
2011-02-13 Andrew John Hughes <ahughes@redhat.com>
* NEWS: Updated.
2011-02-11 Omair Majid <omajid@redhat.com>
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
(initializeResources()): Only create a SecurityDesc with
all permissions when the jar is signed.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Sun, 13 Feb 2011 19:02:30 +0000 |
parents | 1677c90e2f8e |
children | 83b15d0d30ff |
files | ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java |
diffstat | 3 files changed, 20 insertions(+), 3 deletions(-) |
--- a/ChangeLog Sun Feb 13 14:41:07 2011 +0000 +++ b/ChangeLog Sun Feb 13 19:02:30 2011 +0000 @@ -1,3 +1,13 @@ +2011-02-13 Andrew John Hughes <ahughes@redhat.com> + + * NEWS: Updated. + +2011-02-11 Omair Majid <omajid@redhat.com> + + * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: + (initializeResources()): Only create a SecurityDesc with + all permissions when the jar is signed. + 2011-02-11 Andrew John Hughes <ahughes@redhat.com> * configure.ac: Bump to 1.8.7.
--- a/NEWS Sun Feb 13 14:41:07 2011 +0000 +++ b/NEWS Sun Feb 13 19:02:30 2011 +0000 @@ -18,6 +18,7 @@ - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries - S6985453, CVE-2010-4471: Java2D font-related system property leak - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation + - Vulnerability in permissions assigned to applets with multiple JARs New in release 1.8.6 (2011-02-09):
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Sun Feb 13 14:41:07 2011 +0000 +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Sun Feb 13 19:02:30 2011 +0000 @@ -439,9 +439,15 @@ codebase = file.getResources().getMainJAR().getLocation(); } - jarSecurity = new SecurityDesc(file, - SecurityDesc.ALL_PERMISSIONS, - codebase.getHost()); + if (signing) { + jarSecurity = new SecurityDesc(file, + SecurityDesc.ALL_PERMISSIONS, + codebase.getHost()); + } else { + jarSecurity = new SecurityDesc(file, + SecurityDesc.SANDBOX_PERMISSIONS, + codebase.getHost()); + } } jarLocationSecurityMap.put(location, jarSecurity);
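Review bot: In the NEWS hunk, the added line "Vulnerability in permissions assigned to applets with multiple JARs" carries no bug or CVE identifier, unlike the three entries directly above it (for example "S6983554, CVE-2010-4450"). If an identifier has been assigned, add it in the same "ID, CVE: description" form so packagers can match this release note to the advisory. If none exists yet, a reference to the changeset or bug tracker entry would serve the same purpose.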
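Review bot: In the JNLPClassLoader.java hunk, the new `if (signing)` test decides whether the SecurityDesc stored by `jarLocationSecurityMap.put(location, jarSecurity)` gets ALL_PERMISSIONS, but nothing in the visible lines shows that `signing` describes the JAR at `location` rather than the applet as a whole. Since the issue being fixed concerns applets with multiple JARs, please confirm (and say in a comment above the branch) that `signing` cannot be true while this particular JAR is unsigned; otherwise the check should be made per JAR. The two branches also repeat the same constructor call and differ only in the permission constant, so selecting the constant first and calling `new SecurityDesc(file, ..., codebase.getHost())` once would make the security-relevant difference easier to audit. A regression test with one signed and one unsigned JAR, asserting that the unsigned one maps to SANDBOX_PERMISSIONS, would be worth adding alongside this change.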