changeset 2306:7ec6c82e69ee

RH663680, CVE-2010-4351: JNLP SecurityManager bypass

2010-12-16  Omair Majid  <omajid@redhat.com>

	RH663680, CVE-2010-4351:
	* NEWS: List issue.
	* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java:
	Make sure SecurityException is thrown if necessary.

author Andrew John Hughes <ahughes@redhat.com>
date Fri, 17 Dec 2010 01:02:47 +0000
parents 5af2053661b9
children fdefc65b1e3f
files ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
diffstat 3 files changed, 12 insertions(+), 1 deletions(-)
--- a/ChangeLog	Thu Dec 16 19:31:39 2010 +0000
+++ b/ChangeLog	Fri Dec 17 01:02:47 2010 +0000
@@ -1,3 +1,10 @@
+2010-12-16  Omair Majid  <omajid@redhat.com>
+
+	RH663680, CVE-2010-4351:
+	* NEWS: List issue.
+	* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java:
+	Make sure SecurityException is thrown if necessary.
+
 2010-12-16  Andrew John Hughes  <ahughes@redhat.com>
 
 	* NEWS: Place RH647674 under correct section.
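Review bot: The entry for JNLPSecurityManager.java ("Make sure SecurityException is thrown if necessary.") does not say which part of the file changes. Suggest naming the SecurityPermission and RuntimePermission branches that the code hunks in this changeset touch, so the entry can be matched to the CVE-2010-4351 fix without opening the diff.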
--- a/NEWS	Thu Dec 16 19:31:39 2010 +0000
+++ b/NEWS	Fri Dec 17 01:02:47 2010 +0000
@@ -8,8 +8,10 @@
 
 CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
-New in release 1.9.4 (2011-XX-XX):
+New in release 1.9.4 (2011-01-12):
 
+* Security updates
+  - RH663680, CVE-2010-4351: IcedTea JNLP SecurityManager bypass
 * Backports
   - S4356282: RFE: JDK should support OpenType/CFF fonts
   - S6954424, RH525870: Support OpenType/CFF fonts in JDK 7
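Review bot: The release date change from 2011-XX-XX to 2011-01-12 on the "New in release 1.9.4" line is not covered by the ChangeLog entry, which only says "NEWS: List issue." Either mention the date in the ChangeLog entry or set it in a separate release commit, so the security fix and the release bookkeeping can be backported independently.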
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Thu Dec 16 19:31:39 2010 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Fri Dec 17 01:02:47 2010 +0000
@@ -302,6 +302,7 @@
                                         }
 
                                 } else if (perm instanceof SecurityPermission) {
+                                    tmpPerm = perm;
 
                                     // JCE's initialization requires putProviderProperty permission
                                     if (perm.equals(new SecurityPermission("putProviderProperty.SunJCE"))) {
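Review bot: The added `tmpPerm = perm;` at the top of the SecurityPermission branch has no comment saying why this branch must set it, and the identical line is repeated in the RuntimePermission branch in the next hunk. Suggest a one-line comment tying the assignment to the SecurityException the ChangeLog mentions and, if the rest of the method allows it, assigning tmpPerm once before the if/else chain so that a newly added branch cannot leave it unset. The changeset touches only ChangeLog, NEWS and this file, so no regression test for either branch comes with the fix.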
@@ -311,6 +312,7 @@
                                     }
 
                                 } else if (perm instanceof RuntimePermission) {
+                                    tmpPerm = perm;
 
                                     // KeyGenerator's init method requires internal spec access
                                     if (perm.equals(new SecurityPermission("accessClassInPackage.sun.security.internal.spec"))) {
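Review bot: In the RuntimePermission branch, the context line under the added assignment compares perm against `new SecurityPermission("accessClassInPackage.sun.security.internal.spec")`. perm is a RuntimePermission at that point, and BasicPermission.equals requires both objects to be of the same class, so this condition can never be true. accessClassInPackage is a RuntimePermission target, so the comparison should construct a RuntimePermission instead; worth correcting here or in a follow-up, since this change modifies the same branch.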