changeset 2282:9aa0018d8c28
RH645843, CVE-2010-3860: Don't expose system properties via public variables.
2010-11-12 Andrew John Hughes <ahughes@redhat.com>
* NEWS: Updated.
2010-11-11 Omair Majid <omajid@redhat.com>
RH645843, CVE-2010-3860
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
* plugin/icedteanp/java/sun/applet/PluginMain.java:
Fix exposure of system properties.
author | Andrew John Hughes <ahughes@redhat.com> |
date | Fri, 12 Nov 2010 17:05:06 +0000 |
parents | 1c9dabc8729f |
children | 23f4ec2c7f7a |
files | ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/Boot.java netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java netx/net/sourceforge/jnlp/security/SecurityUtil.java netx/net/sourceforge/jnlp/services/SingleInstanceLock.java netx/net/sourceforge/jnlp/util/XDesktopEntry.java plugin/icedteanp/java/sun/applet/PluginMain.java |
diffstat | 8 files changed, 66 insertions(+), 19 deletions(-) [+] |
--- a/ChangeLog Fri Nov 12 00:28:26 2010 +0000
+++ b/ChangeLog Fri Nov 12 17:05:06 2010 +0000
@@ -1,3 +1,18 @@
+2010-11-12 Andrew John Hughes <ahughes@redhat.com>
+
+ * NEWS: Updated.
+
+2010-11-11 Omair Majid <omajid@redhat.com>
+
+ RH645843, CVE-2010-3860
+ * netx/net/sourceforge/jnlp/runtime/Boot.java,
+ * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
+ * netx/net/sourceforge/jnlp/security/SecurityUtil.java,
+ * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
+ * netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
+ * plugin/icedteanp/java/sun/applet/PluginMain.java:
+ Fix exposure of system properties.
+
 2010-11-11 Andrew John Hughes <ahughes@redhat.com>
 * configure.ac: Update to 1.9.2pre.
--- a/NEWS Fri Nov 12 00:28:26 2010 +0000
+++ b/NEWS Fri Nov 12 17:05:06 2010 +0000
@@ -14,6 +14,8 @@
 * Allow the building of NetX to be disabled.
 * Additional S390 size_t fixes.
 * Switch to the IcedTea server for JAXP, JAF and JAXWS tarballs.
+* Security updates
+ - RH645843, CVE-2010-3860: IcedTea System property information leak via public static
 * Backports
 - S6622432: RFE: Performance improvements to java.math.BigDecimal
 - S6850606: Regression from JDK 1.6.0_12
--- a/netx/net/sourceforge/jnlp/runtime/Boot.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Fri Nov 12 17:05:06 2010 +0000
@@ -230,8 +230,8 @@
 */
 private static String getAboutFile() {
- if (new File(JNLPRuntime.NETX_ABOUT_FILE).exists())
- return JNLPRuntime.NETX_ABOUT_FILE;
+ if (new File(JNLPRuntime.getAboutFile()).exists())
+ return JNLPRuntime.getAboutFile();
 else
 return null;
 }
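Review bot: The rewritten getAboutFile() body calls JNLPRuntime.getAboutFile() twice, once for the existence test and once for the return, which runs whatever work that accessor does twice for one result; fetching it once into a local reads more clearly, `String about = JNLPRuntime.getAboutFile();` followed by `return new File(about).exists() ? about : null;`. The accessor introduced elsewhere in this commit appears to perform a property-permission probe before returning, so the double call is also two probes; that inference should be confirmed against JNLPRuntime.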
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Fri Nov 12 17:05:06 2010 +0000
@@ -105,38 +105,38 @@
 private static List<String> initialArguments;
 /** Username */
- public static final String USER = System.getProperty("user.name");
+ private static final String USER = System.getProperty("user.name");
 /** User's home directory */
- public static final String HOME_DIR = System.getProperty("user.home");
+ private static final String HOME_DIR = System.getProperty("user.home");
 /** the ~/.netxrc file containing netx settings */
- public static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
+ private static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
 /** the ~/.netx directory containing user-specific data */
- public static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
+ private static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
 /** the ~/.netx/security directory containing security related information */
- public static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
+ private static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
 /** the ~/.netx/security/trusted.certs file containing trusted certificates */
- public static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
+ private static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
 /** the /tmp/ directory used for temporary files */
- public static final String TMP_DIR = System.getProperty("java.io.tmpdir");
+ private static final String TMP_DIR = System.getProperty("java.io.tmpdir");
 /**
 * the /tmp/$USER/netx/locks/ directory containing locks for single instance
 * applications
 */
- public static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+ private static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
 + "netx" + File.separator + "locks";
 /** the java.home directory */
- public static final String JAVA_HOME_DIR = System.getProperty("java.home");
+ private static final String JAVA_HOME_DIR = System.getProperty("java.home");
 /** the JNLP file to open to display the network-based about window */
- public static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+ private static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
 + File.separator + "about.jnlp";
@@ -559,4 +559,35 @@
 return initialArguments;
 }
+ /** Get the location of the certificate files user-level used by netx */
+ public static String getCertificatesFile() {
+ System.getProperty("user.home");
+ return CERTIFICATES_FILE;
+ }
+
+ /** Get the home directory */
+ public static String getHomeDir() {
+ System.getProperty("user.home");
+ return HOME_DIR;
+ }
+
+ /** Get the location of the about file */
+ public static String getAboutFile() {
+ System.getProperty("java.home");
+ return NETX_ABOUT_FILE;
+ }
+
+ /** Get the location of the locks directory */
+ public static String getLocksDir() {
+ System.getProperty("user.home");
+ System.getProperty("java.io.tmpdir");
+ return LOCKS_DIR;
+ }
+
+ /** Get the location of a temporary location */
+ public static String getTempDir() {
+ System.getProperty("java.io.tmpdir");
+ return TMP_DIR;
+ }
+
 }
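Review bot: In the new getLocksDir() the property probes do not match what LOCKS_DIR is built from: the first hunk defines it as TMP_DIR + File.separator + USER + ..., where USER comes from "user.name", yet the method probes "user.home" and "java.io.tmpdir", so the "user.home" probe is irrelevant to this path and a caller permitted to read "java.io.tmpdir" but not "user.name" still obtains the user name from the returned string; the first probe should be `System.getProperty("user.name");`. The discarded System.getProperty calls in all five getters presumably exist so that an installed SecurityManager rejects callers lacking the matching PropertyPermission before the cached value is returned, but nothing in the hunk says so and the lines read as dead code that a later cleanup could remove; a comment such as `// result intentionally discarded: lets the SecurityManager's property check reject callers without PropertyPermission` on each probe, plus `@throws SecurityException` in each Javadoc, would preserve the intent. The Javadoc on getCertificatesFile() ("certificate files user-level used by netx") is also garbled and would read better as "the user-level trusted certificates file used by netx". Note the probes only protect callers while a SecurityManager is installed; without one every getter returns its value unconditionally.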
--- a/netx/net/sourceforge/jnlp/security/SecurityUtil.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/security/SecurityUtil.java Fri Nov 12 17:05:06 2010 +0000
@@ -49,13 +49,12 @@
 private static final char[] password = "changeit".toCharArray();
 public static String getTrustedCertsFilename() throws Exception{
-
- String homeDir = JNLPRuntime.HOME_DIR;
+ String homeDir = JNLPRuntime.getHomeDir();
 if (homeDir == null) {
 throw new Exception("Could not access home directory");
 } else {
- return JNLPRuntime.CERTIFICATES_FILE;
+ return JNLPRuntime.getCertificatesFile();
 }
 }
--- a/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Fri Nov 12 17:05:06 2010 +0000
@@ -126,7 +126,7 @@
 * may or may not exist.
 */
 private File getLockFile() {
- File baseDir = new File(JNLPRuntime.LOCKS_DIR);
+ File baseDir = new File(JNLPRuntime.getLocksDir());
 if (!baseDir.isDirectory() && !baseDir.mkdirs()) {
 throw new RuntimeException(R("RNoLockDir", baseDir));
--- a/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Fri Nov 12 00:28:26 2010 +0000
+++ b/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Fri Nov 12 17:05:06 2010 +0000
@@ -131,7 +131,7 @@
 * Install this XDesktopEntry into the user's desktop as a launcher
 */
 private void installDesktopLauncher() {
- File shortcutFile = new File(JNLPRuntime.TMP_DIR + File.separator
+ File shortcutFile = new File(JNLPRuntime.getTempDir() + File.separator
 + FileUtils.sanitizeFileName(file.getTitle()) + ".desktop");
 try {
--- a/plugin/icedteanp/java/sun/applet/PluginMain.java Fri Nov 12 00:28:26 2010 +0000
+++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Fri Nov 12 17:05:06 2010 +0000
@@ -89,8 +89,8 @@
 {
 // the files where stdout/stderr are sent to
- public static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
- public static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
+ static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
+ static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
 final boolean redirectStreams = System.getenv().containsKey("ICEDTEAPLUGIN_DEBUG");
 static PluginStreamHandler streamHandler;
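Review bot: Dropping `public` leaves PLUGIN_STDERR_FILE and PLUGIN_STDOUT_FILE package-private, so the user.home-derived paths remain readable by any class in `sun.applet`; that is adequate only while `sun.applet` stays on the restricted `package.access` list that SecurityManager.checkPackageAccess enforces, and nothing in the hunk records this dependency. Unlike the JNLPRuntime change in the same commit, no accessor with a property check is added, so a future `sun.applet` class that returns these strings would reintroduce the leak. If no other class needs them, `private static final` matches the JNLPRuntime treatment; otherwise a comment such as `// package-private on purpose (CVE-2010-3860): the path embeds user.home, do not re-expose it` documents the constraint. The enclosing class declaration begins outside the hunk.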