rpms
/
icedtea-web
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import icedtea-web-1.7.1-17.el8

This commit is contained in:
CentOS Sources 2020-01-21 16:00:36 -05:00 committed by Stepan Oksanichenko
parent a96d3cb6c8
commit 9d15b8f92b
8 changed files with 6574 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
SOURCES/PreventiveleQueue.patch Normal file
View File

@ -0,0 +1,23 @@
commit 5437234c59f6c375a8ad0b07f93d459eefd571ba
Author: Jiri Vanek <jvanek@redhat.com>
Date: Tue Jul 9 12:10:39 2019 +0200
Preventively, hash also .. in queue
diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
index 5c8652b6..15e8865c 100644
--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
@@ -703,7 +703,11 @@ public class CacheUtil {
path.append(File.separatorChar);
}
String locationPath = location.getPath().replace('/', File.separatorChar);
- if (locationPath.contains("..")){
+ String query = "";
+ if (location.getQuery() != null) {
+ query = location.getQuery();
+ }
+ if (locationPath.contains("..") || query.contains("..")){
try {
/**
* if path contains .. then it can harm lcoal system

29
SOURCES/issue1-bin.patch Normal file
View File

@ -0,0 +1,29 @@
commit 78cf73473dda5ceee3eecda5169621f36b93c3db
Author: Jiri Vanek <jvanek@redhat.com>
Date: Tue Jun 18 15:37:47 2019 +0200
Fixed bug when relative path (..) could leak up (even out of cache)
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/j1.jar b/tests/netx/unit/net/sourceforge/jnlp/runtime/j1.jar
new file mode 100644
index 0000000000000000000000000000000000000000..080383629e9349101b25ad3b33b9950f456c4e8e
GIT binary patch
literal 940
zcmWIWW@Zs#VBp|jI8$@gj{yjnKm-tQGO#fCx`sIFdiuHP|2xINz|0VUqL}B}?nD=$
zLRTOL8i7#k>*(j{<{BKL=j-;__snS@Z(Y5MyxzK6=gyqp9At3C_`%a6JuhD!Pv48B
zt5`TAUPvC1mXy-W_#v*U_I!z!#dC4dC*rEp7_Mf2D*9N&h-B+wpcBjVOyp!385rgO
zF%QsIkJOx;d_%qDoW$bd+yGzi!wv$qm(}j7^={j?tnS+b#|}B3rtMwgjy58qN^v%-
zr7NR9DH;m?;ru6Kt5NZR{m0@XH$ya>z8h@*d~f#5?Z5wi{>l1)gISt)i*Ct=OD@;l
z_*XNnbC`d@B5b9WA4h5a`?iERY2}kH$gK>Co8qbR`L#ipq~WB1r7io)t!K6QFO+Y8
zd4#_!X6fXGd0U#-oH_o<C$sQ%%(23<iUm{oSY|P0^Ih9`@b^1yuY}77#kNV#$mE>+
z^UmoEt>Z`SH7e?KQVyAIp2S(6=9KzR)LP?4JI`drh1(g_I@n{6=G^}(w(~fj&p(CQ
zEQPnz7azUaU|eYS-QHn+&BOAdoDhYFthyHUm+r0--Ec49^|kwnXP%k`HyjN1b(^+I
z_w;^f+%a%4>;;D6o#rRf3Bb_H24Zdo8CWQ0C6*<IhHx@4Z@tSCJEv4AwzPtqfsy3}
zGXn!lJ5Z^%hVQA9K4Bi`JazQKK6soxdD1*&#j{620U8Y+BGXl-F|6G5=Zr|}og-&#
zdLK+$bY@S9t*veAkwssU&SotLQs7vpqvv_{>S=x5i`opQrayU-sgc^?8+>UCo7T#w
ztDZ6eqneRP1eBO?q(`6=kN`^RMAwR*IuZJGflRnoq_m1`0=ATfFkvx}iJb00I^~!_
tc>r7JN`N&2lPklL#+N_}suL2{tdOuq3+DiDRyL3>79ivRYUu-KN&w$EG4%id
literal 0
HcmV?d00001

323
SOURCES/issue1.patch Normal file
View File

@ -0,0 +1,323 @@
commit 78cf73473dda5ceee3eecda5169621f36b93c3db
Author: Jiri Vanek <jvanek@redhat.com>
Date: Tue Jun 18 15:37:47 2019 +0200
Fixed bug when relative path (..) could leak up (even out of cache)
--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+++ a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
@@ -696,46 +696,68 @@
path.append(location.getPort());
path.append(File.separatorChar);
}
- path.append(location.getPath().replace('/', File.separatorChar));
- if (location.getQuery() != null && !location.getQuery().trim().isEmpty()) {
- path.append(".").append(location.getQuery());
- }
-
- File candidate = new File(FileUtils.sanitizePath(path.toString()));
- if (candidate.getName().length() > 255) {
- /**
- * When filename is longer then 255 chars, then then various
- * filesytems have issues to save it. By saving the file by its
- * summ, we are trying to prevent collision of two files differs in
- * suffixes (general suffix of name, not only 'filetype suffix')
- * only. It is also preventing bug when truncate (files with 1000
- * chars hash in query) cuts to much.
- */
+ String locationPath = location.getPath().replace('/', File.separatorChar);
+ if (locationPath.contains("..")){
try {
- MessageDigest md = MessageDigest.getInstance("SHA-256");
- byte[] sum = md.digest(candidate.getName().getBytes(StandardCharsets.UTF_8));
- //convert the byte to hex format method 2
- StringBuilder hexString = new StringBuilder();
- for (int i = 0; i < sum.length; i++) {
- hexString.append(Integer.toHexString(0xFF & sum[i]));
- }
- String extension = "";
- int i = candidate.getName().lastIndexOf('.');
- if (i > 0) {
- extension = candidate.getName().substring(i);//contains dot
- }
- if (extension.length() < 10 && extension.length() > 1) {
- hexString.append(extension);
- }
- candidate = new File(candidate.getParentFile(), hexString.toString());
+ /**
+ * if path contains .. then it can harm lcoal system
+ * So without mercy, hash it
+ */
+ String hexed = hex(new File(locationPath).getName(), locationPath);
+ return new File(path.toString(), hexed.toString());
} catch (NoSuchAlgorithmException ex) {
- // should not occure, cite from javadoc:
- // every java iomplementation should support
+ // should not occur, cite from javadoc:
+ // every java implementation should support
// MD5 SHA-1 SHA-256
throw new RuntimeException(ex);
}
- }
- return candidate;
+ } else {
+ path.append(locationPath);
+ if (location.getQuery() != null && !location.getQuery().trim().isEmpty()) {
+ path.append(".").append(location.getQuery());
+ }
+
+ File candidate = new File(FileUtils.sanitizePath(path.toString()));
+ try {
+ if (candidate.getName().length() > 255) {
+ /**
+ * When filename is longer then 255 chars, then then various
+ * filesystems have issues to save it. By saving the file by its
+ * sum, we are trying to prevent collision of two files differs in
+ * suffixes (general suffix of name, not only 'filetype suffix')
+ * only. It is also preventing bug when truncate (files with 1000
+ * chars hash in query) cuts to much.
+ */
+ String hexed = hex(candidate.getName(), candidate.getName());
+ candidate = new File(candidate.getParentFile(), hexed.toString());
+ }
+ } catch (NoSuchAlgorithmException ex) {
+ // should not occur, cite from javadoc:
+ // every java implementation should support
+ // MD5 SHA-1 SHA-256
+ throw new RuntimeException(ex);
+ }
+ return candidate;
+ }
+ }
+
+ private static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
+ MessageDigest md = MessageDigest.getInstance("SHA-256");
+ byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
+ //convert the byte to hex format method 2
+ StringBuilder hexString = new StringBuilder();
+ for (int i = 0; i < sum.length; i++) {
+ hexString.append(Integer.toHexString(0xFF & sum[i]));
+ }
+ String extension = "";
+ int i = origName.lastIndexOf('.');
+ if (i > 0) {
+ extension = origName.substring(i);//contains dot
+ }
+ if (extension.length() < 10 && extension.length() > 1) {
+ hexString.append(extension);
+ }
+ return hexString.toString();
}
/**
diff --git a/netx/net/sourceforge/jnlp/util/FileUtils.java b/netx/net/sourceforge/jnlp/util/FileUtils.java
index 89216375..a5356e08 100644
--- a/netx/net/sourceforge/jnlp/util/FileUtils.java
+++ b/netx/net/sourceforge/jnlp/util/FileUtils.java
@@ -183,6 +183,13 @@
*/
public static void createParentDir(File f, String eMsg) throws IOException {
File parent = f.getParentFile();
+ // warning, linux and windows behave differently. Below snippet will pass on win(security hole), fail on linux
+ // warning mkdir is canonicaling, but exists/isDirectory is not. So where mkdirs return true, and really creates dir, isDirectory can still return false
+ // can be seen on this example
+ // mkdirs /a/b/../c
+ // where b do not exists will lead creation of /a/c
+ // but exists on /a/b/../c is false on linux even afterwards
+ // without hexing of .. paths,
if (!parent.isDirectory() && !parent.mkdirs()) {
throw new IOException(R("RCantCreateDir",
eMsg == null ? parent : eMsg));
diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
index 6422246b..0d2d9811 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
@@ -88,6 +88,53 @@ public class CacheUtilTest {
final File expected = new File("/tmp/https/example.com/5050/applet/e4f3cf11f86f5aa33f424bc3efe3df7a9d20837a6f1a5bbbc60c1f57f3780a4");
Assert.assertEquals(expected, CacheUtil.urlToPath(u, "/tmp"));
}
+
+ @Test
+ public void tesPathUpNoGoBasic() throws Exception {
+ final URL u = new URL("https://example.com/applet/../my.jar");
+ final File expected = new File("/tmp/https/example.com/abca4723622ed60db3dea12cbe2402622a74f7a49b73e23b55988e4eee5ded.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasicLong() throws Exception {
+ final URL u = new URL("https://example.com/applet/../my.jar.q_SlNFU1NJT05JRD02OUY1ODVCNkJBOTM1NThCQjdBMTA5RkQyNDZEQjEwRi5wcm9kX3RwdG9tY2F0MjE1X2p2bTsgRW50cnVzdFRydWVQYXNzUmVkaXJlY3RVcmw9Imh0dHBzOi8vZWZzLnVzcHRvLmdvdi9FRlNXZWJVSVJlZ2lzdGVyZWQvRUZTV2ViUmVnaXN0ZXJlZCI7IFRDUFJPRFBQQUlSc2Vzc2lvbj02MjIxMjk0MTguMjA0ODAuMDAwMA\"");
+ final File expected = new File("/tmp/https/example.com/ec97413e3f6eee8215ecc8375478cc1ae5f44f18241b9375361d5dfcd7b0ec");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasic2() throws Exception {
+ final URL u = new URL("https://example.com/../my.jar");
+ final File expected = new File("/tmp/https/example.com/eb1a56bed34523dbe7ad84d893ebc31a8bbbba9ce3f370e42741b6a5f067c140.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasicEvil() throws Exception {
+ final URL u = new URL("https://example.com/../../my.jar");
+ final File expected = new File("/tmp/https/example.com/db464f11d68af73e37eefaef674517b6be23f0e4a5738aaee774ecf5b58f1bfc.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasicEvil2() throws Exception {
+ final URL u = new URL("https://example.com:99/../../../my.jar");
+ final File expected = new File("/tmp/https/example.com/99/95401524c345e0d554d4d77330e86c98a77b9bb58a0f93094204df446b356.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+ @Test
+ public void tesPathUpNoGoBasicEvilest() throws Exception {
+ final URL u = new URL("https://example2.com/something/../../../../../../../../../../../my.jar");
+ final File expected = new File("/tmp/https/example2.com/a8df64388f5b84d5f635e4d6dea5f4d2f692ae5381f8ec6736825ff8d6ff2c0.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
@Test
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
index 100d9150..7580d23b 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
@@ -43,6 +43,8 @@
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
+import java.net.URL;
+import java.nio.charset.Charset;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;
@@ -55,6 +57,12 @@
import net.sourceforge.jnlp.browsertesting.browsers.firefox.FirefoxProfilesOperator;
import net.sourceforge.jnlp.cache.UpdatePolicy;
import net.sourceforge.jnlp.config.DeploymentConfiguration;
+import net.sourceforge.jnlp.config.PathsAndFiles;
+import net.sourceforge.jnlp.JNLPFile;
+import net.sourceforge.jnlp.ServerAccess;
+import net.sourceforge.jnlp.ServerLauncher;
+import net.sourceforge.jnlp.util.StreamUtils;
+import net.sourceforge.jnlp.cache.CacheUtil;
import net.sourceforge.jnlp.mock.DummyJNLPFileWithJar;
import net.sourceforge.jnlp.security.appletextendedsecurity.AppletSecurityLevel;
import net.sourceforge.jnlp.security.appletextendedsecurity.AppletStartupSecuritySettings;
@@ -65,6 +73,7 @@
import org.junit.BeforeClass;
import org.junit.Test;
+import org.junit.Ignore;
public class JNLPClassLoaderTest extends NoStdOutErrTest {
@@ -138,7 +147,8 @@
File tempDirectory = FileTestUtils.createTempDirectory();
File jarLocation = new File(tempDirectory, "test.jar");
- /* Test with main-class in manifest */ {
+ /* Test with main-class in manifest */
+ {
Manifest manifest = new Manifest();
manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, "DummyClass");
FileTestUtils.createJarWithContents(jarLocation, manifest);
@@ -156,8 +166,10 @@
}
@Test
+ @Ignore
public void getMainClassNameTestEmpty() throws Exception {
- /* Test with-out any main-class specified */ {
+ /* Test with-out any main-class specified */
+ {
File tempDirectory = FileTestUtils.createTempDirectory();
File jarLocation = new File(tempDirectory, "test.jar");
FileTestUtils.createJarWithContents(jarLocation /* No contents */);
@@ -363,4 +375,57 @@
}
}
+
+ @Test
+ public void testRelativePathInUrl() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ dir = new File(dir,"base");
+ dir.mkdir();
+ File jar = new File(dir,"j1.jar");
+ File jnlp = new File(dir+"/a/b/up.jnlp");
+ jnlp.getParentFile().mkdirs();
+ InputStream is = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/up.jnlp");
+ String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8");
+ is.close();
+ jnlpString = jnlpString.replaceAll("8080", ""+port);
+ is = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar");
+ StreamUtils.copyStream(is, new FileOutputStream(jar));
+ Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8"));
+ ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ try {
+ final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
+ final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) {
+ @Override
+ protected void activateJars(List<JARDesc> jars) {
+ super.activateJars(jars);
+ }
+
+ };
+ InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
+ is1.close();
+ is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
+ is1.close();
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/up.jnlp").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/f812acb32c857fd916c842e2bf4fb32b9c3837ef63922b167a7e163305058b7.jar").exists());
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ as.stop();
+ }
+
+ }
+
}
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp
new file mode 100644
index 00000000..b22fdfb7
--- /dev/null
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<jnlp spec="6.0+" codebase=".">
+
+<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
+
+
+<resources>
+ <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
+<!-- absolute url is a must -->
+ <jar href="http://localhost:8080/../../../base/j1.jar" version="2.0"/>
+</resources>
+
+<application-desc main-class="Hello1" />
+
+</jnlp>

78
SOURCES/issue2.patch Normal file
View File

@ -0,0 +1,78 @@
commit 09bcd3ebb639af6cfd83ff2203ffeb80a59cc0eb
Author: Jiri Vanek <jvanek@redhat.com>
Date: Fri Jun 28 16:05:35 2019 +0200
All files, except signaturre files, are now checked for signatures
diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
index 759bedfb..cabfb3c5 100644
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
@@ -41,6 +41,7 @@
import java.util.Map;
import java.util.Vector;
import java.util.jar.JarEntry;
+import java.util.regex.Pattern;
import net.sourceforge.jnlp.JARDesc;
import net.sourceforge.jnlp.JNLPFile;
@@ -67,6 +68,7 @@
public class JarCertVerifier implements CertVerifier {
private static final String META_INF = "META-INF/";
+ private static final Pattern SIG = Pattern.compile(".*" + META_INF + "SIG-.*");
// prefix for new signature-related files in META-INF directory
private static final String SIG_PREFIX = META_INF + "SIG-";
@@ -500,12 +502,20 @@
/**
* Returns whether a file is in META-INF, and thus does not require signing.
- *
+ * <p>
* Signature-related files under META-INF include: . META-INF/MANIFEST.MF . META-INF/SIG-* . META-INF/*.SF . META-INF/*.DSA . META-INF/*.RSA
*/
static boolean isMetaInfFile(String name) {
- String ucName = name.toUpperCase();
- return ucName.startsWith(META_INF);
+ if (name.endsWith("class")) {
+ return false;
+ }
+ return name.startsWith(META_INF) && (
+ name.endsWith(".MF") ||
+ name.endsWith(".SF") ||
+ name.endsWith(".DSA") ||
+ name.endsWith(".RSA") ||
+ SIG.matcher(name).matches()
+ );
}
/**
diff --git a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
index 4661fb87..44253e08 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
@@ -58,9 +58,22 @@ public class JarCertVerifierTest {
@Test
public void testIsMetaInfFile() {
final String METAINF = "META-INF";
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah"));
+
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah.class"));
+
assertFalse(JarCertVerifier.isMetaInfFile("some_dir/" + METAINF + "/filename"));
assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "filename"));
- assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
}
class JarCertVerifierEntry extends JarEntry {

5709
SOURCES/issue3-bin.patch Normal file
View File

File diff suppressed because it is too large Load Diff

160
SOURCES/issue3.patch Normal file
View File

@ -0,0 +1,160 @@
commit b4232ae35d2b86592a945a56c948f107fe7efabe
Author: Jiri Vanek <jvanek@redhat.com>
Date: Wed Jun 26 13:46:45 2019 +0200
Nested jar, if by relative path point up, is stored as hashed
diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
index a972eb8e..5c8652b6 100644
--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
@@ -741,7 +741,7 @@
}
}
- private static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
+ public static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
//convert the byte to hex format method 2
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
index e015f348..117163f3 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
@@ -1340,7 +1340,11 @@
// (inline loading with "jar:..!/..." path will not work
// with standard classloader methods)
- String extractedJarLocation = localFile + ".nested/" + je.getName();
+ String name = je.getName();
+ if (name.contains("..")){
+ name=CacheUtil.hex(name, name);
+ }
+ String extractedJarLocation = localFile + ".nested/" + name;
File parentDir = new File(extractedJarLocation).getParentFile();
if (!parentDir.isDirectory() && !parentDir.mkdirs()) {
throw new RuntimeException(R("RNestedJarExtration"));
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
index 7580d23b..a20a1d8f 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
@@ -43,6 +43,8 @@
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
+import java.io.OutputStream;
+import net.sourceforge.jnlp.ResourcesDesc;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
@@ -407,13 +409,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setDebug(true);
try {
final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
- final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) {
- @Override
- protected void activateJars(List<JARDesc> jars) {
- super.activateJars(jars);
- }
-
- };
+ final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
is1.close();
is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
@@ -430,4 +426,74 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
}
+ @Test
+ public void testRelativePathInNestedJars() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ File jar = new File(dir,"jar03_dotdotN1.jar");
+ File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp");
+ InputStream is1 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp");
+ InputStream is2 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar");
+ OutputStream fos1 = new FileOutputStream(jnlp);
+ OutputStream fos2 = new FileOutputStream(jar);
+ StreamUtils.copyStream(is1, fos1);
+ StreamUtils.copyStream(is2, fos2);
+ fos1.flush();;
+ fos2.flush();
+ fos1.close();
+ fos2.close();
+ ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ try {
+ //it is invalid jar, so we have to disable checks first
+ final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
+ final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false);
+
+ //ThreadGroup group = Thread.currentThread().getThreadGroup();
+ //ApplicationInstance app = new ApplicationInstance(jnlpFile, group, classLoader);
+ //classLoader.setApplication(app);
+ //app.initialize();
+
+ //this test is actually not testing mutch. The app must be accessing the nested jar in plugin-like way
+ InputStream is = classLoader.getResourceAsStream("application/abev/nyomtatvanyinfo/1965.teminfo.enyk");
+ is.close();
+ is = classLoader.getResourceAsStream("META-INF/MANIFEST.MF");
+ is.close();
+ is = classLoader.getResourceAsStream("META-INF/j1.jar");
+ is.close();
+ is = classLoader.getResourceAsStream("META-INF/../../jar01_to_be_injected.jar");
+ //the .. is not recognized correctly
+ //is.close();
+ //Class c = classLoader.getClass().forName("Hello1");
+ // in j1.jar
+ is = classLoader.getResourceAsStream("Hello1.class");
+ //is.close(); nested jar is not on defualt CP
+ //in jar01
+ //c = classLoader.getClass().forName("com.devdaily.FileUtilities");
+ is = classLoader.getResourceAsStream("com/devdaily/FileUtilities.class");
+ // is.close(); nested jar is not on defualt CP
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/jar_03_dotdot_jarN1.jnlp").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/99a90686bfbe84e3f9dbeed8127bba85672ed73688d3c69191aa1ee70916a.jar").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/META-INF/j1.jar").exists());
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ as.stop();
+ }
+
+ }
+
+
}
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp
new file mode 100644
index 00000000..71bdea87
--- /dev/null
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<jnlp spec="6.0+" >
+
+<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
+
+<security><all-permissions/></security>
+
+<resources>
+ <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
+ <jar href="jar03_dotdotN1.jar" version="2.0"/>
+</resources>
+
+<application-desc main-class="http://localhost/jar01.jar!META-INF/jar01_to_be_injected.jar!METAxINF.Test" />
+
+</jnlp>

210
SOURCES/testTuning.patch Normal file
View File

@ -0,0 +1,210 @@
diff --git a/ChangeLog b/ChangeLog
index 0c63dd98..d8e560e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,29 @@
+2019-06-26 Jiri Vanek <jvanek@redhat.com>
+
+ All files, except signaturre files, are now checked for signatures - CVE-2019-10181
+ * b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not
+ checked for signature. Now only signature files are skipped
+ * tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from
+ signature check
+
+2019-06-26 Jiri Vanek <jvanek@redhat.com>
+
+ Nested jar, if by relative path point up, is stored as hashed - CVE-2019-10185
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar: crafted jar with hacked zip entries to be named like ".."
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp: jnlp to call jar03_dotdotN1.jar
+ * netx/net/sourceforge/jnlp/cache/CacheUtil.jsava: (hex) made public to be reused in JNLPClassLoader
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: if nested jar contains .. in path, is extracted as hashed
+
+2019-06-26 Jiri Vanek <jvanek@redhat.com>
+
+ Fixed bug when relative path (..) could leak up (even out of cache) - CVE-2019-10182
+ * netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash
+ * netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux
+ * tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: added test for .. in path. Added test
+ that verifies encoded .. (%2E%2E) do not leak from cahce
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with .. full url
+
2018-05-14 Jiri Vanek <jvanek@redhat.com>
* netx/net/sourceforge/jnlp/runtime/AppletEnvironment.java: getDocumentBase now returns codeBase as fallback when
diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
index 6b0cd256..5dbf2d69 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
@@ -135,6 +135,14 @@ public class CacheUtilTest {
File r = CacheUtil.urlToPath(u, "/tmp/");
Assert.assertEquals(expected, r);
}
+
+ @Test
+ public void testQueryGotHAshedToo() throws Exception {
+ final URL u = new URL("https://example2.com/something/my.jar?../../harm");
+ final File expected = new File("/tmp/https/example2.com/2844b3c690ea355159ed61de6e727f2e9169ab55bf58b8fa3f4b64f6a25bd7.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
@Test
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
index 2b28fb93..d86786ab 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
@@ -405,6 +405,8 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(true);
JNLPRuntime.setSecurityEnabled(false);
JNLPRuntime.setDebug(true);
+ String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE");
try {
final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
@@ -419,6 +421,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(trustBackup);
JNLPRuntime.setSecurityEnabled(securityBAckup);
JNLPRuntime.setDebug(verbose);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup);
as.stop();
}
@@ -451,6 +454,11 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(true);
JNLPRuntime.setSecurityEnabled(false);
JNLPRuntime.setDebug(true);
+ //fix of "All files, except signaturre files, are now checked for signatures" make this actually correctly failing ahead of time
+ String ignoreBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, "true");
+ String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE");
try {
//it is invalid jar, so we have to disable checks first
final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
@@ -488,10 +496,102 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(trustBackup);
JNLPRuntime.setSecurityEnabled(securityBAckup);
JNLPRuntime.setDebug(verbose);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, ignoreBackup);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup);
as.stop();
}
}
+ @Test(expected = Exception.class)
+ public void testDifferentSignatureInManifestMf() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ File jar = new File(dir,"jar03_dotdotN1.jar");
+ File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp");
+ InputStream is1 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp");
+ InputStream is2 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar");
+ OutputStream fos1 = new FileOutputStream(jnlp);
+ OutputStream fos2 = new FileOutputStream(jar);
+ StreamUtils.copyStream(is1, fos1);
+ StreamUtils.copyStream(is2, fos2);
+ fos1.flush();;
+ fos2.flush();
+ fos1.close();
+ fos2.close();
+ ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ String ignoreBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, "false");
+ try {
+ //it is invalid jar, so we have to disable checks first
+ final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
+ final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false);
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, ignoreBackup);
+ as.stop();
+ }
+
+ }
+
+ @Test
+ public void testEncodedPathIsNotDecodedForCache() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ dir = new File(dir,"base");
+ dir.mkdir();
+ File jar = new File(dir,"j1.jar");
+ File jnlp = new File(dir+"/a/b/upEncoded.jnlp");
+ jnlp.getParentFile().mkdirs();
+ InputStream is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/upEncoded.jnlp");
+ String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8");
+ is.close();
+ jnlpString = jnlpString.replaceAll("8080", ""+port);
+ is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar");
+ StreamUtils.copyStream(is, new FileOutputStream(jar));
+ Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8"));
+ ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ try {
+ final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/upEncoded.jnlp"));
+ final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
+ InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
+ is1.close();
+ is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
+ is1.close();
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/upEncoded.jnlp").exists());
+ //be aware; if decoding ever come in play here, thios will leak out of cache folder. Thus harm user system. See fix for " Fixed bug when relative path (..) could leak up (even out of cache)"
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/%2E%2E/%2E%2E/%2E%2E/base").exists());
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ as.stop();
+ }
+
+ }
}
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp
new file mode 100644
index 00000000..f0658bbc
--- /dev/null
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<jnlp spec="6.0+" codebase=".">
+
+ <information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
+
+
+ <resources>
+ <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
+ <!-- absolute url is a must -->
+ <jar href="http://localhost:8080/%2E%2E/%2E%2E/%2E%2E/base/j1.jar" version="2.0"/>
+ </resources>
+
+ <application-desc main-class="Hello1" />
+
+</jnlp>

47
SPECS/icedtea-web.spec
View File

@ -17,7 +17,7 @@
Name: icedtea-web
Version: 1.7.1
Release: 9%{?dist}
Release: 17%{?dist}
Summary: Additional Java components for OpenJDK - Java browser plug-in and Web Start implementation
# will become arched again with rust on board
BuildArch: noarch
@ -26,9 +26,16 @@ Group: Applications/Internet
License: LGPLv2+ and GPLv2 with exceptions
URL: http://icedtea.classpath.org/wiki/IcedTea-Web
Source0: http://icedtea.classpath.org/download/source/%{name}-%{version}.tar.gz
Patch0: 1473-1480.patch
Patch2: oracleForms.patch
Patch3: headlessCheckSoftening_rhbz1581598.patch
Patch9: 1473-1480.patch
Patch8: oracleForms.patch
Patch7: headlessCheckSoftening_rhbz1581598.patch
Patch1: issue1.patch
Patch2: issue2.patch
Patch3: issue3.patch
Patch4: PreventiveleQueue.patch
Patch11: issue1-bin.patch
Patch33: issue3-bin.patch
Patch5: testTuning.patch
BuildRequires: javapackages-tools
#for deprecated add_maven_depmap, see https://www.spinics.net/lists/fedora-devel/msg233211.html
@ -45,6 +52,8 @@ BuildRequires: hamcrest
BuildRequires: libappstream-glib
# new in 1.5 to have clean up for malformed XMLs
BuildRequires: tagsoup
# to apply binary tests for CVEs
BuildRequires: git
# For functionality and the OpenJDK dirs
Requires: %{preffered_java}
@ -105,9 +114,22 @@ This package contains ziped sources of the IcedTea-Web project.
%prep
%setup -q
%patch0 -p1
%patch9 -p1
%patch8 -p1
%patch7 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
if [ -e ../.git ] ; then
mv ../.git ../ggit
fi
git apply --no-index --binary -v %{PATCH11}
git apply --no-index --binary -v %{PATCH33}
if [ -e ../ggit ] ; then
mv ../ggit ../.git
fi
%build
autoreconf -vfi
@ -225,6 +247,21 @@ exit 0
%license COPYING
%changelog
* Thu Jul 18 2019 Jiri Vanek <jvanek@redhat.com> 1.7.1-16
- Added Patch5, testTuning.patch to make tests pass inclean envirnment
- Resolves: rhbz#1724958
* Thu Jul 18 2019 Jiri Vanek <jvanek@redhat.com> 1.7.1-16
- added patch1, patch4 and patch11 to fix CVE-2019-10182
- added patch2 to fix CVE-2019-10181
- added patch3 and patch33 to fix CVE-2019-10185
- Resolves: rhbz#1724958
- Resolves: rhbz#1725928
- Resolves: rhbz#1724989
* Fri Mar 22 2019 - Jiri Vanek <jvanek@redhat.com> -1.7.1-10
- added gating
* Mon Jul 16 2018 - Jiri Vanek <jvanek@redhat.com> -1.7.1-8
- removed rhino