diff --git a/SOURCES/altjava.patch b/SOURCES/altjava.patch new file mode 100644 index 0000000..32fc3bf --- /dev/null +++ b/SOURCES/altjava.patch @@ -0,0 +1,49 @@ +--- icedtea-web-1.7.1/launcher/launchers.in ++++ icedtea-web-1.7.1/launcher/launchers.in +@@ -70,6 +70,12 @@ + shift + done + ++java_dir="`dirname ${JAVA}`" ++alt_java="alt-java" ++if [ -e "$java_dir/$alt_java" ] ; then ++ JAVA="`dirname ${JAVA}`/$alt_java" ++fi ++ + k=0 + COMMAND[k]="${JAVA}" + k=$((k+1)) +--- icedtea-web-1.7.1/plugin/icedteanp/IcedTeaNPPlugin.cc ++++ icedtea-web-1.7.1/plugin/icedteanp/IcedTeaNPPlugin.cc +@@ -139,7 +139,8 @@ + static DIR *data_directory_descriptor; + + // Fully-qualified appletviewer default executable and rt.jar +-static const char* appletviewer_default_executable = ICEDTEA_WEB_JRE "/bin/java"; ++static const char* appletviewer_default_executable_main = ICEDTEA_WEB_JRE "/bin/java"; ++static const char* appletviewer_default_executable_alt = ICEDTEA_WEB_JRE "/bin/alt-java"; + static const char* appletviewer_default_rtjar = ICEDTEA_WEB_JRE "/lib/rt.jar"; + static const char* appletviewer_default_jfxrtjar = ICEDTEA_WEB_JRE "/lib/jfxrt.jar"; + static const char* appletviewer_default_nashonrjar = ICEDTEA_WEB_JRE "/lib/ext/nashorn.jar"; +@@ -285,13 +286,18 @@ + std::string custom_jre; + bool custom_jre_defined = find_custom_jre(custom_jre); + if (custom_jre_defined) { +- if (IcedTeaPluginUtilities::file_exists(custom_jre+"/bin/java")){ ++ if (IcedTeaPluginUtilities::file_exists(custom_jre+"/bin/alt-java")){ ++ return custom_jre+"/bin/alt-java"; ++ } else if (IcedTeaPluginUtilities::file_exists(custom_jre+"/bin/java")){ + return custom_jre+"/bin/java"; + } else { + PLUGIN_ERROR("Your custom jre (/bin/java check) %s is not valid. Please fix %s in your %s. In attempt to run using default one. \n", custom_jre.c_str(), custom_jre_key.c_str(), default_file_ITW_deploy_props_name.c_str()); + } + } +- return appletviewer_default_executable; ++ if (IcedTeaPluginUtilities::file_exists(appletviewer_default_executable_alt)){ ++ return appletviewer_default_executable_alt; ++ } ++ return appletviewer_default_executable_main; + } + + static std::string get_plugin_rt_jar(){ + diff --git a/SOURCES/testTuning.patch b/SOURCES/testTuning.patch new file mode 100644 index 0000000..eec6d83 --- /dev/null +++ b/SOURCES/testTuning.patch @@ -0,0 +1,210 @@ +diff --git a/ChangeLog b/ChangeLog +index 0c63dd98..d8e560e0 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,29 @@ ++2019-06-26 Jiri Vanek ++ ++ All files, except signaturre files, are now checked for signatures - CVE-2019-10181 ++ * b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not ++ checked for signature. Now only signature files are skipped ++ * tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from ++ signature check ++ ++2019-06-26 Jiri Vanek ++ ++ Nested jar, if by relative path point up, is stored as hashed - CVE-2019-10185 ++ * tests/netx/unit/net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar: crafted jar with hacked zip entries to be named like ".." ++ * tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp: jnlp to call jar03_dotdotN1.jar ++ * netx/net/sourceforge/jnlp/cache/CacheUtil.jsava: (hex) made public to be reused in JNLPClassLoader ++ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: if nested jar contains .. in path, is extracted as hashed ++ ++2019-06-26 Jiri Vanek ++ ++ Fixed bug when relative path (..) could leak up (even out of cache) - CVE-2019-10182 ++ * netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash ++ * netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux ++ * tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing ++ * tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: added test for .. in path. Added test ++ that verifies encoded .. (%2E%2E) do not leak from cahce ++ * tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with .. full url ++ + 2017-12-15 Jiri Vanek + + Pre-release tuning +diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java +index 6b0cd256..5dbf2d69 100644 +--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java ++++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java +@@ -135,6 +135,14 @@ public class CacheUtilTest { + File r = CacheUtil.urlToPath(u, "/tmp/"); + Assert.assertEquals(expected, r); + } ++ ++ @Test ++ public void testQueryGotHAshedToo() throws Exception { ++ final URL u = new URL("https://example2.com/something/my.jar?../../harm"); ++ final File expected = new File("/tmp/https/example2.com/2844b3c690ea355159ed61de6e727f2e9169ab55bf58b8fa3f4b64f6a25bd7.jar"); ++ File r = CacheUtil.urlToPath(u, "/tmp/"); ++ Assert.assertEquals(expected, r); ++ } + + + @Test +diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java +index 2b28fb93..d86786ab 100644 +--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java ++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java +@@ -405,6 +405,8 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest { + JNLPRuntime.setTrustAll(true); + JNLPRuntime.setSecurityEnabled(false); + JNLPRuntime.setDebug(true); ++ String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK); ++ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE"); + try { + final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp")); + final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false); +@@ -419,6 +421,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest { + JNLPRuntime.setTrustAll(trustBackup); + JNLPRuntime.setSecurityEnabled(securityBAckup); + JNLPRuntime.setDebug(verbose); ++ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup); + as.stop(); + } + +@@ -451,6 +454,11 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest { + JNLPRuntime.setTrustAll(true); + JNLPRuntime.setSecurityEnabled(false); + JNLPRuntime.setDebug(true); ++ //fix of "All files, except signaturre files, are now checked for signatures" make this actually correctly failing ahead of time ++ ++ ++ String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK); ++ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE"); + try { + //it is invalid jar, so we have to disable checks first + final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp")); +@@ -488,10 +496,102 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest { + JNLPRuntime.setTrustAll(trustBackup); + JNLPRuntime.setSecurityEnabled(securityBAckup); + JNLPRuntime.setDebug(verbose); ++ ++ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup); + as.stop(); + } + + } + ++ @Test(expected = Exception.class) ++ public void testDifferentSignatureInManifestMf() throws Exception { ++ CacheUtil.clearCache(); ++ int port = ServerAccess.findFreePort(); ++ File dir = FileTestUtils.createTempDirectory(); ++ dir.deleteOnExit(); ++ File jar = new File(dir,"jar03_dotdotN1.jar"); ++ File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp"); ++ InputStream is1 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp"); ++ InputStream is2 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar"); ++ OutputStream fos1 = new FileOutputStream(jnlp); ++ OutputStream fos2 = new FileOutputStream(jar); ++ StreamUtils.copyStream(is1, fos1); ++ StreamUtils.copyStream(is2, fos2); ++ fos1.flush();; ++ fos2.flush(); ++ fos1.close(); ++ fos2.close(); ++ ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port); ++ boolean verifyBackup = JNLPRuntime.isVerifying(); ++ boolean trustBackup= JNLPRuntime.isTrustAll(); ++ boolean securityBAckup= JNLPRuntime.isSecurityEnabled(); ++ boolean verbose= JNLPRuntime.isDebug(); ++ JNLPRuntime.setVerify(false); ++ JNLPRuntime.setTrustAll(true); ++ JNLPRuntime.setSecurityEnabled(false); ++ JNLPRuntime.setDebug(true); ++ ++ ++ try { ++ //it is invalid jar, so we have to disable checks first ++ final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp")); ++ final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false); ++ } finally { ++ JNLPRuntime.setVerify(verifyBackup); ++ JNLPRuntime.setTrustAll(trustBackup); ++ JNLPRuntime.setSecurityEnabled(securityBAckup); ++ JNLPRuntime.setDebug(verbose); ++ ++ as.stop(); ++ } ++ ++ } ++ ++ @Test ++ public void testEncodedPathIsNotDecodedForCache() throws Exception { ++ CacheUtil.clearCache(); ++ int port = ServerAccess.findFreePort(); ++ File dir = FileTestUtils.createTempDirectory(); ++ dir.deleteOnExit(); ++ dir = new File(dir,"base"); ++ dir.mkdir(); ++ File jar = new File(dir,"j1.jar"); ++ File jnlp = new File(dir+"/a/b/upEncoded.jnlp"); ++ jnlp.getParentFile().mkdirs(); ++ InputStream is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/upEncoded.jnlp"); ++ String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8"); ++ is.close(); ++ jnlpString = jnlpString.replaceAll("8080", ""+port); ++ is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar"); ++ StreamUtils.copyStream(is, new FileOutputStream(jar)); ++ Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8")); ++ ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port); ++ boolean verifyBackup = JNLPRuntime.isVerifying(); ++ boolean trustBackup= JNLPRuntime.isTrustAll(); ++ boolean securityBAckup= JNLPRuntime.isSecurityEnabled(); ++ boolean verbose= JNLPRuntime.isDebug(); ++ JNLPRuntime.setVerify(false); ++ JNLPRuntime.setTrustAll(true); ++ JNLPRuntime.setSecurityEnabled(false); ++ JNLPRuntime.setDebug(true); ++ try { ++ final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/upEncoded.jnlp")); ++ final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false); ++ InputStream is1 = classLoader1.getResourceAsStream("Hello1.class"); ++ is1.close(); ++ is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF"); ++ is1.close(); ++ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/upEncoded.jnlp").exists()); ++ //be aware; if decoding ever come in play here, thios will leak out of cache folder. Thus harm user system. See fix for " Fixed bug when relative path (..) could leak up (even out of cache)" ++ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/%2E%2E/%2E%2E/%2E%2E/base").exists()); ++ } finally { ++ JNLPRuntime.setVerify(verifyBackup); ++ JNLPRuntime.setTrustAll(trustBackup); ++ JNLPRuntime.setSecurityEnabled(securityBAckup); ++ JNLPRuntime.setDebug(verbose); ++ as.stop(); ++ } ++ ++ } + + } +diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp +new file mode 100644 +index 00000000..f0658bbc +--- /dev/null ++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp +@@ -0,0 +1,15 @@ ++ ++ ++ ++ 1965Nemzeti Ado- es Vamhivatal ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ diff --git a/SPECS/icedtea-web.spec b/SPECS/icedtea-web.spec index 9a31dfc..1d0098b 100644 --- a/SPECS/icedtea-web.spec +++ b/SPECS/icedtea-web.spec @@ -18,7 +18,7 @@ Name: icedtea-web Version: 1.7.1 -Release: 2%{?dist} +Release: 4%{?dist} Summary: Additional Java components for OpenJDK - Java browser plug-in and Web Start implementation Group: Applications/Internet @@ -32,6 +32,8 @@ Patch3: issue3.patch Patch4: PreventiveleQueue.patch Patch11: issue1-bin.patch Patch33: issue3-bin.patch +Patch5: testTuning.patch +Patch6: altjava.patch BuildRequires: jpackage-utils BuildRequires: %{preffered_java}-devel @@ -118,6 +120,8 @@ This package contains ziped sources of the IcedTea-Web project. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 if [ -e ../.git ] ; then mv ../.git ../ggit fi @@ -257,7 +261,15 @@ exit 0 %license COPYING %changelog -* Thu Jul 18 2019 Jiri Vanek 1.7.2-16 +* Thu Nov 26 2020 Jiri Vanek 1.7.1-4 +- Added Patch6, altjava.patch to make usage of alt-java prefferd over java +- Resolves: rhbz#1901639 + +* Thu Jul 18 2019 Jiri Vanek 1.7.1-3 +- Added Patch5, testTuning.patch to make tests pass inclean envirnment +- Resolves: rhbz#1724958 + +* Thu Jul 18 2019 Jiri Vanek 1.7.1-2 - added patch1, patch4 and patch11 to fix CVE-2019-10182 - added patch2 to fix CVE-2019-10181 - added patch3 and patch33 to fix CVE-2019-10185