Red Hat Bugzilla – Attachment 659469 Details for
Bug 884705
CVE-2013-1927 icedtea-web: GIFAR issue
[patch]
proposed patch
headerPositionVErification.patch (text/plain), 14.78 KB, created by
jiri vanek
on 2012-12-07 15:38:59 UTC
Description:
proposed patch
Filename:
MIME Type:
Creator:
jiri vanek
Created:
2012-12-07 15:38:59 UTC
Size:
14.78 KB
patch
obsolete
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/Launcher.java
>--- a/netx/net/sourceforge/jnlp/Launcher.java Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/Launcher.java Fri Dec 07 16:09:50 2012 +0100
>@@ -30,7 +30,7 @@
> import java.util.LinkedList;
> import java.util.List;
> import java.util.Map;
>-import java.util.jar.JarFile;
>+import net.sourceforge.jnlp.util.JarFile;
>
> import net.sourceforge.jnlp.cache.CacheUtil;
> import net.sourceforge.jnlp.cache.UpdatePolicy;
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/resources/Messages.properties
>--- a/netx/net/sourceforge/jnlp/resources/Messages.properties Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Fri Dec 07 16:09:50 2012 +0100
>@@ -96,7 +96,7 @@
> LNotVerified=Jars not verified.
> LCancelOnUserRequest=Canceled on user request.
> LFatalVerification=A fatal error occurred while trying to verify jars.
>-LFatalVerificationInfo=
>+LFatalVerificationInfo=Description
>
> LNotVerifiedDialog=Not all jars could be verified.
> LAskToContinue=Would you still like to continue running this application?
>@@ -188,6 +188,7 @@
> BOViewer = Shows the trusted certificate viewer.
> BXnofork = Do not create another JVM.
> BXclearcache= Clean the JNLP application cache.
>+BXignoreheaders= Will skip jar header verification.
> BOHelp = Print this message and exit.
>
> # Cache
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/resources/Messages_cs_CZ.properties
>--- a/netx/net/sourceforge/jnlp/resources/Messages_cs_CZ.properties Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/resources/Messages_cs_CZ.properties Fri Dec 07 16:09:50 2012 +0100
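Review bot: The help text added for `BXignoreheaders` only says that header verification is skipped; it does not tell the user that the switch turns off the safeguard this bug (the GIFAR issue) introduces, so someone troubleshooting a slightly broken jar can enable it without understanding the exposure. Suggest `BXignoreheaders= Skip jar header verification (UNSAFE: disables the check that rejects GIFAR-style polyglot files; for debugging only).`, with the Czech string in the next file updated to match. In the first hunk, `LFatalVerificationInfo=Description` is concatenated with `": " + e.getMessage()` in the JNLPClassLoader part of this patch, so the dialog will read `Description: <message>`; a label such as `Error details` reads more naturally there.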
>@@ -94,7 +94,7 @@
> LNotVerified=Soubory JAR nebyly ov\u011b\u0159eny.
> LCancelOnUserRequest=Zru\u0161eno u\u017eivatelem.
> LFatalVerification=P\u0159i ov\u011b\u0159ov\u00e1n\u00ed soubor\u016f JAR do\u0161lo k z\u00e1va\u017en\u00e9 chyb\u011b.
>-LFatalVerificationInfo=
>+LFatalVerificationInfo=Popis
>
> LNotVerifiedDialog=Nemohly b\u00fdt ov\u011b\u0159eny v\u0161echny soubory JAR.
> LAskToContinue=Chcete p\u0159esto pokra\u010dovat ve spou\u0161t\u011bn\u00ed t\u00e9to aplikace?
>@@ -186,6 +186,7 @@
> BOViewer= Zobraz\u00ed prohl\u00ed\u017ee\u010d d\u016fv\u011bryhodn\u00fdch certifik\u00e1t\u016f.
> BXnofork= Zak\u00e1\u017ee vytv\u00e1\u0159en\u00ed jin\u00fdch prost\u0159ed\u00ed JVM.
> BXclearcache= Vy\u010dist\u00ed vyrovn\u00e1vac\u00ed pam\u011b\u0165 aplikace JNLP.
>+BXignoreheaders= Nebude prov\u00e1d\u011bt verifikaci hlavi\u010dek soubor\u016f jar.
> BOHelp= Vyp\u00ed\u0161e zadanou zpr\u00e1vu do konzole a ukon\u010d\u00ed aplikaci.
>
> # Cache
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/runtime/Boot.java
>--- a/netx/net/sourceforge/jnlp/runtime/Boot.java Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Fri Dec 07 16:09:50 2012 +0100
>@@ -102,6 +102,7 @@
> + " -strict " + R("BOStrict") + "\n"
> + " -Xnofork " + R("BXnofork") + "\n"
> + " -Xclearcache " + R("BXclearcache") + "\n"
>+ + " -Xignoreheaders " + R("BXignoreheaders") + "\n"
> + " -help " + R("BOHelp") + "\n";
>
> private static final String doubleArgs = "-basedir -jnlp -arg -param -property -update";
>@@ -159,6 +160,9 @@
> if (null != getOption("-Xtrustall")) {
> JNLPRuntime.setTrustAll(true);
> }
>+ if (null != getOption("-Xignoreheaders")) {
>+ JNLPRuntime.setIgnoreHeaders(true);
>+ }
>
> JNLPRuntime.setInitialArgments(Arrays.asList(argsIn));
>
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java
>--- a/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java Thu Dec 06 10:04:06 2012 -0500
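Review bot: In the option-parsing hunk of Boot.java, `-Xignoreheaders` is accepted silently: once `JNLPRuntime.setIgnoreHeaders(true)` has run there is no trace in the session that the jar header check is disabled, which matters because this flag removes the safeguard the rest of the patch adds for the GIFAR issue. A one-line notice after the setter, e.g. `System.err.println("WARNING: -Xignoreheaders disables jar header verification");` (or the equivalent through whatever logging facility Boot already uses, which is not visible here), would make that state visible in bug reports and console output. A brief comment on the `if` stating that this is a security-relevant bypass intended for malformed-but-trusted jars would also help. The enclosing method begins and ends outside the hunk.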
>+++ b/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java Fri Dec 07 16:09:50 2012 +0100
>@@ -49,7 +49,7 @@
> import java.security.PrivilegedExceptionAction;
> import java.util.Map;
> import java.util.concurrent.ConcurrentHashMap;
>-import java.util.jar.JarFile;
>+import net.sourceforge.jnlp.util.JarFile;
>
> import net.sourceforge.jnlp.util.UrlUtils;
>
>@@ -81,7 +81,7 @@
> }
>
> @Override
>- public JarFile retrieve(URL url) throws IOException {
>+ public java.util.jar.JarFile retrieve(URL url) throws IOException {
> URL localUrl = mapping.get(url);
>
> if (localUrl == null) {
>@@ -122,8 +122,8 @@
> /*
> * This method is a copy of URLJarFile.retrieve() without the callback check.
> */
>- private JarFile cacheJarFile(URL url) throws IOException {
>- JarFile result = null;
>+ private java.util.jar.JarFile cacheJarFile(URL url) throws IOException {
>+ java.util.jar.JarFile result = null;
>
> final int BUF_SIZE = 2048;
>
>@@ -132,9 +132,9 @@
>
> try {
> result =
>- AccessController.doPrivileged(new PrivilegedExceptionAction<JarFile>() {
>+ AccessController.doPrivileged(new PrivilegedExceptionAction<java.util.jar.JarFile>() {
> @Override
>- public JarFile run() throws IOException {
>+ public java.util.jar.JarFile run() throws IOException {
> OutputStream out = null;
> File tmpFile = null;
> try {
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Dec 07 16:09:50 2012 +0100
>@@ -56,7 +56,7 @@
> import java.util.Vector;
> import java.util.concurrent.ConcurrentHashMap;
> import java.util.jar.JarEntry;
>-import java.util.jar.JarFile;
>+import net.sourceforge.jnlp.util.JarFile;
> import java.util.jar.Manifest;
>
> import net.sourceforge.jnlp.AppletDesc;
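Review bot: With the import switched to `net.sourceforge.jnlp.util.JarFile`, any `new JarFile(...)` in this file (not visible in the hunk, presumably inside `cacheJarFile`'s `run()`) now executes `verifyZipHeader`, which throws `InvalidJarHeaderException`, declared elsewhere in this patch as a `RuntimeException`. The `PrivilegedExceptionAction.run()` shown here declares only `IOException`, and an unchecked exception raised inside `doPrivileged` is not wrapped in `PrivilegedActionException`, so it will bypass whatever `catch (PrivilegedActionException ...)` follows this hunk and escape `retrieve` raw. Either catch it inside `run()` and rethrow it as an `IOException` (`catch (InvalidJarHeaderException e) { throw new java.util.zip.ZipException(e.getMessage()); }`), or make the exception type itself a checked `IOException` subclass so the existing error paths handle it. The bodies of `retrieve` and `cacheJarFile` continue outside the hunk.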
>@@ -160,7 +160,7 @@
> /** all jars not yet part of classloader or active */
> private List<JARDesc> available = new ArrayList<JARDesc>();
>
>- /** the jar cert verifier tool to verify our jars */
>+ /** the jar cert verifier tool to verifyZipHeader our jars */
> private final JarCertVerifier jcv;
>
> private boolean signing = false;
>@@ -295,7 +295,7 @@
> /**
> * When we're trying to load an applet, file.getSecurity() will return
> * null since there is no jnlp file to specify permissions. We
>- * determine security settings here, after trying to verify jars.
>+ * determine security settings here, after trying to verifyZipHeader jars.
> */
> if (file instanceof PluginBridge) {
> if (signing == true) {
>@@ -627,7 +627,7 @@
> //to read the cacerts or trusted.certs files.
> e.printStackTrace();
> throw new LaunchException(null, null, R("LSFatal"),
>- R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo"));
>+ R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo") + ": " +e.getMessage());
> }
>
> //Case when at least one jar has some signing
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
>--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Fri Dec 07 16:09:50 2012 +0100
>@@ -87,7 +87,7 @@
> * @version $Revision: 1.19 $
> */
> public class JNLPRuntime {
>-
>+
> static {
> loadResources();
> }
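Review bot: The two comment edits in the first hunks of JNLPClassLoader.java look like an accidental search-and-replace of `verify` with `verifyZipHeader`: `/** the jar cert verifier tool to verifyZipHeader our jars */` and `after trying to verifyZipHeader jars` now say the certificate verifier checks zip headers, which it does not (the header check lives in the new `net.sourceforge.jnlp.util.JarFile`). Restore the original wording `verify` in both comments. In the third hunk, `e.getMessage()` is null for many exceptions, which would put `Description: null` in the fatal dialog; `(e.getMessage() != null ? e.getMessage() : e.toString())` keeps the detail without that artefact. The enclosing method of that hunk starts and ends outside the view.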
>@@ -142,8 +142,16 @@
> /** set to false to indicate another JVM should not be spawned, even if necessary */
> private static boolean forksAllowed = true;
>
>- /** all security dialogs will be consumed and pretented as beeing verified by user and allowed.*/
>+ /** all security dialogs will be consumed and pretented as being verified by user and allowed.*/
> private static boolean trustAll=false;
>+ /**
>+ * Header is not checked and so eg. gifar exploit is possible
>+ * @see http://en.wikipedia.org/wiki/Gifar for this kind of attack.
>+ * However if jar file is a bit corrupted, then it sometimes can work so
>+ * this switch can disable the header check.
>+ *
>+ */
>+ private static boolean ignoreHeaders=false;
>
> /** contains the arguments passed to the jnlp runtime */
> private static List<String> initialArguments;
>@@ -776,4 +784,14 @@
> return trustAll;
> }
>
>+ public static boolean isIgnoreHeaders() {
>+ return ignoreHeaders;
>+ }
>+
>+ public static void setIgnoreHeaders(boolean ignoreHeaders) {
>+ JNLPRuntime.ignoreHeaders = ignoreHeaders;
>+ }
>+
>+
>+
> }
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
>--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Thu Dec 06 10:04:06 2012 -0500
>+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Fri Dec 07 16:09:50 2012 +0100
>@@ -41,7 +41,7 @@
> import java.util.Map;
> import java.util.Vector;
> import java.util.jar.JarEntry;
>-import java.util.jar.JarFile;
>+import net.sourceforge.jnlp.util.JarFile;
>
> import net.sourceforge.jnlp.JARDesc;
> import net.sourceforge.jnlp.JNLPFile;
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/util/InvalidJarHeaderException.java
>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
>+++ b/netx/net/sourceforge/jnlp/util/InvalidJarHeaderException.java Fri Dec 07 16:09:50 2012 +0100
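Review bot: The Javadoc on the new `ignoreHeaders` field in JNLPRuntime.java does not say what is checked or why disabling it is dangerous, and `@see http://en.wikipedia.org/wiki/Gifar` is not a well-formed Javadoc reference (a URL in `@see` has to be written as `<a href="...">...</a>`). Replace the block with a comment stating that the flag skips the ZIP magic-number check performed by `net.sourceforge.jnlp.util.JarFile`, that this check is what rejects GIFAR-style polyglot files, that it exists only for slightly malformed jars that would otherwise still load, and that it is security-sensitive and meant to be set only through the `-Xignoreheaders` option; put the Wikipedia link in an `<a>` tag. Since `setIgnoreHeaders` is a public static setter like `setTrustAll`, any code in the process can flip it, so a `@see` on the setter pointing at the option would document the intended entry point. The retouched `trustAll` comment still misspells `pretended` as `pretented`.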
>@@ -0,0 +1,45 @@
>+/*
>+Copyright (C) 2012 Red Hat, Inc.
>+
>+This file is part of IcedTea.
>+
>+IcedTea is free software; you can redistribute it and/or modify
>+it under the terms of the GNU General Public License as published by
>+the Free Software Foundation; either version 2, or (at your option)
>+any later version.
>+
>+IcedTea is distributed in the hope that it will be useful, but
>+WITHOUT ANY WARRANTY; without even the implied warranty of
>+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>+General Public License for more details.
>+
>+You should have received a copy of the GNU General Public License
>+along with IcedTea; see the file COPYING. If not, write to the
>+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>+02110-1301 USA.
>+
>+Linking this library statically or dynamically with other modules is
>+making a combined work based on this library. Thus, the terms and
>+conditions of the GNU General Public License cover the whole
>+combination.
>+
>+As a special exception, the copyright holders of this library give you
>+permission to link this library with independent modules to produce an
>+executable, regardless of the license terms of these independent
>+modules, and to copy and distribute the resulting executable under
>+terms of your choice, provided that you also meet, for each linked
>+independent module, the terms and conditions of the license of that
>+module. An independent module is a module which is not derived from
>+or based on this library. If you modify this library, you may extend
>+this exception to your version of the library, but you are not
>+obligated to do so. If you do not wish to do so, delete this
>+exception statement from your version.
*/
>+package net.sourceforge.jnlp.util;
>+
>+public class InvalidJarHeaderException extends RuntimeException{
>+
>+ public InvalidJarHeaderException(String string) {
>+ super(string);
>+ }
>+
>+}
>diff -r dc00e6d5a2f9 netx/net/sourceforge/jnlp/util/JarFile.java
>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
>+++ b/netx/net/sourceforge/jnlp/util/JarFile.java Fri Dec 07 16:09:50 2012 +0100
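Review bot: `InvalidJarHeaderException extends RuntimeException`, yet the only place it is thrown, `JarFile.verifyZipHeader`, is called from constructors that declare `throws IOException`, so every existing caller that handles a failed jar open with `catch (IOException e)` will not catch a rejected header and the unchecked exception will surface somewhere that was not written to expect it. A file that does not begin with a ZIP header is an I/O-level "this is not a zip" condition, which is exactly what `java.util.zip.ZipException` (an `IOException`) models; declaring `public class InvalidJarHeaderException extends java.util.zip.ZipException {` keeps the existing contracts intact without touching the callers. The class also has no Javadoc; a one-liner such as `/** Thrown by JarFile.verifyZipHeader when a file does not start with the ZIP local-file-header signature (GIFAR protection). */` would tell readers what it signals and where it comes from.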
>@@ -0,0 +1,94 @@
>+/*
>+ Copyright (C) 2012 Red Hat, Inc.
>+
>+ This file is part of IcedTea.
>+
>+ IcedTea is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 2, or (at your option)
>+ any later version.
>+
>+ IcedTea is distributed in the hope that it will be useful, but
>+ WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>+ General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with IcedTea; see the file COPYING. If not, write to the
>+ Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>+ 02110-1301 USA.
>+
>+ Linking this library statically or dynamically with other modules is
>+ making a combined work based on this library. Thus, the terms and
>+ conditions of the GNU General Public License cover the whole
>+ combination.
>+
>+ As a special exception, the copyright holders of this library give you
>+ permission to link this library with independent modules to produce an
>+ executable, regardless of the license terms of these independent
>+ modules, and to copy and distribute the resulting executable under
>+ terms of your choice, provided that you also meet, for each linked
>+ independent module, the terms and conditions of the license of that
>+ module. An independent module is a module which is not derived from
>+ or based on this library. If you modify this library, you may extend
>+ this exception to your version of the library, but you are not
>+ obligated to do so. If you do not wish to do so, delete this
>+ exception statement from your version.
*/
>+package net.sourceforge.jnlp.util;
>+
>+import java.io.File;
>+import java.io.FileInputStream;
>+import java.io.IOException;
>+import java.io.InputStream;
>+import java.util.zip.ZipFile;
>+import net.sourceforge.jnlp.runtime.JNLPRuntime;
>+
>+public class JarFile extends java.util.jar.JarFile {
>+
>+ public JarFile(String name) throws IOException {
>+ super(new File(name), true, ZipFile.OPEN_READ);
>+ verifyZipHeader(new File(name));
>+ }
>+
>+ /**
>+ */
>+ public JarFile(String name, boolean verify) throws IOException {
>+ super(new File(name), verify, ZipFile.OPEN_READ);
>+ verifyZipHeader(new File(name));
>+ }
>+
>+ /**
>+ */
>+ public JarFile(File file) throws IOException {
>+ super(file, true, ZipFile.OPEN_READ);
>+ verifyZipHeader(file);
>+ }
>+
>+ /**
>+ */
>+ public JarFile(File file, boolean verify) throws IOException {
>+ super(file, verify, ZipFile.OPEN_READ);
>+ verifyZipHeader(file);
>+ }
>+ private static final byte[] MAGIC_PK_CONSTANT_BYTES = new byte[]{80, 75, 3, 4};
>+
>+ public static void verifyZipHeader(File file) throws IOException {
>+ if (!JNLPRuntime.isIgnoreHeaders()) {
>+ InputStream s = new FileInputStream(file);
>+ try {
>+ byte[] buffer = new byte[MAGIC_PK_CONSTANT_BYTES.length];
>+ s.read(buffer);
>+ for (int i = 0; i < buffer.length; i++) {
>+ if (buffer[i] != MAGIC_PK_CONSTANT_BYTES[i]) {
>+ throw new InvalidJarHeaderException("Jar " + file.getName() + " do not heave valid header. You can skipp this check by -Xignoreheaders");
>+ }
>+ }
>+ } finally {
>+ s.close();
>+ }
>+ }
>+
>+
>+
>+ }
>+}
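Review bot: `verifyZipHeader` discards the return value of `s.read(buffer)`, so a short or partial read is compared against whatever the zero-filled buffer happens to hold; that rejects by accident rather than by design and does not distinguish "not a zip" from "could not read four bytes". The rewrite below fills the buffer until full or EOF, treats a short file as an invalid header, and fixes the user-facing message (`does not have a valid header`, `skip`). Two caveats worth recording in the Javadoc of the empty `/** */` stubs: the check inspects only the local-file-header signature at offset 0, so it stops a GIFAR whose image data comes first (the case this bug tracks) but is not a general polyglot check, and a legitimately empty archive, which begins with the end-of-central-directory signature rather than `PK\3\4`, would be rejected, so confirm that no such jars are in use; the check also runs after the superclass has already parsed the archive, which the constructors should say. Note that `super(...)` is given `verify` while the header check always runs, which seems intended but deserves a sentence.
```java
    public static void verifyZipHeader(File file) throws IOException {
        if (JNLPRuntime.isIgnoreHeaders()) {
            return;
        }
        byte[] buffer = new byte[MAGIC_PK_CONSTANT_BYTES.length];
        InputStream s = new FileInputStream(file);
        try {
            // read(byte[]) may return fewer bytes than requested; fill the buffer or hit EOF
            int total = 0;
            while (total < buffer.length) {
                int n = s.read(buffer, total, buffer.length - total);
                if (n < 0) {
                    break;
                }
                total += n;
            }
            // a file shorter than the signature is not a valid archive either
            boolean valid = total == buffer.length;
            for (int i = 0; valid && i < buffer.length; i++) {
                valid = buffer[i] == MAGIC_PK_CONSTANT_BYTES[i];
            }
            if (!valid) {
                throw new InvalidJarHeaderException("Jar " + file.getName()
                        + " does not have a valid header. You can skip this check by -Xignoreheaders");
            }
        } finally {
            s.close();
        }
    }
```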