Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fixing CVEs 2019- 10181, 10182, 10185 found by Imre Rad - master #344

Merged
merged 5 commits into from Aug 2, 2019

Conversation

judovana
Copy link
Contributor

No description provided.

…VE-2019-10182

* netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash
* netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux
* tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing
* tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java:  added test for .. in path. Added test that verifies encoded .. (%2E%2E) do not leak from cahce
* tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with .. full url
* tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with encoded ..
…019-10185

* tests/netx/unit/net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar: crafted jar with hacked zip entries to be named like ".."
* tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp: jnlp to call jar03_dotdotN1.jar
* netx/net/sourceforge/jnlp/cache/CacheUtil.jsava: (hex) made public to be reused in JNLPClassLoader
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: if nested jar contains .. in path, is extracted as hashed
…VE-2019-10181

* netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not checked for signature. Now only signature files are skipped
* tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from signature check
* sts/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: splitted testRelativePathInNestedJars to itself without certificate chech testDifferentSignatureInManifestMf as the differetn signature
is now not passable
…odebase is suddenly no longer deducted by itw

Added explicit . codebase to the test jnlp file jar_03_dotdot_jarN1.jnlp
@judovana judovana changed the title fixing cves 181, 182, 185 found by Imre Rad fixing cves 10181, 10182, 10185 found by Imre Rad Jul 31, 2019
@judovana judovana changed the title fixing cves 10181, 10182, 10185 found by Imre Rad fixing cves 2019- 10181, 10182, 10185 found by Imre Rad Jul 31, 2019
@judovana judovana changed the title fixing cves 2019- 10181, 10182, 10185 found by Imre Rad fixing CVEs 2019- 10181, 10182, 10185 found by Imre Rad Jul 31, 2019
@judovana judovana changed the title fixing CVEs 2019- 10181, 10182, 10185 found by Imre Rad fixing cves 181, 182, 185 found by Imre Rad - master Jul 31, 2019
@judovana
Copy link
Contributor Author

btw the 140c981 is candidate for revert, and fix the regression to make this test pass. The default codebase absence will make many no longer maintained apps to die

@judovana judovana changed the title fixing cves 181, 182, 185 found by Imre Rad - master fixing CVEs 181, 182, 185 found by Imre Rad - master Jul 31, 2019
@judovana judovana changed the title fixing CVEs 181, 182, 185 found by Imre Rad - master fixing CVEs 2019- 10181, 10182, 10185 found by Imre Rad - master Jul 31, 2019
@judovana
Copy link
Contributor Author

judovana commented Aug 1, 2019

So good to commit tomorrow?

@sclassen sclassen merged commit 1054d59 into master Aug 2, 2019
@sclassen sclassen deleted the ImreCve181Cve182Cve185-master branch August 5, 2019 07:02
@karianna karianna added this to the 2.0.x milestone Aug 6, 2019
@karianna karianna added this to In progress in icedtea-web via automation Aug 6, 2019
@karianna karianna added the bug Something isn't working label Aug 6, 2019
@karianna karianna moved this from In progress to Done in icedtea-web Aug 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
icedtea-web
  
Done
Development

Successfully merging this pull request may close these issues.

None yet

3 participants