From 6491febf569a2eb3d32a96d69f839ff9a2e65c11 Mon Sep 17 00:00:00 2001
From: Deepak Bhole <dbhole@redhat.com>
Date: Tue, 15 Feb 2011 17:03:09 -0500
Subject: Fixed RH677332, CVE-2011-0706: IcedTea multiple signers privilege
 escalation

---
 ChangeLog                                              | 8 ++++++++
 NEWS                                                   | 1 +
 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 8 +++++++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 1a21151..56130c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,14 @@
 	(TimedHashMap): Moved to...
 	* netx/net/sourceforge/jnlp/util/TimedHashMap.java: New file.
 
+2011-02-11  Omair Majid  <omajid@redhat.com>
+
+	RH677332, CVE-2011-0706: IcedTea multiple signers privilege escalation
+	* NEWS: Updated.
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+	(initializeResources): Assign appropriate security descriptor based on
+	code signing.
+
 2011-02-11  Deepak Bhole <dbhole@redhat.com>
 
 	Fix S6983554, CVE-2010-4450: Launcher incorrect processing of empty
diff --git a/NEWS b/NEWS
index 6fbd247..60f4625 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release 1.1 (2011-XX-XX):
 * Security updates
   - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries 
+  - RH677332, CVE-2011-0706: IcedTea multiple signers privilege escalation
 * NetX
   - Use Firefox's proxy settings if possible
   - RH669942: javaws fails to download version/packed files (missing support for jnlp.packEnabled and jnlp.versionEnabled)
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
index 52db413..1822c01 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
@@ -481,9 +481,15 @@ public class JNLPClassLoader extends URLClassLoader {
                         codebase = file.getResources().getMainJAR().getLocation();
                     }
 
-                    jarSecurity = new SecurityDesc(file,
+                    if (signing) {
+                        jarSecurity = new SecurityDesc(file,
                                                         SecurityDesc.ALL_PERMISSIONS,
                                                         codebase.getHost());
+                    } else {
+                        jarSecurity = new SecurityDesc(file,
+                                                        SecurityDesc.SANDBOX_PERMISSIONS,
+                                                        codebase.getHost());
+                    }
                 }
 
                 jarLocationSecurityMap.put(location, jarSecurity);
-- 
cgit v1.2.3