From 734d3800792d3b1825eb3101227eae519311871e Mon Sep 17 00:00:00 2001
From: Omair Majid
Date: Wed, 24 Nov 2010 14:15:11 -0500
Subject: CVE-2010-3860 IcedTea System property information leak via public static 2010-11-24 Omair Majid * netx/net/sourceforge/jnlp/runtime/Boot.java: Remove basedir option. Add NETX_ABOUT_FILE. (run): Remove call to JNLPRuntime.setBaseDir. (getAboutFile): Use the constant in this file, not JNLPRuntime. (getBaseDir): Remove obsolete method. * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java: Remove baseDir, USER, HOME_DIR, NETXRC_FILE, NETX_DIR, SECURITY_DIR, CERTFICIATES_FILE, JAVA_HOME_DIR, NETX_ABOUT_FILE. (initialize): Do not set baseDir. (getBaseDir): Remove method. (setBaseDir): Likewise. (getDefaultBaseDir): Likewise. (getProperties): Likewise. * netx/net/sourceforge/jnlp/security/SecurityUtil.java (getTrustedCertsFilename): Delegate to KeyStores.getKeyStoreLocation. * plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java (PluginAppletSecurityContext): Remove call to obsolete method.
---
netx/net/sourceforge/jnlp/security/SecurityUtil.java | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
(limited to 'netx/net/sourceforge/jnlp/security/SecurityUtil.java')
diff --git a/netx/net/sourceforge/jnlp/security/SecurityUtil.java b/netx/net/sourceforge/jnlp/security/SecurityUtil.java
index 2a63a21..ebdab60 100644
--- a/netx/net/sourceforge/jnlp/security/SecurityUtil.java
+++ b/netx/net/sourceforge/jnlp/security/SecurityUtil.java
@@ -43,20 +43,15 @@ import java.io.FileOutputStream;
 import java.security.KeyStore;
 import net.sourceforge.jnlp.runtime.JNLPRuntime;
+import net.sourceforge.jnlp.security.KeyStores.Level;
+import net.sourceforge.jnlp.security.KeyStores.Type;
 public class SecurityUtil {
 private static final char[] password = "changeit".toCharArray();
 public static String getTrustedCertsFilename() throws Exception{
-
- String homeDir = JNLPRuntime.HOME_DIR;
-
- if (homeDir == null) {
- throw new Exception("Could not access home directory");
- } else {
- return JNLPRuntime.CERTIFICATES_FILE;
- }
+ return KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS);
 }
 public static char[] getTrustedCertsPassword() {
--
cgit v1.2.3
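Review bot: The replacement line `return KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS);` in getTrustedCertsFilename() keeps a public static entry point that returns a user-level keystore path, which is the same kind of information the removed JNLPRuntime constants exposed. Whether untrusted applet code is kept away from that value depends on a permission check inside KeyStores.getKeyStoreLocation, which is not visible in this hunk and should be confirmed. The old body also threw when the home directory was unavailable, while the new one passes through whatever the delegate returns, so either keep a guard such as `if (location == null) throw new Exception("Could not access home directory");` or state the possible null in a Javadoc comment on the method. The `JNLPRuntime` import stays as a context line and may now be unused if nothing outside this hunk still references it.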