icedtea_web: 1.7.1 -> 1.8.3 (fixes CVE-2019-10185, CVE-2019-10181, CVE-2019-10182) #66422
Use the new official repository on GitHub and build the new launcher written in Rust. Also fixes the following security vulnerabilities:
- CVE-2019-10185: zip-slip attack during auto-extraction of a JAR file.
- CVE-2019-10181: executable code could be injected in a JAR file without compromising the signature verification.
- CVE-2019-10182: improper path sanitization from `<jar/>` elements in JNLP files.

References: AdoptOpenJDK/IcedTea-Web#327

Note that this version of IcedTea-Web comes with a launcher written in Rust. I had to add a few patches to make this work and I don't know whether this can be achieved in a better way.
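Two of the three fixes above (the zip-slip during JAR auto-extraction and the JNLP `<jar/>` path sanitization) are the same class of bug: a path taken from untrusted input is joined onto a trusted directory without checking that the result still lies inside it. The Python below is an added illustration of that check, written for this page; it is not IcedTea-Web's code (which is Java) and not part of this PR. The archive contents, the cache directory and the helper names (`is_within`, `safe_extract`, `cache_path_for_href`, `build_archive`) are all constructed for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_within(base: Path, candidate: Path) -> bool:
    """True if `candidate`, after resolving `..` components and symlinks,
    lies inside `base`. Both sides are resolved so a symlinked base
    (e.g. /tmp on macOS) compares consistently."""
    try:
        candidate.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract zip bytes into `dest`, refusing any entry whose destination
    would fall outside `dest`. Returns the entry names written and raises
    ValueError on the first traversal attempt (the zip-slip case)."""
    dest_path = Path(dest).resolve()
    dest_path.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names never belong in an archive we extract.
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError("absolute entry name rejected: %r" % name)
            target = dest_path / name
            # The actual zip-slip check: "../x" resolves outside dest_path.
            if not is_within(dest_path, target):
                raise ValueError("zip-slip entry rejected: %r" % name)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written


def cache_path_for_href(cache_dir: str, href: str):
    """Map a JNLP <jar href="..."> value onto a location in the JAR cache,
    or return None if the href would escape the cache directory. This is
    the same containment check applied to the JNLP path-sanitization case."""
    cache = Path(cache_dir).resolve()
    target = cache / href
    return target if is_within(cache, target) else None


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one well-formed, one carrying a traversal entry.
BENIGN = build_archive({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "app/Main.class": b"\xca\xfe\xba\xbe",
})
SLIP = build_archive({
    "app/Main.class": b"\xca\xfe\xba\xbe",
    "../outside.txt": "escaped",  # would land one level above the target dir
})


def demo() -> dict:
    """Run both checks against the constructed inputs and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["benign"] = safe_extract(BENIGN, os.path.join(d, "benign"))
        try:
            safe_extract(SLIP, os.path.join(d, "slip"))
            results["slip"] = "extracted"
        except ValueError:
            results["slip"] = "rejected"
        # The traversal entry aimed at d/outside.txt; it must not have been written.
        results["escaped_file_exists"] = os.path.exists(os.path.join(d, "outside.txt"))
        ok = cache_path_for_href(d, "lib/app.jar")
        results["href_ok"] = ok is not None and ok.name == "app.jar"
        results["href_bad"] = cache_path_for_href(d, "../../etc/app.jar")
    return results


if __name__ == "__main__":
    print(demo())
```

The containment test is done on the resolved path rather than by string-matching for `..`, because encoded, doubled or mid-path traversal sequences are easy to miss with pattern checks; resolving and then asking "is this still under the base?" covers them uniformly. Rejecting the whole archive on the first bad entry, rather than skipping that entry, is deliberate: an archive carrying a traversal entry is not one you want partially installed.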
WFM non-nixos linux x86_64
Can we install the desktop items in `postInstall`? There might be other things too.
Also we should update the homepage.
I'm noticing there's attributes like `adoptopenjdk-jre-bin`. Perhaps we shouldn't touch this `icedtea_web` expression and add an `adoptopenjdk-icedtea-web`?
@worldofpeace thanks for the suggestions.
I can have a look, but FTR the main reason for the update was to patch the CVEs
Well spotted, I will fix that.
I am happy to add the Hope that this makes sense.
For reference: https://logs.nix.samueldr.com/nixos-security/2019-08-05
I'm fine going with your preference then. The follow up should do the following:
Cool. I will remove the alias and force-push then. Thanks!
@GrahamcOfBorg build icedtea_web
I guess we should remove the
ofborg will get that
Built this manually on
The dependency on GTK was removed in AdoptOpenJDK/IcedTea-Web@c7aae0e. Also, remove that pesky commented-out line from `preConfigure` too!
I've built this on NixOS (x86_64-linux and aarch64-linux) and ran all the Web Start examples.
Thanks for your well constructed PR @stefano-m, it was very easy to review.
Things done
- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS)
- Tested compilation of all packages that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)
- Manual testing:
  - `./result/bin/javaws <path to JNLP file>`
  - `./result/bin/itweb-settings` launches with no errors
  - `./result/bin/policyeditor` launches with no errors

Notify maintainers
cc @grahamc (NixOS security team)