base repository: NixOS/nixpkgs
base: 6f7aca86f037
...
head repository: NixOS/nixpkgs
compare: e36f91fa8610
  • 4 commits
  • 1 file changed
  • 2 contributors

Commits on Aug 15, 2019

  1. icedtea_web: 1.7.1 -> 1.7.2 (plus CVE patches)

    On Wed, 31 Jul 2019 it was announced that IcedTea-Web was affected by the below
    security vulnerabilities:
    
    - CVE-2019-10185: zip-slip attack during auto-extraction of a JAR file.
    
    - CVE-2019-10181: executable code could be injected in a JAR file without
      compromising the signature verification.
    
    - CVE-2019-10182: improper path sanitization from elements in JNLP
      files.
    
    Version 1.7 was patched, but no release was made. Moreover, the patches apply
    cleanly only to 1.7.2, not the current 1.7.1.
    
    Rather than marking 1.7.1 as insecure, update to 1.7.2 and apply the official
    patches.
    
    References:
    
    https://www.openwall.com/lists/oss-security/2019/07/31/2
    AdoptOpenJDK/IcedTea-Web#327
    AdoptOpenJDK/IcedTea-Web#346
    stefano-m authored and worldofpeace committed Aug 15, 2019
    f864ddf
  2. icedtea-web: use glib build input instead of gtk2

    gtk2 is not needed any more
    stefano-m authored and worldofpeace committed Aug 15, 2019
    eb01d7a
  3. icedtea-web: remove sh extension from launchers for back compat

    icedtea-web 1.7.2 builds its launcher shell scripts with the "sh" extension,
    while version 1.7.1 did not.
    
    For backwards-compatibility, remove the extension from the executable in
    postInstall.
    
    Note that version 1.7.2 also creates a file called itw-modularjdk.args in the
    bin directory. This file is referenced by the shell launchers, so we leave it
    there (it's not executable anyway).
    stefano-m authored and worldofpeace committed Aug 15, 2019
    fc78b41
  4. Merge pull request #66444 from stefano-m/icedtea-web-1.7.2-cvefixes

    icedtea_web: 1.7.1 -> 1.7.2 (plus CVE patches)
    worldofpeace committed Aug 15, 2019
    e36f91f