Skip to content
This repository was archived by the owner on Apr 12, 2021. It is now read-only.
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs-channels
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 6f7aca86f037
Choose a base ref
...
head repository: NixOS/nixpkgs-channels
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: e36f91fa8610
Choose a head ref
  • 4 commits
  • 1 file changed
  • 2 contributors

Commits on Aug 15, 2019

  1. icedtea_web: 1.7.1 -> 1.7.2 (plus CVE patches) 

    On Wed, 31 Jul 2019 it was announced that IcedTea-Web was affected by the below
security vulnerabilities:

- CVE-2019-10185: zip-slip attack during auto-extraction of a JAR file.

- CVE-2019-10181: executable code could be injected in a JAR file without
  compromising the signature verification.

- CVE-2019-10182: improper path sanitization from elements in JNLP
  files.

Version 1.7 was patched, but no release was made. Moreover, the patches apply
cleanly only to 1.7.2, not the current 1.7.1.

Rather than marking 1.7.1 as insecure, update to 1.7.2 and apply the official
patches.

References:

https://www.openwall.com/lists/oss-security/2019/07/31/2
AdoptOpenJDK/IcedTea-Web#327
AdoptOpenJDK/IcedTea-Web#346
    @stefano-m @worldofpeace
    stefano-m authored and worldofpeace committed Aug 15, 2019
    Copy the full SHA
    f864ddf View commit details

  2. icedtea-web: use glib build input instead of gtk2 

    gtk2 is not needed any more
    @stefano-m @worldofpeace
    stefano-m authored and worldofpeace committed Aug 15, 2019

    Verified

    This commit was signed with the committer’s verified signature.
    caendesilva Caen De Silva
    GPG key ID: F1E5FB7C768BCE52
    Verified
    Learn about vigilant mode
    Copy the full SHA
    eb01d7a View commit details

  3. icedtea-web: remove sh extension from launchers for back compat 

    icedtea-web 1.7.2 builds its launchers shell scripts with the "sh" extension,
while version 1.7.1 did not.

For backwards-compatibility, remove the extension from the executable in
postInstall.

Note that version 1.7.2 also creates a file called itw-modularjdk.args in the
bin directory. This file is referenced by the shell launchers, so we leave it
there (it's not executable anyway).
    @stefano-m @worldofpeace
    stefano-m authored and worldofpeace committed Aug 15, 2019

    Verified

    This commit was signed with the committer’s verified signature.
    caendesilva Caen De Silva
    GPG key ID: F1E5FB7C768BCE52
    Verified
    Learn about vigilant mode
    Copy the full SHA
    fc78b41 View commit details

  4. Merge pull request #66444 from stefano-m/icedtea-web-1.7.2-cvefixes 

    icedtea_web: 1.7.1 -> 1.7.2 (plus CVE patches)
    @worldofpeace
    worldofpeace authored Aug 15, 2019

    Verified

    This commit was signed with the committer’s verified signature.
    caendesilva Caen De Silva
    GPG key ID: F1E5FB7C768BCE52
    Verified
    Learn about vigilant mode
    Copy the full SHA
    e36f91f View commit details
Showing with 29 additions and 5 deletions.
  1. +29 −5 pkgs/development/compilers/icedtea-web/default.nix
34 changes: 29 additions & 5 deletions pkgs/development/compilers/icedtea-web/default.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,44 @@
{ stdenv, fetchurl, jdk, gtk2, xulrunner, zip, pkgconfig, perl, npapi_sdk, bash, bc }:
{ stdenv, fetchurl, jdk, glib, xulrunner, zip, pkgconfig, perl, npapi_sdk, bash, bc, git }:
let

cveFixes = fetchurl {
# CVE-2019-10185: zip-slip attack during auto-extraction of a JAR file.
# CVE-2019-10181: executable code could be injected in a JAR file without
# compromising the signature verification.
# CVE-2019-10182: improper path sanitization from elements in JNLP
# files.
url = "https://patch-diff.githubusercontent.com/raw/AdoptOpenJDK/IcedTea-Web/pull/346.patch";
sha256 = "1lzwib5affz9nm3iyd0ij33km9k8ny9r6p9429zlgxfq4s6jdrqc";
};

in

stdenv.mkDerivation rec {
name = "icedtea-web-${version}";

version = "1.7.1";
version = "1.7.2";

src = fetchurl {
url = "http://icedtea.wildebeest.org/download/source/${name}.tar.gz";
sha256 = "1b9z0i9b1dsc2qpfdzbn2fi4vi3idrhm7ig45g1ny40ymvxcwwn9";
sha256 = "1gsgcf2h25kg12d4mzsw0kaf3i72bfqkr8vi70d0yq9lqinrfkl2";
};

nativeBuildInputs = [ pkgconfig bc perl ];
buildInputs = [ gtk2 xulrunner zip npapi_sdk ];
buildInputs = [ glib xulrunner zip npapi_sdk ];

postPatch = ''
# The patch includes binary blobs for tests so we must use `git apply`
# directly instead of relying on `git patch` from `patchPhase`
${git}/bin/git apply --verbose --exclude=ChangeLog ${cveFixes}
'';

postInstall = ''
mv $out/bin/itweb-settings{.sh,}
mv $out/bin/javaws{.sh,}
mv $out/bin/policyeditor{.sh,}
'';

preConfigure = ''
#patchShebangs javac.in
configureFlagsArray+=("BIN_BASH=${bash}/bin/bash")
'';