From e26a52a655f706b0d0b9bad32db10141870ee2ba Mon Sep 17 00:00:00 2001
From: Stefano Mazzucco
Date: Sat, 10 Aug 2019 08:17:20 +0100
Subject: [PATCH 1/4] icedtea_web: 1.7.1 -> 1.8.3

Use the new official repository on GitHub and build the new launcher written in Rust.

Also fixes the following security vulnerabilities:

- CVE-2019-10185: zip-slip attack during auto-extraction of a JAR file.
- CVE-2019-10181: executable code could be injected in a JAR file without compromising the signature verification.
- CVE-2019-10182: improper path sanitization from elements in JNLP files.

References: https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
---
 .../compilers/icedtea-web/default.nix | 35 +++++++++++---
 ...e-cargo-work-with-nix-build-on-linux.patch | 46 +++++++++++++++++++
 2 files changed, 74 insertions(+), 7 deletions(-)
 create mode 100644 pkgs/development/compilers/icedtea-web/patches/0001-make-cargo-work-with-nix-build-on-linux.patch

diff --git a/pkgs/development/compilers/icedtea-web/default.nix b/pkgs/development/compilers/icedtea-web/default.nix
index 9390cbde637..0876da6a16b 100644
--- a/pkgs/development/compilers/icedtea-web/default.nix
+++ b/pkgs/development/compilers/icedtea-web/default.nix
@@ -1,24 +1,45 @@
-{ stdenv, fetchurl, jdk, gtk2, xulrunner, zip, pkgconfig, perl, npapi_sdk, bash, bc }:
+{ stdenv, fetchFromGitHub, cargo, rustc, autoreconfHook, jdk, gtk2, xulrunner, zip, pkgconfig, npapi_sdk, bash, bc }:
 stdenv.mkDerivation rec {
 name = "icedtea-web-${version}";
- version = "1.7.1";
+ version = "1.8.3";
- src = fetchurl {
- url = "http://icedtea.wildebeest.org/download/source/${name}.tar.gz";
- sha256 = "1b9z0i9b1dsc2qpfdzbn2fi4vi3idrhm7ig45g1ny40ymvxcwwn9";
+ src = fetchFromGitHub {
+ owner = "AdoptOpenJDK";
+ repo = "IcedTea-Web";
+ rev = name;
+ sha256 = "0bm5k11i2vgb54ch1bawsmjbwnqnp04saadwm2f2mggmmdc6b1qq";
 };
- nativeBuildInputs = [ pkgconfig bc perl ];
- buildInputs = [ gtk2 xulrunner zip npapi_sdk ];
+ nativeBuildInputs = [ autoreconfHook pkgconfig bc ];
+ buildInputs = [ cargo rustc gtk2 xulrunner zip npapi_sdk ];
 preConfigure = ''
 #patchShebangs javac.in
 configureFlagsArray+=("BIN_BASH=${bash}/bin/bash")
 '';
+ patches = [ ./patches/0001-make-cargo-work-with-nix-build-on-linux.patch ];
+
+ doCheck = true;
+ preCheck = ''
+ # Needed for the below rust-launcher tests to pass
+ # dirs_paths_helper::tests::check_config_files_paths
+ # dirs_paths_helper::tests::check_legacy_config_files_paths
+
+ mkdir -p $HOME/.icedtea
+ touch $HOME/.icedtea/deployment.properties
+
+ mkdir -p $XDG_CONFIG_HOME/icedtea-web
+ touch $XDG_CONFIG_HOME/icedtea-web/deployment.properties
+ '';
+
+ HOME = "/build";
+ XDG_CONFIG_HOME = "/build";
+
 configureFlags = [
+ "--with-itw-libs=DISTRIBUTION"
 "--with-jdk-home=${jdk.home}"
 "--disable-docs"
 ];
diff --git a/pkgs/development/compilers/icedtea-web/patches/0001-make-cargo-work-with-nix-build-on-linux.patch b/pkgs/development/compilers/icedtea-web/patches/0001-make-cargo-work-with-nix-build-on-linux.patch
new file mode 100644
index 00000000000..85cad6cf467
--- /dev/null
+++ b/pkgs/development/compilers/icedtea-web/patches/0001-make-cargo-work-with-nix-build-on-linux.patch
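Review bot: `HOME = "/build";` and `XDG_CONFIG_HOME = "/build";` hard-code the sandbox's default build directory, so the `mkdir -p $HOME/.icedtea` and `mkdir -p $XDG_CONFIG_HOME/icedtea-web` fixtures in `preCheck` will fail, or land outside the build tree, on a builder whose build directory is somewhere else (for example with sandboxing disabled). Taking both from the build's own top directory keeps the fixtures inside the build tree wherever it is: drop the two attributes and put `export HOME=$NIX_BUILD_TOP XDG_CONFIG_HOME=$NIX_BUILD_TOP` as the first line of `preCheck`. `rev = name;` resolves an upstream tag rather than a commit, which is only acceptable because `sha256` fixes the fetched content; a comment such as `# upstream tags releases as icedtea-web-<version>` would record the naming assumption the pin depends on.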
@@ -0,0 +1,46 @@
+Subject: [PATCH] make cargo work with nix-build on linux
+
+---
+ .cargo/config | 2 ++
+ rust-launcher/Cargo.lock | 4 ++++
+ rust-launcher/Cargo.toml | 7 ++++---
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+ create mode 100644 .cargo/config
+ create mode 100644 rust-launcher/Cargo.lock
+
+diff --git a/.cargo/config b/.cargo/config
+new file mode 100644
+index 0000000..03ec4a2
+--- /dev/null
++++ b/.cargo/config
+@@ -0,0 +1,2 @@
++[net]
++offline=true
+diff --git a/rust-launcher/Cargo.lock b/rust-launcher/Cargo.lock
+new file mode 100644
+index 0000000..6055cc0
+--- /dev/null
++++ b/rust-launcher/Cargo.lock
+@@ -0,0 +1,4 @@
++[[package]]
++name = "launcher"
++version = "1.8.0"
++
+diff --git a/rust-launcher/Cargo.toml b/rust-launcher/Cargo.toml
+index 61ee308..5e6e91b 100644
+--- a/rust-launcher/Cargo.toml
++++ b/rust-launcher/Cargo.toml
+@@ -3,6 +3,7 @@ name = "launcher"
+ version = "1.8.0"
+ authors = ["https://icedtea.classpath.org/wiki/IcedTea-Web"]
+
+-[dependencies]
+-[target.'cfg(windows)'.dependencies]
+-dunce = "0.1.1"
++[workspace]
++# We need this too or cargo will fail. Some files seem to be copied around and
++# cargo thinks we are in a workspace, so let's exclude everything.
++exclude = ["*"]
+--
+2.19.2
+

From de14e5b951c845f2387b82fa91f7ee11bab74f13 Mon Sep 17 00:00:00 2001
From: Stefano Mazzucco
Date: Sat, 10 Aug 2019 17:04:51 +0100
Subject: [PATCH 2/4] icedtea_web: update homepage

---
 pkgs/development/compilers/icedtea-web/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/compilers/icedtea-web/default.nix b/pkgs/development/compilers/icedtea-web/default.nix
index 0876da6a16b..193ae0fa244 100644
--- a/pkgs/development/compilers/icedtea-web/default.nix
+++ b/pkgs/development/compilers/icedtea-web/default.nix
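Review bot: The inner `rust-launcher/Cargo.toml` hunk drops the whole `[dependencies]` table together with the windows-only `dunce = "0.1.1"` entry, yet the patch's subject and body only speak of making cargo work under nix-build; the hand-written `Cargo.lock` with a single `launcher` entry is only valid because that dependency is gone. Record this in the patch description, e.g. `Drop the cfg(windows)-only dunce dependency so the launcher resolves no crates and a minimal Cargo.lock suffices for an offline build.`, so that the next updater regenerates the lock file rather than copying this one if upstream gains a real dependency. The `[net] offline=true` in `.cargo/config` duplicates what the Nix sandbox already enforces, but it is harmless and makes the intent visible in the source tree.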
@@ -53,7 +53,7 @@ stdenv.mkDerivation rec {
 programming language and an implementation of Java Web Start,
 originally based on the NetX project.
 '';
- homepage = http://icedtea.classpath.org/wiki/IcedTea-Web;
+ homepage = https://github.com/adoptopenjdk/icedtea-web;
 maintainers = with stdenv.lib.maintainers; [ wizeman ];
 platforms = stdenv.lib.platforms.linux;
 };

From ebde1ddd0e2a81ef860913ad93d8c0e3dc94399a Mon Sep 17 00:00:00 2001
From: Stefano Mazzucco
Date: Sat, 10 Aug 2019 17:27:23 +0100
Subject: [PATCH 3/4] icedtea_web: install .destkop entries

---
 pkgs/development/compilers/icedtea-web/default.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/development/compilers/icedtea-web/default.nix b/pkgs/development/compilers/icedtea-web/default.nix
index 193ae0fa244..38c93f1e4a0 100644
--- a/pkgs/development/compilers/icedtea-web/default.nix
+++ b/pkgs/development/compilers/icedtea-web/default.nix
@@ -46,6 +46,11 @@ stdenv.mkDerivation rec {
 mozillaPlugin = "/lib";
+ postInstall = ''
+ mkdir -p $out/share/applications
+ cp javaws.desktop itweb-settings.desktop policyeditor.desktop $out/share/applications
+ '';
+
 meta = {
 description = "Java web browser plugin and an implementation of Java Web Start";
 longDescription = ''

From 2d4bdb87336ee7e36f9c4fa3574da0951ecadb67 Mon Sep 17 00:00:00 2001
From: Stefano Mazzucco
Date: Tue, 13 Aug 2019 22:42:32 +0100
Subject: [PATCH 4/4] icedtea_web: use glib rather than gtk2 in buildInputs

The dependency on GTK was removed in https://github.com/AdoptOpenJDK/IcedTea-Web/commit/c7aae0e400daf2939338963159038c9d07b5037b

Also, remove that pesky commented-out line from `preConfigure` too!
---
 pkgs/development/compilers/icedtea-web/default.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/compilers/icedtea-web/default.nix b/pkgs/development/compilers/icedtea-web/default.nix
index 38c93f1e4a0..73dd90ab4a1 100644
--- a/pkgs/development/compilers/icedtea-web/default.nix
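Review bot: The new `homepage` spells the repository path in lowercase, `https://github.com/adoptopenjdk/icedtea-web`, while `src` in the same file (outside this hunk) fetches `owner = "AdoptOpenJDK"; repo = "IcedTea-Web"`; GitHub currently redirects case-insensitively, but using the canonical spelling avoids relying on that and keeps the two references in step. Change the line to `homepage = https://github.com/AdoptOpenJDK/IcedTea-Web;`.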
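Review bot: `cp javaws.desktop itweb-settings.desktop policyeditor.desktop $out/share/applications` in the new `postInstall` carries over whatever mode bits the checkout gave those files instead of setting a deterministic one, and the preceding `mkdir -p` is only there to make the copy possible. `install -Dm644 -t $out/share/applications javaws.desktop itweb-settings.desktop policyeditor.desktop` sets the mode explicitly and creates the directory, replacing both lines. Whether these three files are the generated copies whose `Exec=` entries point at the binaries under `$out` is not visible in this diff; that is worth confirming before a desktop menu is expected to launch them.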
+++ b/pkgs/development/compilers/icedtea-web/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, cargo, rustc, autoreconfHook, jdk, gtk2, xulrunner, zip, pkgconfig, npapi_sdk, bash, bc }:
+{ stdenv, fetchFromGitHub, cargo, rustc, autoreconfHook, jdk, glib, xulrunner, zip, pkgconfig, npapi_sdk, bash, bc }:
 stdenv.mkDerivation rec {
 name = "icedtea-web-${version}";
@@ -13,10 +13,9 @@ stdenv.mkDerivation rec {
 };
 nativeBuildInputs = [ autoreconfHook pkgconfig bc ];
- buildInputs = [ cargo rustc gtk2 xulrunner zip npapi_sdk ];
+ buildInputs = [ cargo rustc glib xulrunner zip npapi_sdk ];
 preConfigure = ''
- #patchShebangs javac.in
 configureFlagsArray+=("BIN_BASH=${bash}/bin/bash")
 '';
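Review bot: The replacement of `gtk2` by `glib` in `buildInputs` (and the matching argument change in the first hunk of this file) is justified only in the commit message, so the derivation itself never says why glib is still required once upstream dropped GTK. Keeping the rationale where the next updater will look costs one comment on the changed line, e.g. `buildInputs = [ cargo rustc glib xulrunner zip npapi_sdk ]; # gtk2 dropped upstream in c7aae0e; glib still required`. Whether glib is genuinely linked against or merely satisfies a configure probe cannot be told from this diff and would be worth a sentence in that comment once known.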