Good catch Yuri -- please log it into JIRA.
Regards,
Tim
Yuri Dolgov wrote:
> Hello,
>
> I've made an investigation and found out the root of the problem.
>
> It seems that "eclipse" test in DaCapo benchmarks canges value of *
> java.home* system property to ".\scratch\dummyjre". It affects
> initialization of Security class in java.security module which loads
> java.security file from *java.home*/lib/security directory.
>
> This is potential security gap since a person could change *java.home*
> value
> before Security class initialization and load malicious java.security file.
>
> The following test demonstrates the described behavior:
>
>
> import java.security.MessageDigest;
> public class Test {
> public static void main (String[] args) {
> try {
> System.setProperty("java.home", "foo/path");
> MessageDigest md = MessageDigest.getInstance ("SHA-1");
> } catch (Exception e) {
> e.printStackTrace();
> }
> }
> }
>
> Yuri Dolgov
>
>
> On 11/10/06, Tim Ellison <[EMAIL PROTECTED]> wrote:
>>
>> Robin Garner wrote:
>> > Stefano Mazzocchi wrote:
>> >> from Robin's latest runs
>> >>
>> http://cs.anu.edu.au/people/Robin.Garner/dacapo/regression/results-20061110/DRLVM/eclipse.small.log
>>
>> >>
>> >>
>> >> there are a bunch of log messages that indicate that harmony doesn't
>> >> implement SHA-1.
>> >>
>> >> Is that true?
>> >>
>> >
>> > It can't be true, because _all_ the DaCapo benchmarks rely on SHA-1 for
>> > validation. I raised JIRA Harmony-2135 on this issue. Looks like
>> after
>> > eclipse has run, drlvm forgets how to access the SHA-1 algorithm :(
>>
>> Yep, the SHA-1 code is still there [1].
>>
>> [1]
>>
>> http://svn.apache.org/viewvc/incubator/harmony/enhanced/classlib/trunk/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1Impl.java?view=markup
>>
>>
>> Regards,
>> Tim
>>
>> --
>>
>> Tim Ellison ([EMAIL PROTECTED])
>> IBM Java technology centre, UK.
>>
>
--
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.
