# Tuesday, 27 July 2010
IKVM.NET 0.44 Release Candidate 2

A new release candidate with two bug fixes.

Changes:

  • Changed version to 0.44.0.2
  • Fixed Field.set() bug #3033769.
  • When a protected or public member is accessed in a non-public base class in another assembly that is simultaneously compiled, we need to add an InternalsVisibleTo to the callee assembly for the caller assembly.

Binary available here: ikvmbin-0.44.0.2.zip

Sources: ikvmsrc-0.44.0.2.zip, openjdk6-b18-stripped.zip

The sources zip no longer contains any binaries.

Tuesday, 27 July 2010 08:59:53 (W. Europe Daylight Time, UTC+02:00)

IKVM.NET Security Update

Potential Security Vulnerability

There is a bug in IKVM's implementation of java.lang.reflect.Field.set(). The dynamic method that is generated doesn't properly cast the value to the type of the field. This is obviously a bug, but it could also lead to a type safety vulnerability. It is not directly exploitable, because the unverifiable dynamic method will do a full trust security demand, and when there is partially trusted code on the stack, that demand will fail.

However, if you have any code that indirectly exposes Field.set() to untrusted code, it may be exploitable. In particular, the following scenarios warrant careful attention:

  • Having an assembly in the GAC that has the AllowPartiallyTrustedCallerAttribute and exposes Field.set() functionality to partially trusted callers and uses a security assert to stop the stack walk.
  • If you load partially trusted code in your application and your code uses Field.set() on values controlled by the partially trusted code, without any partially trusted code being directly on the stack.
  • If you process data or a (lightweight) scripting language that somehow exposes Field.set() functionality to untrusted data/code.
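
For code that falls into one of the scenarios above, one defence-in-depth measure is to check the value's type yourself before delegating to Field.set(), so the call does not rely on the runtime's own cast. This is an added example, not code from IKVM.NET or from the original post; `CheckedFieldSet` and `Sample` are hypothetical names, and the primitive check is deliberately stricter than the JDK's (no widening conversions).

```java
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class CheckedFieldSet {
    // Wrapper class that must be supplied for each primitive field type.
    private static final Map<Class<?>, Class<?>> WRAPPERS = new HashMap<Class<?>, Class<?>>();
    static {
        WRAPPERS.put(boolean.class, Boolean.class);
        WRAPPERS.put(byte.class, Byte.class);
        WRAPPERS.put(char.class, Character.class);
        WRAPPERS.put(short.class, Short.class);
        WRAPPERS.put(int.class, Integer.class);
        WRAPPERS.put(long.class, Long.class);
        WRAPPERS.put(float.class, Float.class);
        WRAPPERS.put(double.class, Double.class);
    }

    /** Hypothetical helper: verify the value's type, then delegate to Field.set(). */
    public static void set(Field field, Object target, Object value) throws IllegalAccessException {
        Class<?> type = field.getType();
        if (type.isPrimitive()) {
            // Stricter than the JDK: exact wrapper only, and null is never valid here.
            if (value == null || value.getClass() != WRAPPERS.get(type)) {
                throw new IllegalArgumentException("bad value for " + field);
            }
        } else if (value != null && !type.isInstance(value)) {
            // Reference field: the value must be an instance of the declared field type.
            throw new IllegalArgumentException("bad value for " + field);
        }
        field.set(target, value);
    }

    // Constructed sample type used only to exercise the helper.
    static class Sample { public String name = "initial"; public int count; }

    public static void main(String[] args) throws Exception {
        Sample s = new Sample();
        set(Sample.class.getField("name"), s, "ok");
        set(Sample.class.getField("count"), s, Integer.valueOf(3));
        try {
            set(Sample.class.getField("name"), s, Integer.valueOf(42)); // wrong type
            throw new AssertionError("mismatched value was accepted");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
        System.out.println(s.name + " " + s.count);
    }
}
```

The guard does not replace installing the fixed release; it only ensures that a mismatched value is rejected before it reaches the reflection layer.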

Affected Versions

IKVM.NET versions 0.38, 0.40, 0.42 and 0.44 are affected. Versions 0.36 and earlier are not affected.

Update

There is an update of IKVM.NET 0.42; earlier versions will not be updated. There will be a new 0.44 release candidate later today.

IKVM.NET 0.42 Update 2

Changes:

  • Updated version to 0.42.0.7.
  • Fixed Field.set() bug #3033769.

Binaries available here: ikvmbin-0.42.0.7.zip

Sources: ikvm-0.42.0.7.zip, openjdk6-b16-stripped.zip

Credits

Thanks to Dawid Weiss for reporting this issue.

Tuesday, 27 July 2010 08:57:38 (W. Europe Daylight Time, UTC+02:00)

# Monday, 12 July 2010
IKVM.NET 0.44 Release Candidate 1

A new release candidate with two bug fixes.

Changes:

  • Changed version to 0.44.0.1
  • Fixed verifier regression introduced with try/fault handler changes. Thanks to Enrico Minack for reporting this.
  • When a protected field is accessed in a non-public base class in another assembly that is simultaneously compiled, we need to add an InternalsVisibleTo to the callee assembly for the caller assembly.

Binary available here: ikvmbin-0.44.0.1.zip

Sources: ikvmsrc-0.44.0.1.zip, openjdk6-b18-stripped.zip

The sources zip no longer contains any binaries.

Monday, 12 July 2010 09:09:49 (W. Europe Daylight Time, UTC+02:00)

# Wednesday, 07 July 2010
IKVM.NET 0.44 Release Candidate 0

The first 0.44 release candidate is available.

What's New (relative to IKVM.NET 0.42):

  • Integrated OpenJDK 6 build 18
  • Bug fixes
  • Code cleanup
  • Many AWT improvements (by Nat and Volker)
  • IKVM.Reflection
  • Ability to build from source targeting .NET 4.0
  • Reflection optimizations
  • Codegen optimizations
  • JNI optimizations
  • Introduced IKVM.OpenJDK.Tools.dll
  • Improved build process (removed dependency on shipping stub jar binaries)
  • Improved ikvmc parameter validation and error handling
  • Annotated all security critical code with .NET 4.0 security model custom attributes
  • Added -nostdlib option to ikvmstub and ikvmc to allow them to work with .NET 4.0 assemblies (while running on .NET 2.0)
  • Implemented RuntimeMXBean and OperatingSystemMXBean
  • Experimental (when built from source, targeting .NET 4.0) support for class GC

Binary available here: ikvmbin-0.44.0.0.zip

Sources: ikvmsrc-0.44.0.0.zip, openjdk6-b18-stripped.zip

The sources zip no longer contains any binaries.

Wednesday, 07 July 2010 15:54:40 (W. Europe Daylight Time, UTC+02:00)

Bug Reports

I've disabled the ability for anonymous users to post bug reports (and feature requests). Two useless duplicate reports (3026137 and 3026140) pushed me over the edge.

Some bug reporting tips:

  • Include all the (possibly) relevant information (IKVM.NET, .NET / Mono and Operating System version numbers, CPU architecture, error messages, warning messages).
  • Try to create a small repro that demonstrates the problem. Make sure it compiles; don't just include a non-compiling code snippet.
  • Clearly separate fact from speculation.
  • Read this excellent essay on How to Report Bugs Effectively by Simon Tatham.

P.S. In the case of the above bug report, the poster tried to look at the code for ServerSocket.accept() with Reflector and Reflector crashed. This is a Reflector bug; it simply doesn't understand the code constructs that ikvmc generates (even though they are perfectly valid).

Wednesday, 07 July 2010 14:11:51 (W. Europe Daylight Time, UTC+02:00)