Some new security tests failing (one by removing the j2sdk-image dir!) (Was: changeset in /hg/icedtea6...)

Mark Wielaard mark at klomp.org
Tue Dec 2 16:06:59 PST 2008 

Hi Lillian,
and Hi Jon, read below for a weird issue with jtreg,

On Tue, 2008-12-02 at 13:27 +0000, Lillian Angel wrote:
> changeset a599dbe81c3d in /hg/icedtea6
> details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=a599dbe81c3d
> description:
> 	2008-12-02  Lillian Angel  <langel at redhat.com>
> 
> 	        * Makefile.am
> 	        (ICEDTEA_PATCHES): Added new OpenJDK security patches.
> 	        * patches/icedtea-4486841.patch,
> 	        patches/icedtea-6484091.patch,
> 	        patches/icedtea-6497740.patch,
> 	        patches/icedtea-6588160.patch,
> 	        patches/icedtea-6592792.patch,
> 	        patches/icedtea-6721753.patch,
> 	        patches/icedtea-6726779.patch,
> 	        patches/icedtea-6733959.patch,
> 	        patches/icedtea-6734167.patch,
> 	        patches/icedtea-6755943.patch,
> 	        patches/icedtea-6766136.patch: New file

Thanks for getting these applied so quickly. It is good to see you are
on top of the security issues.

I did find some issues with the newly included tests though.

- closed/sun/security/rsa/TestLimits.java needs two pre-created keystore
files. It also describes how to create them. I added them to the overlay
(since you cannot easily add them to the patches files.)

- closed/java/io/File/createTempFile/GuessNext.java had a "@key
closed-security". closed-security isn't valid key according to our
TEST.ROOT, so I just removed it.

BTW. Both these new "closed" tests don't have a GPL header.

- tools/launcher/MultipleJRE.sh uses a class ZipMeUp, but was missing an
@build for that class. I added that.

Now that last issue looks innocent enough, but it isn't! It will DESTROY
your just build j2sdk-image build dir! Look at the following test script
fragment:

TestLongMainClass() {
   JVER=$1
   if [ "$JVER" = "mklink" ]; then
       JVER=XX
       JDKXX=jdk/j2re$JVER
       rm -rf jdk
       mkdir jdk
       ln -s $TESTJAVA $JDKXX
       JAVA_VERSION_PATH="`pwd`/jdk"
       export JAVA_VERSION_PATH
   fi
   $JAVAEXE -cp $TESTCLASSES ZipMeUp UglyBetty.jar 4097
   message="`$JAVAEXE -version:$JVER -jar UglyBetty.jar 2>&1`"
   echo $message | grep "Error: main-class: attribute exceeds system limits" > /dev/null 2>&1
   if [ $? -ne 0 ]; then
       printf "Long manifest test did not get expected error"
       exit 1
   fi
   unset JAVA_VERSION_PATH
   rm -rf jdk
}

where
$1 = "mklink"
$TESTJAVA = /path/to/your/just/build/j2sdk-image

What this will do is create a soft link in the JTwork/scratch dir called
jdk/j2reXX that points to your just build j2sdk-image. If the test
succeeds this jdk dir with the soft link in it will just be removed and
everything is fine. (rm -r doesn't follow soft links)

But if this fails (because of the missing ZipMeUp class) the script will
exit 1 prematurely without removing the softlink from the scratch dir.
On the next test run jtreg will remove the contents of the
JTwork/scratch dir. But jtreg does follow soft links!
So it will remove everything in your shiny new j2sdk-image build.

The fix makes the script not fail. But apparently having tests create
soft links is a pretty dangerous thing...

Fixed as follows:

2008-12-02  Mark Wielaard  <mark at klomp.org>

    * overlays/openjdk/jdk/test/closed/sun/security/rsa/keystore.bad,
    overlays/openjdk/jdk/test/closed/sun/security/rsa/keystore.good:
    New keystore files.
    * patches/icedtea-6497740.patch: Remove binary file diffs.
    * patches/icedtea-6721753.patch: Remove @key closed-security.
    * patches/icedtea-6733959.patch: Add @build ZipMeUp.

Cheers,

Mark

diff -r b7a8b3f766db -r 7eca1fba7ef1 patches/icedtea-6497740.patch
--- a/patches/icedtea-6497740.patch	Tue Dec 02 19:20:50 2008 +0100
+++ b/patches/icedtea-6497740.patch	Wed Dec 03 00:45:09 2008 +0100
@@ -1546,8 +1546,6 @@
 +        }
 +    }
 +}
-Binary files /tmp/dnlaqOr and new/test/closed/sun/security/rsa/keystore.bad differ
-Binary files /tmp/dxQaGis and new/test/closed/sun/security/rsa/keystore.good differ
 --- /dev/null	Fri Aug 22 18:59:31 2008
 +++ openjdk/jdk/test/closed/sun/security/rsa/sunpkcs11-solaris_enableSHA1withRSAsig.cfg	Fri Aug 22 18:59:29 2008
 @@ -0,0 +1,36 @@
diff -r b7a8b3f766db -r 7eca1fba7ef1 patches/icedtea-6721753.patch
--- a/patches/icedtea-6721753.patch	Tue Dec 02 19:20:50 2008 +0100
+++ b/patches/icedtea-6721753.patch	Wed Dec 03 00:45:09 2008 +0100
@@ -88,10 +88,9 @@
      /**
 --- /dev/null	Thu Oct  9 16:12:28 2008
 +++ openjdk/jdk/test/closed/java/io/File/createTempFile/GuessNext.java	Thu Oct  9 16:12:25 2008
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,25 @@
 +/* @test
 + * @bug 6721753
-+ * @key closed-security
 + * @summary Test that temporary files don't use incrementing counter
 + */
 +
diff -r b7a8b3f766db -r 7eca1fba7ef1 patches/icedtea-6733959.patch
--- a/patches/icedtea-6733959.patch	Tue Dec 02 19:20:50 2008 +0100
+++ b/patches/icedtea-6733959.patch	Wed Dec 03 00:45:09 2008 +0100
@@ -112,6 +112,14 @@
 +}
 --- MultipleJRE.sh	2008-11-21 14:18:54.000000000 -0500
 +++ openjdk/jdk/test/tools/launcher/MultipleJRE.sh	2008-11-21 14:23:48.000000000 -0500
+@@ -2,6 +2,7 @@
+ # @bug 4811102 4953711 4955505 4956301 4991229 4998210 5018605 6387069
+ # @build PrintVersion
+ # @build UglyPrintVersion
++# @build ZipMeUp
+ # @run shell MultipleJRE.sh
+ # @summary Verify Multiple JRE version support
+ # @author Joseph E. Kowalski
 @@ -48,10 +48,23 @@
    exit 1
  fi

More information about the distro-pkg-dev mailing list