changeset in /hg/icedtea: 2008-07-08 Lillian Angel <langel at red...
Lillian Angel
langel at redhat.com
Wed Jul 9 05:54:27 PDT 2008
changeset c7ade552e5cc in /hg/icedtea
details: http://icedtea.classpath.org/hg/icedtea?cmd=changeset;node=c7ade552e5cc
description:
2008-07-08 Lillian Angel <langel at redhat.com>
* patches/icedtea-security-updates.patch: New patch containing
security updates from Sun.
* Makefile.am: Added patch.
* Makefile.in: Regenerated.
diffstat:
5 files changed, 959 insertions(+), 4 deletions(-)
ChangeLog | 7
HACKING | 1
Makefile.am | 3
Makefile.in | 6
patches/icedtea-security-updates.patch | 946 ++++++++++++++++++++++++++++++++
diffs (truncated from 1018 to 500 lines):
diff -r 6afbe722b697 -r c7ade552e5cc ChangeLog
--- a/ChangeLog Tue Jul 08 22:18:23 2008 +0100
+++ b/ChangeLog Wed Jul 09 08:54:22 2008 -0400
@@ -1,3 +1,10 @@ 2008-07-08 Andrew John Hughes <gnu_and
+2008-07-08 Lillian Angel <langel at redhat.com>
+
+ * patches/icedtea-security-updates.patch: New patch containing
+ security updates from Sun.
+ * Makefile.am: Added patch.
+ * Makefile.in: Regenerated.
+
2008-07-08 Andrew John Hughes <gnu_andrew at member.fsf.org>
* patches/icedtea-zero-build.patch:
diff -r 6afbe722b697 -r c7ade552e5cc HACKING
--- a/HACKING Tue Jul 08 22:18:23 2008 +0100
+++ b/HACKING Wed Jul 09 08:54:22 2008 -0400
@@ -40,6 +40,7 @@ The following patches are currently appl
* icedtea-override-redirect-metacity.patch: Enable override redirect for Metacity window manager.
* icedtea-lsb-release.patch: Generate Debian LSB file.
* icedtea-rmi_amd64.patch: Build RMI binaries on all platforms not just 32-bit ones.
+* icedtea-security-updates.patch: OpenJDK security patches from Sun.
* icedtea-sparc.patch: Add support for GNU/Linux on SPARC (version in IcedTea includes only minimal build changes).
* icedtea-sparc64-linux.patch: Fixes needed to build the SPARC port on 32-bit SPARC as used by Fedora.
* icedtea-sparc-ptracefix.patch: Avoid importing asm-sparc/ptrace.h by including pt_regs directly.
diff -r 6afbe722b697 -r c7ade552e5cc Makefile.am
--- a/Makefile.am Tue Jul 08 22:18:23 2008 +0100
+++ b/Makefile.am Wed Jul 09 08:54:22 2008 -0400
@@ -211,7 +211,7 @@ dist-openjdk:
fi; \
fi
hg fclone -r jdk7-$(OPENJDK_VERSION) $(OPENJDK_URL) openjdk-dist/openjdk
- find -name \\.hg* | xargs rm -rf
+ find openjdk-dist/ -name \\.hg* | xargs rm -rf
cd openjdk-dist && $(ZIP) -r openjdk-$(OPENJDK_VERSION) openjdk/
mv openjdk-dist/openjdk-$(OPENJDK_VERSION).zip .
rm -rf openjdk-dist
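Review bot: The recipe line `find openjdk-dist/ -name \\.hg* | xargs rm -rf` still hands file names to `rm` through an unquoted pipe, so any path under openjdk-dist/ containing whitespace (or a stray newline) would be split and the wrong entries removed; the pattern is also unquoted to the shell, and the `\\` appears to be there only so that find receives `\.hg*`, which is easy to misread. A whitespace-safe form that needs no xargs is `find openjdk-dist/ -name '.hg*' -prune -exec rm -rf '{}' +`. The same line is in the regenerated Makefile.in hunk, so the change belongs in Makefile.am followed by regeneration. The dist-openjdk rule continues outside the hunk.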
@@ -348,6 +348,7 @@ ICEDTEA_PATCHES = \
patches/icedtea-jscheme.patch \
$(GCC_PATCH) \
$(DISTRIBUTION_PATCHES) \
+ patches/icedtea-security-updates.patch \
patches/icedtea-override.patch
if WITH_CACAO
diff -r 6afbe722b697 -r c7ade552e5cc Makefile.in
--- a/Makefile.in Tue Jul 08 22:18:23 2008 +0100
+++ b/Makefile.in Wed Jul 09 08:54:22 2008 -0400
@@ -427,8 +427,8 @@ ICEDTEA_PATCHES = patches/icedtea-copy-p
patches/icedtea-override-redirect-metacity.patch \
$(ZERO_PATCHES_COND) patches/icedtea-no-bcopy.patch \
patches/icedtea-jscheme.patch $(GCC_PATCH) \
- $(DISTRIBUTION_PATCHES) patches/icedtea-override.patch \
- $(am__append_7)
+ $(DISTRIBUTION_PATCHES) patches/icedtea-security-updates.patch \
+ patches/icedtea-override.patch $(am__append_7)
# Patch OpenJDK for plug replacements and ecj.
ICEDTEA_ECJ_PATCH = $(srcdir)/patches/icedtea-ecj.patch
@@ -819,7 +819,7 @@ dist-openjdk:
fi; \
fi
hg fclone -r jdk7-$(OPENJDK_VERSION) $(OPENJDK_URL) openjdk-dist/openjdk
- find -name \\.hg* | xargs rm -rf
+ find openjdk-dist/ -name \\.hg* | xargs rm -rf
cd openjdk-dist && $(ZIP) -r openjdk-$(OPENJDK_VERSION) openjdk/
mv openjdk-dist/openjdk-$(OPENJDK_VERSION).zip .
rm -rf openjdk-dist
diff -r 6afbe722b697 -r c7ade552e5cc patches/icedtea-security-updates.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-security-updates.patch Wed Jul 09 08:54:22 2008 -0400
@@ -0,0 +1,946 @@
+--- /dev/null Mon Jun 2 08:53:52 2008
++++ openjdk/jdk/src/share/classes/sun/management/jmxremote/LocalRMIServerSocketFactory.java Mon Jun 2 08:53:51 2008
+@@ -0,0 +1,110 @@
++/*
++ * Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Sun designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Sun in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
++ * CA 95054 USA or visit www.sun.com if you need additional information or
++ * have any questions.
++ */
++
++package sun.management.jmxremote;
++
++import java.io.IOException;
++import java.net.InetAddress;
++import java.net.NetworkInterface;
++import java.net.ServerSocket;
++import java.net.Socket;
++import java.net.SocketException;
++import java.rmi.server.RMIServerSocketFactory;
++import java.util.Enumeration;
++
++/**
++ * This RMI server socket factory creates server sockets that
++ * will only accept connection requests from clients running
++ * on the host where the RMI remote objects have been exported.
++ */
++public final class LocalRMIServerSocketFactory implements RMIServerSocketFactory {
++ /**
++ * Creates a server socket that only accepts connection requests from
++ * clients running on the host where the RMI remote objects have been
++ * exported.
++ */
++ public ServerSocket createServerSocket(int port) throws IOException {
++ return new ServerSocket(port) {
++ @Override
++ public Socket accept() throws IOException {
++ Socket socket = super.accept();
++ InetAddress remoteAddr = socket.getInetAddress();
++ final String msg = "The server sockets created using the " +
++ "LocalRMIServerSocketFactory only accept connections " +
++ "from clients running on the host where the RMI " +
++ "remote objects have been exported.";
++ // Retrieve all the network interfaces on this host.
++ Enumeration<NetworkInterface> nis;
++ try {
++ nis = NetworkInterface.getNetworkInterfaces();
++ } catch (SocketException e) {
++ try {
++ socket.close();
++ } catch (IOException ioe) {
++ // Ignore...
++ }
++ throw new IOException(msg, e);
++ }
++ // Walk through the network interfaces to see
++ // if any of them matches the client's address.
++ // If true, then the client's address is local.
++ while (nis.hasMoreElements()) {
++ NetworkInterface ni = nis.nextElement();
++ Enumeration<InetAddress> addrs = ni.getInetAddresses();
++ while (addrs.hasMoreElements()) {
++ InetAddress localAddr = addrs.nextElement();
++ if (localAddr.equals(remoteAddr)) {
++ return socket;
++ }
++ }
++ }
++ // The client's address is remote so refuse the connection.
++ try {
++ socket.close();
++ } catch (IOException ioe) {
++ // Ignore...
++ }
++ throw new IOException(msg);
++ }
++ };
++ }
++
++ /**
++ * Two LocalRMIServerSocketFactory objects
++ * are equal if they are of the same type.
++ */
++ @Override
++ public boolean equals(Object obj) {
++ return (obj instanceof LocalRMIServerSocketFactory);
++ }
++
++ /**
++ * Returns a hash code value for this LocalRMIServerSocketFactory.
++ */
++ @Override
++ public int hashCode() {
++ return getClass().hashCode();
++ }
++}
+--- old/src/share/lib/management/management.properties Mon Jun 2 08:53:52 2008
++++ openjdk/jdk/src/share/lib/management/management.properties Mon Jun 2 08:53:52 2008
+@@ -82,7 +82,7 @@
+ #
+ # com.sun.management.snmp.interface=<InetAddress>
+ # Specifies the local interface on which the SNMP agent will bind.
+-# This is usefull when running on machines which have several
++# This is useful when running on machines which have several
+ # interfaces defined. It makes it possible to listen to a specific
+ # subnet accessible through that interface.
+ # Default for this property is "localhost".
+@@ -144,6 +144,26 @@
+ #
+
+ #
++# ########## RMI connector settings for local management ##########
++#
++# com.sun.management.jmxremote.local.only=true|false
++# Default for this property is true. (Case for true/false ignored)
++# If this property is specified as true then the local JMX RMI connector
++# server will only accept connection requests from clients running on
++# the host where the out-of-the-box JMX management agent is running.
++# In order to ensure backwards compatibility this property could be
++# set to false. However, deploying the local management agent in this
++# way is discouraged because the local JMX RMI connector server will
++# accept connection requests from any client either local or remote.
++# For remote management the remote JMX RMI connector server should
++# be used instead with authentication and SSL/TLS encryption enabled.
++#
++
++# For allowing the local management agent accept local
++# and remote connection requests use the following line
++# com.sun.management.jmxremote.local.only=false
++
++#
+ # ###################### RMI SSL #############################
+ #
+ # com.sun.management.jmxremote.ssl=true|false
+No differences encountered
+--- old/src/share/classes/com/sun/org/apache/xerces/internal/impl/XMLDocumentScannerImpl.java Fri May 30 16:49:25 2008
++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/impl/XMLDocumentScannerImpl.java Fri May 30 16:49:25 2008
+@@ -185,9 +188,6 @@
+ /** Load external DTD. */
+ protected boolean fLoadExternalDTD = true;
+
+- /** Disallow doctype declaration. */
+- protected boolean fDisallowDoctype = false;
+-
+ // state
+
+ /** Seen doctype declaration. */
+@@ -227,8 +227,8 @@
+ /** String. */
+ private XMLString fString = new XMLString();
+
+- public static final char [] DOCTYPE = {'D','O','C','T','Y','P','E'};
+- public static final char [] COMMENTSTRING = {'-','-'};
++ private static final char [] DOCTYPE = {'D','O','C','T','Y','P','E'};
++ private static final char [] COMMENTSTRING = {'-','-'};
+
+ //
+ // Constructors
+@@ -708,6 +708,12 @@
+ //
+ // Private methods
+ //
++ /** Set the scanner state after scanning DTD */
++ protected void setEndDTDScanState() {
++ setScannerState(SCANNER_STATE_PROLOG);
++ setDriver(fPrologDriver);
++ fEntityManager.setEntityHandler(XMLDocumentScannerImpl.this);
++ }
+
+ /** Returns the scanner state name. */
+ protected String getScannerStateName(int state) {
+@@ -930,19 +936,21 @@
+ reportFatalError("AlreadySeenDoctype", null);
+ }
+ fSeenDoctypeDecl = true;
+- if(fDTDDriver == null){
+- fDTDDriver = new DTDDriver();
+- }
+
+ // scanDoctypeDecl() sends XNI doctypeDecl event that
+ // in SAX is converted to startDTD() event.
+ if (scanDoctypeDecl(fDisallowDoctype)) {
++ //allow parsing of entity decls to continue in order to stay well-formed
+ setScannerState(SCANNER_STATE_DTD_INTERNAL_DECLS);
+ fSeenInternalSubset = true;
++ if(fDTDDriver == null){
++ fDTDDriver = new DTDDriver();
++ }
+ setDriver(fContentDriver);
+- int dtdEvent = fDTDDriver.next();
++ //always return DTD event, the event however, will not contain any entities
++ return fDTDDriver.next();
+ // If no DTD support, ignore and continue parsing
+- return fDisallowDoctype ? next() : dtdEvent;
++ //return fDisallowDoctype ? next() : dtdEvent;
+ }
+
+ /** xxx:check this part again
+@@ -955,17 +963,18 @@
+ }
+ */
+
+- if (fDisallowDoctype) {
+- setScannerState(SCANNER_STATE_PROLOG);
+- return next();
+- }
+-
+ // handle external subset
+ if (fDoctypeSystemId != null) {
+ if (((fValidation || fLoadExternalDTD)
+ && (fValidationManager == null || !fValidationManager.isCachedDTD()))) {
+- setScannerState(SCANNER_STATE_DTD_EXTERNAL);
++ if (!fDisallowDoctype) {
++ setScannerState(SCANNER_STATE_DTD_EXTERNAL);
++ } else {
++ setScannerState(SCANNER_STATE_PROLOG);
++ }
+ setDriver(fContentDriver);
++ if(fDTDDriver == null)
++ fDTDDriver = new DTDDriver();
+ return fDTDDriver.next();
+
+ }
+@@ -976,8 +985,14 @@
+ // This handles the case of a DOCTYPE that had neither an internal subset or an external subset.
+ fDTDScanner.setInputSource(fExternalSubsetSource);
+ fExternalSubsetSource = null;
+- setScannerState(SCANNER_STATE_DTD_EXTERNAL_DECLS);
++ if (!fDisallowDoctype) {
++ setScannerState(SCANNER_STATE_DTD_EXTERNAL_DECLS);
++ } else {
++ setScannerState(SCANNER_STATE_PROLOG);
++ }
+ setDriver(fContentDriver);
++ if(fDTDDriver == null)
++ fDTDDriver = new DTDDriver();
+ return fDTDDriver.next();
+ }
+ }
+@@ -1117,19 +1132,21 @@
+ }
+ fMarkupDepth--;
+
+- // scan external subset next
+- if (!XMLDocumentScannerImpl.this.fDisallowDoctype &&
+- fDoctypeSystemId != null && (fValidation || fLoadExternalDTD)) {
+- setScannerState(SCANNER_STATE_DTD_EXTERNAL);
++ if (fDisallowDoctype) {
++ //simply reset the entity store without having to mess around
++ //with the DTD Scanner code
++ fEntityStore = fEntityManager.getEntityStore();
++ fEntityStore.reset();
++ } else {
++ // scan external subset next unless we are ignoring DTDs
++ if (fDoctypeSystemId != null && (fValidation || fLoadExternalDTD)) {
++ setScannerState(SCANNER_STATE_DTD_EXTERNAL);
++ break;
++ }
+ }
++ setEndDTDScanState();
+
+- // break out of here
+- else {
+- setScannerState(SCANNER_STATE_PROLOG);
+- setDriver(fPrologDriver);
+- fEntityManager.setEntityHandler(XMLDocumentScannerImpl.this);
+- return true;
+- }
++ return true;
+ }
+ break;
+ }
+@@ -1160,13 +1177,16 @@
+ boolean completeDTD = true;
+ boolean moreToScan = fDTDScanner.scanDTDExternalSubset(completeDTD);
+ if (!moreToScan) {
+- setScannerState(SCANNER_STATE_PROLOG);
+- setDriver(fPrologDriver);
+- fEntityManager.setEntityHandler(XMLDocumentScannerImpl.this);
++ setEndDTDScanState();
+ return true;
+ }
+ break;
+ }
++ case SCANNER_STATE_PROLOG : {
++ // skip entity decls
++ setEndDTDScanState();
++ return true;
++ }
+ default: {
+ throw new XNIException("DTDDriver#dispatch: scanner state="+fScannerState+" ("+getScannerStateName(fScannerState)+')');
+ }
+--- old/src/share/classes/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Fri May 30 16:49:29 2008
++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Fri May 30 16:49:29 2008
+@@ -289,6 +289,8 @@
+ protected boolean fReportCdataEvent = false ;
+ protected boolean fIsCoalesce = false ;
+ protected String fDeclaredEncoding = null;
++ /** Disallow doctype declaration. */
++ protected boolean fDisallowDoctype = false;
+
+ // drivers
+
+@@ -1852,6 +1854,11 @@
+ }
+ // start general entity
+ if (!fEntityStore.isDeclaredEntity(name)) {
++ //SUPPORT_DTD=false && ReplaceEntityReferences should throw exception
++ if (fDisallowDoctype && fReplaceEntityReferences) {
++ reportFatalError("EntityNotDeclared", new Object[]{name});
++ return;
++ }
+ //REVISIT: one more case needs to be included: external PE and standalone is no
+ if ( fHasExternalDTD && !fStandalone) {
+ if (fValidation)
+--- /dev/null Mon Jun 2 16:07:10 2008
++++ openjdk/jaxws/test/closed/javax/xml/stream/XMLStreamReaderTest/SupportDTD.java Mon Jun 2 16:07:26 2008
+@@ -0,0 +1,296 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright 1997-2007 Sun Microsystems, Inc. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License"). You
++ * may not use this file except in compliance with the License. You can obtain
++ * a copy of the License at https://glassfish.dev.java.net/public/CDDL+GPL.html
++ * or glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
++ * Sun designates this particular file as subject to the "Classpath" exception
++ * as provided by Sun in the GPL Version 2 section of the License file that
++ * accompanied this code. If applicable, add the following below the License
++ * Header, with the fields enclosed by brackets [] replaced by your own
++ * identifying information: "Portions Copyrighted [year]
++ * [name of copyright owner]"
++ *
++ * Contributor(s):
++ *
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license." If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above. However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++/*
++ * @test @(#)SupportDTD.java 1.1 08/03/28
++ * @bug 6542088
++ * @key cte_test
++ * @summary JAX-WS server allows XXE attacks
++ * Fixed in JDK6u7
++ * @run main SupportDTD
++*/
++
++import java.io.StringReader;
++import java.io.File;
++import java.io.FileInputStream;
++import java.util.List;
++
++import javax.xml.stream.XMLEventReader;
++
++import javax.xml.stream.XMLInputFactory;
++import javax.xml.stream.XMLStreamConstants;
++import javax.xml.stream.XMLStreamReader;
++import javax.xml.stream.events.*;
++import javax.xml.stream.events.Characters;
++
++/**
++ *
++ * SUPPORT_DTD behavior:
++ * Regardless of supportDTD, always report a DTD event () and throw an
++ * exception if an entity reference is found when supportDTD is false
++ *
++ * The behavior is related to property IS_REPLACING_ENTITY_REFERENCES.
++ *
++ * SUPPORT_DTD Replace Entity DTD ENTITY_REFERENCE
++ * true (default) true (default) yes, has entities no, return Characters
++ * true (default) false yes, has entities yes, can print entity name
++ * false true (default) yes, but no entity Exception: Undeclared general entity
++ * false false yes, but no entity yes, can print entity name
++ *
++ * Two patches related:
++ * sjsxp issue 9: XMLDocumentScannerImpl.java rev 1.6
++ * If the supportDTD property is set to FALSE, external and internal subsets
++ * are now ignored, rather than an error being reported. In particular, with
++ * this property set to FALSE, no error is reported if an external subset cannot
++ * be found. Note that the internal subset is still parsed (and errors could be
++ * reported here) but no events are returned by the parser. This fixes SJSXP
++ * issue 9 from Java.net.
++ * Note: SAX and DOM report fatal errors:
++ * If either SAX or DOM is used, turning on http://apache.org/xml/features/disallow-doctype-decl [1] effectively disables DTD,
++ * according to the spec: A fatal error is thrown if the incoming document contains a DOCTYPE declaration.
++ * The current jaxp implementation actually throws a nullpointexception. A better error message could be used.
++ *
++ * This change is required by CR 6542088.
++ * @author joe.wang at sun.com
++ */
++public class SupportDTD {
++ static final boolean DEBUG = false;
++ static final String _file = "./tests/XMLStreamReader/ExternalDTD.xml";
++ static final String XML = "<?xml version='1.0' ?>"
++ +"<!DOCTYPE root [\n"