[patch] fix buffer overflow in debugger's socket handler
Andrew John Hughes
gnu_andrew at member.fsf.org
Thu Aug 27 09:50:38 PDT 2009
2009/8/27 Kees Cook <kees at ubuntu.com>:
> Hi,
>
> On Thu, Aug 27, 2009 at 05:00:54PM +0100, Andrew John Hughes wrote:
>> 2009/8/27 Matthias Klose <doko at ubuntu.com>:
>> > Description: buffer not large enough for maximum size of debugger warning.
>> > (Largest error could be 73 bytes long: "handshake failed - received >Here's
>> > a poke < - excepted >JDWP-Handshake<")
>> > Ubuntu: https://launchpad.net/bugs/419018
>> > Upstream: https://bugs.openjdk.java.net/show_bug.cgi?id=100103
>> >
>> > This should go both to the IC6 trunk and the 1.6 branch.
>> >
>> > Matthias
>> >
>>
>> Patches should be approved before being committed to the release
>> branch, and ideally for HEAD as well. I don't see any comments on
>> this post, yet the patch was just pushed to both.
>
> I haven't seen the commit, but it should also probably match the very
> recent upstream commit, which is slightly different from my more minimal
> approach:
>
> http://cr.openjdk.java.net/~alanb/6432567/webrev.00/jdk.patch
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
Except that's not an upstream commit, just a webrev:
http://cr.openjdk.java.net/~alanb/6432567/webrev.00/
There is no upstream commit yet as far as I can see:
http://hg.openjdk.java.net/jdk7/tl/jdk
And the patch committed to IcedTea6 doesn't contain the test case. It
shoudl also use the Sun bug ID (6432567) which is how it will be
committed to tl.
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
More information about the distro-pkg-dev
mailing list