/hg/release/icedtea6-1.5: Add latest security updates.
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Mon Nov 9 08:54:59 PST 2009
changeset dc4494777bad in /hg/release/icedtea6-1.5
details: http://icedtea.classpath.org/hg/release/icedtea6-1.5?cmd=changeset;node=dc4494777bad
author: Andrew John Hughes <ahughes at redhat.com>
date: Mon Nov 09 16:58:51 2009 +0000
Add latest security updates.
2009-11-09 Andrew John Hughes <ahughes at redhat.com>
* Makefile.am: Add remaining security patches.
* NEWS: Updated with security patches.
* patches/security/icedtea-6631533.patch,
* patches/security/icedtea-6632445.patch,
* patches/security/icedtea-6636650.patch,
* patches/security/icedtea-6657026.patch,
* patches/security/icedtea-6657138.patch,
* patches/security/icedtea-6664512.patch,
* patches/security/icedtea-6822057.patch,
* patches/security/icedtea-6824265.patch,
* patches/security/icedtea-6861062.patch,
* patches/security/icedtea-6872358.patch: New security
patches.
diffstat:
13 files changed, 4731 insertions(+), 3 deletions(-)
ChangeLog | 18
Makefile.am | 16
NEWS | 18
patches/security/icedtea-6631533.patch | 184 +++
patches/security/icedtea-6632445.patch | 103 ++
patches/security/icedtea-6636650.patch | 139 ++
patches/security/icedtea-6657026.patch | 1609 ++++++++++++++++++++++++++++++++
patches/security/icedtea-6657138.patch | 745 ++++++++++++++
patches/security/icedtea-6664512.patch | 1227 ++++++++++++++++++++++++
patches/security/icedtea-6822057.patch | 32
patches/security/icedtea-6824265.patch | 142 ++
patches/security/icedtea-6861062.patch | 344 ++++++
patches/security/icedtea-6872358.patch | 157 +++
diffs (truncated from 4799 to 500 lines):
diff -r 662422897e63 -r dc4494777bad ChangeLog
--- a/ChangeLog Tue Nov 03 17:44:08 2009 +0100
+++ b/ChangeLog Mon Nov 09 16:58:51 2009 +0000
@@ -1,4 +1,22 @@ 2009-11-03 Martin Matejovic <mmatejov at re
+2009-11-09 Andrew John Hughes <ahughes at redhat.com>
+
+ * Makefile.am:
+ Add remaining security patches.
+ * NEWS: Updated with security patches.
+ * patches/security/icedtea-6631533.patch,
+ * patches/security/icedtea-6632445.patch,
+ * patches/security/icedtea-6636650.patch,
+ * patches/security/icedtea-6657026.patch,
+ * patches/security/icedtea-6657138.patch,
+ * patches/security/icedtea-6664512.patch,
+ * patches/security/icedtea-6822057.patch,
+ * patches/security/icedtea-6824265.patch,
+ * patches/security/icedtea-6861062.patch,
+ * patches/security/icedtea-6872358.patch:
+ New security patches.
+
2009-11-03 Martin Matejovic <mmatejov at redhat.com>
+
* patches/security/icedtea-6862968.patch
* patches/security/icedtea-6863503.patch
* patches/security/icedtea-6864911.patch
diff -r 662422897e63 -r dc4494777bad Makefile.am
--- a/Makefile.am Tue Nov 03 17:44:08 2009 +0100
+++ b/Makefile.am Mon Nov 09 16:58:51 2009 +0000
@@ -613,9 +613,19 @@ ICEDTEA_PATCHES = \
patches/security/icedtea-6863503.patch \
patches/security/icedtea-6864911.patch \
patches/security/icedtea-6872357.patch \
- patches/security/icedtea-6874643.patch
-
-f WITH_ALT_HSBUILD
+ patches/security/icedtea-6874643.patch \
+ patches/security/icedtea-6631533.patch \
+ patches/security/icedtea-6632445.patch \
+ patches/security/icedtea-6636650.patch \
+ patches/security/icedtea-6657026.patch \
+ patches/security/icedtea-6657138.patch \
+ patches/security/icedtea-6664512.patch \
+ patches/security/icedtea-6822057.patch \
+ patches/security/icedtea-6824265.patch \
+ patches/security/icedtea-6861062.patch \
+ patches/security/icedtea-6872358.patch
+
+if WITH_ALT_HSBUILD
ICEDTEA_PATCHES += \
patches/icedtea-format-warnings.patch \
patches/icedtea-fortify-source.patch \
diff -r 662422897e63 -r dc4494777bad NEWS
--- a/NEWS Tue Nov 03 17:44:08 2009 +0100
+++ b/NEWS Mon Nov 09 16:58:51 2009 +0000
@@ -1,3 +1,21 @@ New in release 1.5.2 (2009-09-04)
+New in release 1.5.3 (2009-11-09)
+- Latest security updates:
+ - (CVE-2009-3728) ICC_Profile file existence detection information leak (6631533)
+ - (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445)
+ - (CVE-2009-3881) resurrected classloaders can still have children (6636650)
+ - (CVE-2009-3882) Numerous static security flaws in Swing (findbugs) (6657026)
+ - (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138)
+ - (CVE-2009-3880) UI logging information leakage (6664512)
+ - (CVE-2009-3879) GraphicsConfiguration information leak (6822057)
+ - (CVE-2009-3884) zoneinfo file existence information leak (6824265)
+ - (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062)
+ - (CVE-2009-3873) JPEG Image Writer quantization problem (6862968)
+ - (CVE-2009-3875) MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
+ - (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser denial of service (6864911)
+ - (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357)
+ - (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643
+ - (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358)
+
New in release 1.5.2 (2009-09-04)
- Timezone fix: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=377
- Stackoverflow error fix: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=381
diff -r 662422897e63 -r dc4494777bad patches/security/icedtea-6631533.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/icedtea-6631533.patch Mon Nov 09 16:58:51 2009 +0000
@@ -0,0 +1,184 @@
+--- old/src/share/classes/java/awt/color/ICC_Profile.java 2009-07-29 13:31:14.948600000 +0400
++++ openjdk/jdk/src/share/classes/java/awt/color/ICC_Profile.java 2009-07-29 13:31:14.153000000 +0400
+@@ -944,15 +944,15 @@
+ * and it does not permit read access to the given file.
+ */
+ public static ICC_Profile getInstance(String fileName) throws IOException {
+- ICC_Profile thisProfile;
+- FileInputStream fis;
++ ICC_Profile thisProfile;
++ FileInputStream fis = null;
+
+- SecurityManager security = System.getSecurityManager();
+- if (security != null) {
+- security.checkRead(fileName);
+- }
+
+- if ((fis = openProfile(fileName)) == null) {
++ File f = getProfileFile(fileName);
++ if (f != null) {
++ fis = new FileInputStream(f);
++ }
++ if (fis == null) {
+ throw new IOException("Cannot open file " + fileName);
+ }
+
+@@ -1064,13 +1064,24 @@
+
+
+ void activateDeferredProfile() {
+- byte profileData[];
+- FileInputStream fis;
+- String fileName = deferralInfo.filename;
++ byte profileData[];
++ FileInputStream fis;
++ final String fileName = deferralInfo.filename;
+
+ profileActivator = null;
+ deferralInfo = null;
+- if ((fis = openProfile(fileName)) == null) {
++ PrivilegedAction<FileInputStream> pa = new PrivilegedAction<FileInputStream>() {
++ public FileInputStream run() {
++ File f = getStandardProfileFile(fileName);
++ if (f != null) {
++ try {
++ return new FileInputStream(f);
++ } catch (FileNotFoundException e) {}
++ }
++ return null;
++ }
++ };
++ if ((fis = AccessController.doPrivileged(pa)) == null) {
+ throw new IllegalArgumentException("Cannot open file " + fileName);
+ }
+ try {
+@@ -1765,66 +1776,88 @@
+ * available, such as a profile for sRGB. Built-in profiles use .pf as
+ * the file name extension for profiles, e.g. sRGB.pf.
+ */
+- private static FileInputStream openProfile(final String fileName) {
+- return (FileInputStream)java.security.AccessController.doPrivileged(
+- new java.security.PrivilegedAction() {
+- public Object run() {
+- return privilegedOpenProfile(fileName);
+- }
+- });
+- }
+-
+- /*
+- * this version is called from doPrivileged in privilegedOpenProfile.
+- * the whole method is privileged!
+- */
+- private static FileInputStream privilegedOpenProfile(String fileName) {
+- FileInputStream fis = null;
++ private static File getProfileFile(String fileName) {
+ String path, dir, fullPath;
+
+ File f = new File(fileName); /* try absolute file name */
+-
++ if (f.isAbsolute()) {
++ /* Rest of code has little sense for an absolute pathname,
++ so return here. */
++ return f.isFile() ? f : null;
++ }
+ if ((!f.isFile()) &&
+ ((path = System.getProperty("java.iccprofile.path")) != null)){
+ /* try relative to java.iccprofile.path */
+- StringTokenizer st =
+- new StringTokenizer(path, File.pathSeparator);
+- while (st.hasMoreTokens() && (!f.isFile())) {
+- dir = st.nextToken();
+- fullPath = dir + File.separatorChar + fileName;
+- f = new File(fullPath);
++ StringTokenizer st =
++ new StringTokenizer(path, File.pathSeparator);
++ while (st.hasMoreTokens() && ((f == null) || (!f.isFile()))) {
++ dir = st.nextToken();
++ fullPath = dir + File.separatorChar + fileName;
++ f = new File(fullPath);
++ if (!isChildOf(f, dir)) {
++ f = null;
+ }
+ }
++ }
+
+- if ((!f.isFile()) &&
++ if (((f == null) || (!f.isFile())) &&
+ ((path = System.getProperty("java.class.path")) != null)) {
+ /* try relative to java.class.path */
+- StringTokenizer st =
+- new StringTokenizer(path, File.pathSeparator);
+- while (st.hasMoreTokens() && (!f.isFile())) {
+- dir = st.nextToken();
+- fullPath = dir + File.separatorChar + fileName;
+- f = new File(fullPath);
+- }
+- }
+-
+- if (!f.isFile()) { /* try the directory of built-in profiles */
+- dir = System.getProperty("java.home") +
+- File.separatorChar + "lib" + File.separatorChar + "cmm";
++ StringTokenizer st =
++ new StringTokenizer(path, File.pathSeparator);
++ while (st.hasMoreTokens() && ((f == null) || (!f.isFile()))) {
++ dir = st.nextToken();
+ fullPath = dir + File.separatorChar + fileName;
+ f = new File(fullPath);
++ if (!isChildOf(f, dir)) {
++ f = null;
++ }
+ }
++ }
++ if ((f == null) || (!f.isFile())) {
++ /* try the directory of built-in profiles */
++ f = getStandardProfileFile(fileName);
++ }
++ if (f != null && f.isFile()) {
++ return f;
++ }
++ return null;
++ }
+
+- if (f.isFile()) {
+- try {
+- fis = new FileInputStream(f);
+- } catch (FileNotFoundException e) {
++ /**
++ * Returns a file object corresponding to a built-in profile
++ * specified by fileName.
++ * If there is no built-in profile with such name, then the method
++ * returns null.
++ */
++ private static File getStandardProfileFile(String fileName) {
++ String dir = System.getProperty("java.home") +
++ File.separatorChar + "lib" + File.separatorChar + "cmm";
++ String fullPath = dir + File.separatorChar + fileName;
++ File f = new File(fullPath);
++ return (f.isFile() && isChildOf(f, dir)) ? f : null;
++ }
++
++ /**
++ * Checks whether given file resides inside give directory.
++ */
++ private static boolean isChildOf(File f, String dirName) {
++ try {
++ File dir = new File(dirName);
++ String canonicalDirName = dir.getCanonicalPath();
++ if (!canonicalDirName.endsWith(File.separator)) {
++ canonicalDirName += File.separator;
+ }
++ String canonicalFileName = f.getCanonicalPath();
++ return canonicalFileName.startsWith(canonicalDirName);
++ } catch (IOException e) {
++ /* we do not expect the IOException here, because invocation
++ * of this function is always preceeded by isFile() call.
++ */
++ return false;
+ }
+- return fis;
+ }
+
+-
+ /*
+ * Serialization support.
+ *
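Review bot: The comment in the catch block of `isChildOf` says the call is always preceded by `isFile()`, but both search loops in `getProfileFile` call `isChildOf(f, dir)` directly after `new File(fullPath)`, so that precondition only holds for `getStandardProfileFile`. Returning false there is the right fail-closed result, so I would reword the comment to `/* fail closed: a path that cannot be canonicalized is treated as outside dir */`. The empty `catch (FileNotFoundException e) {}` inside the `PrivilegedAction` in `activateDeferredProfile` (whose body continues past the inner hunk) should get a one-line comment saying the null return becomes the `IllegalArgumentException` thrown just below. Separately, containment is checked on the canonical path while the returned `File` is the un-canonicalized one that is opened later, so the check and the open may not see the same target if the path changes in between; that limitation is worth stating in the `isChildOf` Javadoc.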
diff -r 662422897e63 -r dc4494777bad patches/security/icedtea-6632445.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/icedtea-6632445.patch Mon Nov 09 16:58:51 2009 +0000
@@ -0,0 +1,103 @@
+--- old/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java 2009-07-28 17:06:52.144000000 +0400
++++ openjdk/jdk/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java 2009-07-28 17:06:51.488000000 +0400
+@@ -62,6 +62,8 @@
+
+ import java.io.*;
+ import java.nio.*;
++import java.security.AccessController;
++import java.security.PrivilegedAction;
+ import java.util.ArrayList;
+ import java.util.Iterator;
+ import java.util.StringTokenizer;
+@@ -502,12 +504,18 @@
+ iis.reset();
+
+ try {
+- if (metadata.colorSpace == PROFILE_LINKED)
++ if (metadata.colorSpace == PROFILE_LINKED &&
++ isLinkedProfileAllowed() &&
++ !isUncOrDevicePath(profile))
++ {
++ String path = new String(profile, "windows-1252");
++
+ colorSpace =
+- new ICC_ColorSpace(ICC_Profile.getInstance(new String(profile)));
+- else
++ new ICC_ColorSpace(ICC_Profile.getInstance(path));
++ } else {
+ colorSpace =
+ new ICC_ColorSpace(ICC_Profile.getInstance(profile));
++ }
+ } catch (Exception e) {
+ colorSpace = ColorSpace.getInstance(ColorSpace.CS_sRGB);
+ }
+@@ -1745,4 +1753,69 @@
+ public void sequenceStarted(ImageReader src, int minIndex) {}
+ public void readAborted(ImageReader src) {}
+ }
++
++ private static Boolean isLinkedProfileDisabled = null;
++
++ private static boolean isLinkedProfileAllowed() {
++ if (isLinkedProfileDisabled == null) {
++ PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() {
++ public Boolean run() {
++ return Boolean.getBoolean("sun.imageio.plugins.bmp.disableLinkedProfiles");
++ }
++ };
++ isLinkedProfileDisabled = AccessController.doPrivileged(a);
++ }
++ return !isLinkedProfileDisabled;
++ }
++
++ private static Boolean isWindowsPlatform = null;
++
++ /**
++ * Verifies whether the byte array contans a unc path.
++ * Non-UNC path examples:
++ * c:\path\to\file - simple notation
++ * \\?\c:\path\to\file - long notation
++ *
++ * UNC path examples:
++ * \\server\share - a UNC path in simple notation
++ * \\?\UNC\server\share - a UNC path in long notation
++ * \\.\some\device - a path to device.
++ */
++ private static boolean isUncOrDevicePath(byte[] p) {
++ if (isWindowsPlatform == null) {
++ PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() {
++ public Boolean run() {
++ String osname = System.getProperty("os.name");
++ return (osname != null &&
++ osname.toLowerCase().startsWith("win"));
++ }
++ };
++ isWindowsPlatform = AccessController.doPrivileged(a);
++ }
++
++ if (!isWindowsPlatform) {
++ /* no need for the check on platforms except windows */
++ return false;
++ }
++
++ /* normalize prefix of the path */
++ if (p[0] == '/') p[0] = '\\';
++ if (p[1] == '/') p[1] = '\\';
++ if (p[3] == '/') p[3] = '\\';
++
++
++ if ((p[0] == '\\') && (p[1] == '\\')) {
++ if ((p[2] == '?') && (p[3] == '\\')) {
++ // long path: whether unc or local
++ return ((p[4] == 'U' || p[4] == 'u') &&
++ (p[5] == 'N' || p[5] == 'n') &&
++ (p[6] == 'C' || p[6] == 'c'));
++ } else {
++ // device path or short unc notation
++ return true;
++ }
++ } else {
++ return false;
++ }
++ }
+ }
diff -r 662422897e63 -r dc4494777bad patches/security/icedtea-6636650.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/icedtea-6636650.patch Mon Nov 09 16:58:51 2009 +0000
@@ -0,0 +1,139 @@
+--- old/src/share/classes/java/lang/ClassLoader.java Fri Jul 31 15:59:47 2009
++++ openjdk/jdk/src/share/classes/java/lang/ClassLoader.java Fri Jul 31 15:59:46 2009
+@@ -147,11 +147,6 @@
+ registerNatives();
+ }
+
+- // If initialization succeed this is set to true and security checks will
+- // succeed. Otherwise the object is not initialized and the object is
+- // useless.
+- private boolean initialized = false;
+-
+ // The parent class loader for delegation
+ private ClassLoader parent;
+
+@@ -177,6 +172,18 @@
+ // to its corresponding Package object.
+ private HashMap packages = new HashMap();
+
++ private static Void checkCreateClassLoader() {
++ SecurityManager security = System.getSecurityManager();
++ if (security != null) {
++ security.checkCreateClassLoader();
++ }
++ return null;
++ }
++
++ private ClassLoader(Void unused, ClassLoader parent) {
++ this.parent = parent;
++ }
++
+ /**
+ * Creates a new class loader using the specified parent class loader for
+ * delegation.
+@@ -197,12 +204,7 @@
+ * @since 1.2
+ */
+ protected ClassLoader(ClassLoader parent) {
+- SecurityManager security = System.getSecurityManager();
+- if (security != null) {
+- security.checkCreateClassLoader();
+- }
+- this.parent = parent;
+- initialized = true;
++ this(checkCreateClassLoader(), parent);
+ }
+
+ /**
+@@ -221,15 +223,9 @@
+ * of a new class loader.
+ */
+ protected ClassLoader() {
+- SecurityManager security = System.getSecurityManager();
+- if (security != null) {
+- security.checkCreateClassLoader();
+- }
+- this.parent = getSystemClassLoader();
+- initialized = true;
++ this(checkCreateClassLoader(), getSystemClassLoader());
+ }
+
+-
+ // -- Class --
+
+ /**
+@@ -611,7 +607,6 @@
+ ProtectionDomain protectionDomain)
+ throws ClassFormatError
+ {
+- check();
+ protectionDomain = preDefineClass(name, protectionDomain);
+
+ Class c = null;
+@@ -693,8 +688,6 @@
+ ProtectionDomain protectionDomain)
+ throws ClassFormatError
+ {
+- check();
+-
+ int len = b.remaining();
+
+ // Use byte[] if not a direct ByteBufer:
+@@ -842,7 +835,6 @@
+ * @see #defineClass(String, byte[], int, int)
+ */
+ protected final void resolveClass(Class<?> c) {
+- check();
+ resolveClass0(c);
+ }
+
+@@ -873,7 +865,6 @@
+ protected final Class<?> findSystemClass(String name)
+ throws ClassNotFoundException
+ {
+- check();
+ ClassLoader system = getSystemClassLoader();
+ if (system == null) {
+ if (!checkName(name))
+@@ -886,7 +877,6 @@
+ private Class findBootstrapClass0(String name)
+ throws ClassNotFoundException
+ {
+- check();
+ if (!checkName(name))
+ throw new ClassNotFoundException(name);
+ return findBootstrapClass(name);
+@@ -895,13 +885,6 @@
+ private native Class findBootstrapClass(String name)
+ throws ClassNotFoundException;
+
+- // Check to make sure the class loader has been initialized.
+- private void check() {
+- if (!initialized) {
+- throw new SecurityException("ClassLoader object not initialized");
+- }
+- }
+-
+ /**
+ * Returns the class with the given <a href="#name">binary name</a> if this
+ * loader has been recorded by the Java virtual machine as an initiating
+@@ -917,7 +900,6 @@
+ * @since 1.1
+ */
+ protected final Class<?> findLoadedClass(String name) {
+- check();