IcedTea7 1.13 Released!

Dr Andrew John Hughes ahughes at redhat.com
Wed Jul 28 19:10:12 PDT 2010 

We are pleased to announce a new major release of IcedTea7, 1.13.

This update contains the following security updates:

* CVE-2010-2783, RH616895: IcedTea 'Extended JNLP Services' arbitrary file access
* CVE-2010-2548, RH616893: IcedTea Incomplete property access check for unsigned applications
* CVE-2010-0837, S6902299: JAR "unpack200" must verify input parameters
* CVE-2010-0845, S6894807: No ClassCastException for HashAttributeSet constructors if run with -Xcomp
* CVE-2010-0838, S6899653: CMM readMabCurveData Buffer Overflow Vulnerability
* CVE-2010-0082, S6626217: Loader-constraint table allows arrays instead of only the base-classes
* CVE-2010-0095, S6893954: Subclasses of InetAddress may incorrectly interpret network addresses
* CVE-2010-0085, S6736390: File TOCTOU deserialization vulnerability
* CVE-2010-0091, S6887703: Unsigned applet can retrieve the dragged information before drop action occurs
* CVE-2010-0088, S6745393: Inflater/Deflater clone issues
* CVE-2010-0084, S6633872: Policy/PolicyFile leak dynamic ProtectionDomains.
* CVE-2010-0092, S6888149: AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error
* CVE-2010-0094, S6893947: Deserialization of RMIConnectionImpl objects should enforce stricter checks
* CVE-2010-0093, S6892265: System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes
* CVE-2010-0840, S6904691: Applet Trusted Methods Chaining Privilege Escalation Vulnerability
* CVE-2010-0848, S6914823: AWT Library Invalid Index Vulnerability
* CVE-2010-0847, S6914866: ImagingLib arbitrary code execution vulnerability
* CVE-2009-3555, TLS: MITM attacks via session renegotiation

The IcedTea project provides a harness to build the source code from
OpenJDK6 using Free Software build tools. It also includes the only
Free Java plugin and Web Start implementation, and support for
additional architectures over and above x86, x86_64 and SPARC via the
Zero assembler port.

What’s New?
—————–

* Updated to OpenJDK7 milestone 7/b89.
* Removed VisualVM support; now hosted at http://icedtea.classpath.org/hg/visualvm.
* Removed old plugin.
* Bumped to CACAO 1.1.0 pre-release snapshot.
* libjpeg7 & libpng 1.4 supported.
* Latest security updates and hardening patches:
  - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299)
  - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
  - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
  - (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
  - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
  - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
  - (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
  - (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
  - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
  - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
  - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
  - (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
  - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
  - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
  - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
  - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
  - 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
  - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
  - 6910590: Application can modify command array in ProcessBuilder
  - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
  - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
  - (CVE-2010-2783, RH616895): IcedTea 'Extended JNLP Services' arbitrary file access
  - (CVE-2010-2548, RH616893): IcedTea Incomplete property access check for unsigned applications
* Bug fixes
  - PR179: Rhino bootclasspath issue
  - PR512: Extract jaxws getdtdtype patch to boot tree instead of main tree.
  - PR521: Don't hardlink the copy of generated.
  - S6963870: NPE in CompoundBorder.getInsets()
  - S6967533: Epoch bug: ExceptionInInitializerError on systems with uninitialized clock
  - S6944361: Missing CKR_ values in PKCS11Exception
* SystemTap
  - Added JNI call tracing using systemtap version 1.0+ when
    configuring with --enable-systemtap. See tapset/hotspot_jni.stp.
  - Add support for Zero build on Hitachi SH.
  - Removed the old plugin, replaced by the NPPlugin.
  - PR476: Enable building SystemTap support on GCC 4.5.
  - Fix hotspot tapset object_alloc size variable.
  - Workaround RH613824: Missing and wrong hotspot.* probepoint arguments
* Zero/Shark
  - Formatting changes and other fixes to match upstream
  - PR428: Shark on ARM precompiled header incls
  - Update Shark for LLVM r95390 API change.
  - S6927165: Zero S/390 fixes (from upstream)
  - Implemented Shark host CPU feature autotuner using LLVM 2.7 APIs.
  - Add s390 support to TCK setup helper script
  - Strip stupid options that llvm-config supplies
  - Update Shark for LLVM r94686 API change.
  - S6914622, S6909153, S6913869 upstream Zero fixes.
  - Fixed Shark sharkCompiler mattr memory corruption bug when using llvm 2.7.
  - PR525: Shark made not entrant deopt sigsegv regression after bump to b20 and hs17.
  - PR shark/483: Fix miscompilation of sun.misc.Unsafe::getByte.
  - PR icedtea/324, icedtea/481: Fix Shark VM crash.
  - Update Shark for LLVM 2.8 API change r100304
  - Shark calling static jni methods jclass argument fix.
  - PR484: Shark jit code block "0xcdcdcdcd" zombie wipeout Sigsegv crash
  - Backport new frame anchor and stack overflow code for Zero and Shark
  - Fix stack leak in Shark
  - PR494: Shark fails to catch Exception using catch (Throwable e)
* NPPlugin fixes
  - PR446: Use JDK_UPDATE_VERSION to set the jpi version.
  - Re-designed frame embedding code so that the applet is dynamically
    packed into given handle. This increases stability and breaks
    reliance on the assumption that the browser will always provide a
    handle in a certain sequence.
    - Encode new lines, carriage returns, and other special characters
    before sending them to Java side (de-coding code is already in
    effect on Java side).
    - Centralised and increased timeouts to give slow-loading applets
    enough time to load.
    - Fix security permissions related to get/set property, based on
    specifications.
  - Added support for JSObject.finalize()
  - Liveconnect message processing design changes.
  - Message protocol overhaul to fix race conditions
  - PR166: Create FIFO pies in temp dir instead of ~/.icedteaplugin
  - Profiled memory usage and implemented proper cleanup for C++ side.
  - Update debug output string and function/structure names to
    change 'GCJ' references to ITNP/IcedTea NP Plugin
  - PR461: plugin working for NSS enabled builds with firefox including a private NSS copy
  - Removed unncessary debug and trace output
  - PR474: Patch from Paulo Cesar Pereira de Andrade, incrementing malloc size to account for NULL terminator.
  - RH524387: javax.net.ssl.SSLKeyException: RSA premaster secret error
  - Set context classloader for all threads in an applet's threadgroup
  - PR436: Close all applet threads on exit
  - PR480: NPPlugin with NoScript extension.
  - PR488: Question mark changing into underscore in URL.
  - RH592553: Fix bug causing 100% CPU usage.
  - Don't generate a random pointer from a pthread_t in the debug output.
  - Add ForbiddenTargetException for legacy support.
  - Use variadic macro for plugin debug message printing.
  - Don't link the plugin with libxul libraries.
  - Fix race conditions in plugin initialization code that were causing hangs.
  - RH506730: BankID (Norwegian common online banking authentication system) applet fails to load.
  - PR491: pass java_{code,codebase,archive} parameters to Java.
  - Adds javawebstart.version property and give user permission to read that property.
* NetX:
  - Make path sanitization consistent; use a blacklisting approach.
  - Make the SingleInstanceServer thread a daemon thread.
  - Handle JNLP files which use native libraries but do not indicate it
  - Allow JNLP classloaders to share native libraries
  - Added encoding support
  - Do not use Look and Feel related methods for setting up security dialogs
  - Error out when unsigned jnlp applications request permissions
* PulseAudio:
  - Add missing .c file to PulseAudio build
  - Eliminate spurious exception throwing.

The tarball can be downloaded from:

* http://icedtea.classpath.org/download/source/icedtea-1.13.tar.gz

sha256sum: 4d65cfb55dbe2e2fa6b980c686b34ec9f45852d5eeafd0fec6f874524743ad15

The following people helped with this release:

Gary Benson, Deepak Bhole, Andrew John Hughes, Nobuhiro Iwamatsu,
Matthias Klose, Omair Majid, Edward Nevill, Xerxes Rånby, Stefan Ring,
Pavel Tisnovsky, Jon VanAlten, Mark Wielaard, Man Lung Wong

We would also like to thank the bug reporters and testers!

To get started:
$ tar xzf icedtea-1.13.tar.gz
$ cd icedtea-1.13

Full build requirements and instructions are in INSTALL:
$ ./configure [--enable-zero --with-openjdk --enable-pulse-java
--enable-systemtap ...]
$ make
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

More information about the distro-pkg-dev mailing list