/hg/release/icedtea6-1.11: 4 new changesets
omajid at icedtea.classpath.org
omajid at icedtea.classpath.org
Tue Feb 14 12:56:56 PST 2012
changeset bd80e87bed6c in /hg/release/icedtea6-1.11
details: http://icedtea.classpath.org/hg/release/icedtea6-1.11?cmd=changeset;node=bd80e87bed6c
author: Omair Majid <omajid at redhat.com>
date: Wed Feb 08 12:00:49 2012 -0500
Add latest round of security patches
changeset 91dfe171e1f3 in /hg/release/icedtea6-1.11
details: http://icedtea.classpath.org/hg/release/icedtea6-1.11?cmd=changeset;node=91dfe171e1f3
author: Omair Majid <omajid at redhat.com>
date: Wed Feb 08 12:02:26 2012 -0500
Bump version to 1.11.1
changeset 24db244df0f3 in /hg/release/icedtea6-1.11
details: http://icedtea.classpath.org/hg/release/icedtea6-1.11?cmd=changeset;node=24db244df0f3
author: Omair Majid <omajid at redhat.com>
date: Fri Feb 10 13:14:23 2012 -0500
Add CVE numbers.
changeset d197632e7751 in /hg/release/icedtea6-1.11
details: http://icedtea.classpath.org/hg/release/icedtea6-1.11?cmd=changeset;node=d197632e7751
author: Omair Majid <omajid at redhat.com>
date: Tue Feb 14 15:55:22 2012 -0500
Added tag icedtea6-1.11.1 for changeset 24db244df0f3
diffstat:
.hgtags | 1 +
ChangeLog | 26 +
Makefile.am | 13 +-
NEWS | 12 +-
configure.ac | 2 +-
patches/security/20120214/7082299.patch | 200 ++++++++
patches/security/20120214/7088367.patch | 43 +
patches/security/20120214/7110683.patch | 169 +++++++
patches/security/20120214/7110687.patch | 232 +++++++++
patches/security/20120214/7110700.patch | 41 +
patches/security/20120214/7110704.patch | 60 ++
patches/security/20120214/7112642.patch | 744 ++++++++++++++++++++++++++++++++
patches/security/20120214/7118283.patch | 26 +
patches/security/20120214/7126960.patch | 80 +++
14 files changed, 1646 insertions(+), 3 deletions(-)
diffs (truncated from 1756 to 500 lines):
diff -r 9ecd3246e68e -r d197632e7751 .hgtags
--- a/.hgtags Thu Feb 02 11:15:09 2012 -0500
+++ b/.hgtags Tue Feb 14 15:55:22 2012 -0500
@@ -23,3 +23,4 @@
24c5bd2e7d574441813bfb8f9e4636e50c5d7c28 icedtea6-1.11-branch
933c143b22a0acb6e5c72ac1315fd90a135275a8 icedtea6-1.11pre
746c78997ad9baaac7601686031f507936cebb88 icedtea6-1.11
+24db244df0f369a66d922e2e01f089de9e44f06d icedtea6-1.11.1
diff -r 9ecd3246e68e -r d197632e7751 ChangeLog
--- a/ChangeLog Thu Feb 02 11:15:09 2012 -0500
+++ b/ChangeLog Tue Feb 14 15:55:22 2012 -0500
@@ -1,3 +1,29 @@
+2012-02-10 Omair Majid <omajid at redhat.com>
+
+ * NEWS: Update with CVE numbers.
+
+2012-02-08 Omair Majid <omajid at redhat.com>
+
+ * configure.ac: Bump to 1.11.1.
+ * NEWS: Update with release date.
+
+2012-02-08 Omair Majid <omajid at redhat.com>
+
+ * NEWS: Update with security fixes.
+ * Makefile.am
+ (SECURITY_PATCHES): Add security patches.
+ (SPECIAL_SECURITY_PATCH): Add new variable.
+ (ICEDTEA_PATCHES): Add security patch that epends on backport.
+ * patches/security/20120214/7082299.patch,
+ * patches/security/20120214/7088367.patch,
+ * patches/security/20120214/7110683.patch,
+ * patches/security/20120214/7110687.patch,
+ * patches/security/20120214/7110700.patch,
+ * patches/security/20120214/7110704.patch,
+ * patches/security/20120214/7112642.patch,
+ * patches/security/20120214/7118283.patch,
+ * patches/security/20120214/7126960.patch: New security fixes.
+
2012-02-02 Omair Majid <omajid at redhat.com>
PR865: Patching fails with patches/ecj/jaxws-getdtdtype.patch
diff -r 9ecd3246e68e -r d197632e7751 Makefile.am
--- a/Makefile.am Thu Feb 02 11:15:09 2012 -0500
+++ b/Makefile.am Tue Feb 14 15:55:22 2012 -0500
@@ -201,7 +201,17 @@
ICEDTEA_FSG_PATCHES =
-SECURITY_PATCHES =
+SECURITY_PATCHES = \
+ patches/security/20120214/7082299.patch \
+ patches/security/20120214/7088367.patch \
+ patches/security/20120214/7110683.patch \
+ patches/security/20120214/7110687.patch \
+ patches/security/20120214/7110700.patch \
+ patches/security/20120214/7110704.patch \
+ patches/security/20120214/7118283.patch \
+ patches/security/20120214/7126960.patch
+
+SPECIAL_SECURITY_PATCH = patches/security/20120214/7112642.patch
ICEDTEA_PATCHES = \
$(SECURITY_PATCHES) \
@@ -218,6 +228,7 @@
patches/openjdk/6725214-direct3d-01.patch \
patches/openjdk/6748082-isDisplayLocal.patch \
patches/openjdk/6633275-shaped_translucent_windows.patch \
+ $(SPECIAL_SECURITY_PATCH) \
patches/openjdk/6769607-modal-hangs.patch \
patches/openjdk/6791612-opengl-jni-fix.patch \
patches/openjdk/6755274-glgetstring-crash.patch \
diff -r 9ecd3246e68e -r d197632e7751 NEWS
--- a/NEWS Thu Feb 02 11:15:09 2012 -0500
+++ b/NEWS Tue Feb 14 15:55:22 2012 -0500
@@ -10,8 +10,18 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.11.1 (2012-XX-XX):
+New in release 1.11.1 (2012-02-14):
+* Security fixes
+ - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
+ - S7088367, CVE-2011-3563: Fix issues in java sound
+ - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
+ - S7110687, CVE-2012-0503: Issues with TimeZone class
+ - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in ObjectStreamClass
+ - S7110704, CVE-2012-0506: Issues with some method in corba
+ - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
+ - S7118283, CVE-2012-0501: Better input parameter checking in zip file processing
+ - S7126960, CVE-2011-5035: (httpserver) Add property to limit number of request headers to the HTTP Server
* Bug fixes
- PR865: Patching fails with patches/ecj/jaxws-getdtdtype.patch
diff -r 9ecd3246e68e -r d197632e7751 configure.ac
--- a/configure.ac Thu Feb 02 11:15:09 2012 -0500
+++ b/configure.ac Tue Feb 14 15:55:22 2012 -0500
@@ -1,4 +1,4 @@
-AC_INIT([icedtea6],[1.11.1pre],[distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6],[1.11.1],[distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 9ecd3246e68e -r d197632e7751 patches/security/20120214/7082299.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20120214/7082299.patch Tue Feb 14 15:55:22 2012 -0500
@@ -0,0 +1,201 @@
+# HG changeset patch
+# User robm
+# Date 1322691030 0
+# Node ID ee0f12b18cb8d20c3fb61e96817bde6318a29221
+# Parent dd8956e41b892ed7102e1d5668781f2c68ea9ac5
+7082299: AtomicReferenceArray should ensure that array is Object[]
+Summary: java.util.concurrent.AtomicReferenceArray needs to ensure that internal array is always Object[].
+Reviewed-by: chegar, coffeys
+
+diff --git a/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java b/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java
+--- openjdk/jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java
++++ openjdk/jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java
+@@ -34,8 +34,9 @@
+ */
+
+ package java.util.concurrent.atomic;
++import java.lang.reflect.Array;
++import java.util.Arrays;
+ import sun.misc.Unsafe;
+-import java.util.*;
+
+ /**
+ * An array of object references in which elements may be updated
+@@ -49,15 +50,37 @@ public class AtomicReferenceArray<E> imp
+ public class AtomicReferenceArray<E> implements java.io.Serializable {
+ private static final long serialVersionUID = -6209656149925076980L;
+
+- private static final Unsafe unsafe = Unsafe.getUnsafe();
+- private static final int base = unsafe.arrayBaseOffset(Object[].class);
+- private static final int scale = unsafe.arrayIndexScale(Object[].class);
+- private final Object[] array;
++ private static final Unsafe unsafe;
++ private static final int base;
++ private static final int shift;
++ private static final long arrayFieldOffset;
++ private final Object[] array; // must have exact type Object[]
+
+- private long rawIndex(int i) {
++ static {
++ int scale;
++ try {
++ unsafe = Unsafe.getUnsafe();
++ arrayFieldOffset = unsafe.objectFieldOffset
++ (AtomicReferenceArray.class.getDeclaredField("array"));
++ base = unsafe.arrayBaseOffset(Object[].class);
++ scale = unsafe.arrayIndexScale(Object[].class);
++ } catch (Exception e) {
++ throw new Error(e);
++ }
++ if ((scale & (scale - 1)) != 0)
++ throw new Error("data type scale not a power of two");
++ shift = 31 - Integer.numberOfLeadingZeros(scale);
++ }
++
++ private long checkedByteOffset(int i) {
+ if (i < 0 || i >= array.length)
+ throw new IndexOutOfBoundsException("index " + i);
+- return base + (long) i * scale;
++
++ return byteOffset(i);
++ }
++
++ private static long byteOffset(int i) {
++ return ((long) i << shift) + base;
+ }
+
+ /**
+@@ -66,9 +89,6 @@ public class AtomicReferenceArray<E> imp
+ */
+ public AtomicReferenceArray(int length) {
+ array = new Object[length];
+- // must perform at least one volatile write to conform to JMM
+- if (length > 0)
+- unsafe.putObjectVolatile(array, rawIndex(0), null);
+ }
+
+ /**
+@@ -79,18 +99,8 @@ public class AtomicReferenceArray<E> imp
+ * @throws NullPointerException if array is null
+ */
+ public AtomicReferenceArray(E[] array) {
+- if (array == null)
+- throw new NullPointerException();
+- int length = array.length;
+- this.array = new Object[length];
+- if (length > 0) {
+- int last = length-1;
+- for (int i = 0; i < last; ++i)
+- this.array[i] = array[i];
+- // Do the last write as volatile
+- E e = array[last];
+- unsafe.putObjectVolatile(this.array, rawIndex(last), e);
+- }
++ // Visibility guaranteed by final field guarantees
++ this.array = Arrays.copyOf(array, array.length, Object[].class);
+ }
+
+ /**
+@@ -109,7 +119,11 @@ public class AtomicReferenceArray<E> imp
+ * @return the current value
+ */
+ public final E get(int i) {
+- return (E) unsafe.getObjectVolatile(array, rawIndex(i));
++ return getRaw(checkedByteOffset(i));
++ }
++
++ private E getRaw(long offset) {
++ return (E) unsafe.getObjectVolatile(array, offset);
+ }
+
+ /**
+@@ -119,7 +133,7 @@ public class AtomicReferenceArray<E> imp
+ * @param newValue the new value
+ */
+ public final void set(int i, E newValue) {
+- unsafe.putObjectVolatile(array, rawIndex(i), newValue);
++ unsafe.putObjectVolatile(array, checkedByteOffset(i), newValue);
+ }
+
+ /**
+@@ -130,7 +144,7 @@ public class AtomicReferenceArray<E> imp
+ * @since 1.6
+ */
+ public final void lazySet(int i, E newValue) {
+- unsafe.putOrderedObject(array, rawIndex(i), newValue);
++ unsafe.putOrderedObject(array, checkedByteOffset(i), newValue);
+ }
+
+
+@@ -143,9 +157,10 @@ public class AtomicReferenceArray<E> imp
+ * @return the previous value
+ */
+ public final E getAndSet(int i, E newValue) {
++ long offset = checkedByteOffset(i);
+ while (true) {
+- E current = get(i);
+- if (compareAndSet(i, current, newValue))
++ E current = getRaw(offset);
++ if (compareAndSetRaw(offset, current, newValue))
+ return current;
+ }
+ }
+@@ -153,6 +168,7 @@ public class AtomicReferenceArray<E> imp
+ /**
+ * Atomically sets the element at position {@code i} to the given
+ * updated value if the current value {@code ==} the expected value.
++ *
+ * @param i the index
+ * @param expect the expected value
+ * @param update the new value
+@@ -160,8 +176,11 @@ public class AtomicReferenceArray<E> imp
+ * the actual value was not equal to the expected value.
+ */
+ public final boolean compareAndSet(int i, E expect, E update) {
+- return unsafe.compareAndSwapObject(array, rawIndex(i),
+- expect, update);
++ return compareAndSetRaw(checkedByteOffset(i), expect, update);
++ }
++
++ private boolean compareAndSetRaw(long offset, E expect, E update) {
++ return unsafe.compareAndSwapObject(array, offset, expect, update);
+ }
+
+ /**
+@@ -186,9 +205,33 @@ public class AtomicReferenceArray<E> imp
+ * @return the String representation of the current values of array.
+ */
+ public String toString() {
+- if (array.length > 0) // force volatile read
+- get(0);
+- return Arrays.toString(array);
++ int iMax = array.length - 1;
++ if (iMax == -1)
++ return "[]";
++
++ StringBuilder b = new StringBuilder();
++ b.append('[');
++ for (int i = 0; ; i++) {
++ b.append(getRaw(byteOffset(i)));
++ if (i == iMax)
++ return b.append(']').toString();
++ b.append(',').append(' ');
++ }
++ }
++
++ /**
++ * Reconstitutes the instance from a stream (that is, deserializes it).
++ * @param s the stream
++ */
++ private void readObject(java.io.ObjectInputStream s)
++ throws java.io.IOException, ClassNotFoundException {
++ // Note: This must be changed if any additional fields are defined
++ Object a = s.readFields().get("array", null);
++ if (a == null || !a.getClass().isArray())
++ throw new java.io.InvalidObjectException("Not array type");
++ if (a.getClass() != Object[].class)
++ a = Arrays.copyOf((Object[])a, Array.getLength(a), Object[].class);
++ unsafe.putObjectVolatile(this, arrayFieldOffset, a);
+ }
+
+ }
diff -r 9ecd3246e68e -r d197632e7751 patches/security/20120214/7088367.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20120214/7088367.patch Tue Feb 14 15:55:22 2012 -0500
@@ -0,0 +1,45 @@
+# HG changeset patch
+# User amenkov
+# Date 1319622989 -14400
+# Node ID b34a3ed0c8f2f6b9121d38ed330430d913f8a385
+# Parent cdc68d7a17dd412402b100dc427abbe0a90cf2ab
+7088367: JavaSound security issue (12865443)
+Reviewed-by: denis
+
+diff --git a/src/share/classes/com/sun/media/sound/DirectAudioDevice.java b/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
+--- openjdk/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
++++ openjdk/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
+@@ -771,7 +771,7 @@ class DirectAudioDevice extends Abstract
+ if (off < 0) {
+ throw new ArrayIndexOutOfBoundsException(off);
+ }
+- if (off + len > b.length) {
++ if ((long)off + (long)len > (long)b.length) {
+ throw new ArrayIndexOutOfBoundsException(b.length);
+ }
+
+@@ -1000,7 +1000,7 @@ class DirectAudioDevice extends Abstract
+ if (off < 0) {
+ throw new ArrayIndexOutOfBoundsException(off);
+ }
+- if (off + len > b.length) {
++ if ((long)off + (long)len > (long)b.length) {
+ throw new ArrayIndexOutOfBoundsException(b.length);
+ }
+ if (!isActive() && doIO) {
+diff --git a/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java b/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
+--- openjdk/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
++++ openjdk/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
+@@ -130,6 +130,12 @@ public class SoftMixingSourceDataLine ex
+ if (len % framesize != 0)
+ throw new IllegalArgumentException(
+ "Number of bytes does not represent an integral number of sample frames.");
++ if (off < 0) {
++ throw new ArrayIndexOutOfBoundsException(off);
++ }
++ if ((long)off + (long)len > (long)b.length) {
++ throw new ArrayIndexOutOfBoundsException(b.length);
++ }
+
+ byte[] buff = cycling_buffer;
+ int buff_len = cycling_buffer.length;
diff -r 9ecd3246e68e -r d197632e7751 patches/security/20120214/7110683.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20120214/7110683.patch Tue Feb 14 15:55:22 2012 -0500
@@ -0,0 +1,170 @@
+# HG changeset patch
+# User skoppar
+# Date 1324575564 28800
+# Node ID e05eb7bee1ce0a44f3e414454e44cd49d77ba9de
+# Parent bfaa99d5bef813217cdbc6eddcdd511cf53327e7
+7110683: Issues with some KeyboardFocusManager method
+7116384: backout the unallowed changes in the KeyboardFocusManager.java javadoc
+Reviewed-by: ant
+
+diff --git a/src/share/classes/java/awt/KeyboardFocusManager.java b/src/share/classes/java/awt/KeyboardFocusManager.java
+--- openjdk/jdk/src/share/classes/java/awt/KeyboardFocusManager.java
++++ openjdk/jdk/src/share/classes/java/awt/KeyboardFocusManager.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2007, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -476,14 +476,8 @@ public abstract class KeyboardFocusManag
+ */
+ protected Component getGlobalFocusOwner() throws SecurityException {
+ synchronized (KeyboardFocusManager.class) {
+- if (this == getCurrentKeyboardFocusManager()) {
+- return focusOwner;
+- } else {
+- if (focusLog.isLoggable(Level.FINER)) {
+- focusLog.log(Level.FINER, "This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+- }
+- throw new SecurityException(notPrivileged);
+- }
++ checkCurrentKFMSecurity();
++ return focusOwner;
+ }
+ }
+
+@@ -517,6 +511,7 @@ public abstract class KeyboardFocusManag
+
+ if (focusOwner == null || focusOwner.isFocusable()) {
+ synchronized (KeyboardFocusManager.class) {
++ checkCurrentKFMSecurity();
+ oldFocusOwner = getFocusOwner();
+
+ try {
+@@ -566,6 +561,10 @@ public abstract class KeyboardFocusManag
+ * @see java.awt.event.FocusEvent#FOCUS_LOST
+ */
+ public void clearGlobalFocusOwner() {
++ synchronized (KeyboardFocusManager.class) {
++ checkCurrentKFMSecurity();
++ }
++
+ if (!GraphicsEnvironment.isHeadless()) {
+ // Toolkit must be fully initialized, otherwise
+ // _clearGlobalFocusOwner will crash or throw an exception
+@@ -645,14 +644,8 @@ public abstract class KeyboardFocusManag
+ throws SecurityException
+ {
+ synchronized (KeyboardFocusManager.class) {
+- if (this == getCurrentKeyboardFocusManager()) {
+- return permanentFocusOwner;
+- } else {
+- if (focusLog.isLoggable(Level.FINER)) {
+- focusLog.log(Level.FINER, "This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+- }
+- throw new SecurityException(notPrivileged);
+- }
++ checkCurrentKFMSecurity();
++ return permanentFocusOwner;
+ }
+ }
+
+@@ -688,6 +681,7 @@ public abstract class KeyboardFocusManag
+
+ if (permanentFocusOwner == null || permanentFocusOwner.isFocusable()) {
+ synchronized (KeyboardFocusManager.class) {
++ checkCurrentKFMSecurity();
+ oldPermanentFocusOwner = getPermanentFocusOwner();
+
+ try {
+@@ -753,14 +747,8 @@ public abstract class KeyboardFocusManag
+ */
+ protected Window getGlobalFocusedWindow() throws SecurityException {
+ synchronized (KeyboardFocusManager.class) {
+- if (this == getCurrentKeyboardFocusManager()) {
+- return focusedWindow;
+- } else {
+- if (focusLog.isLoggable(Level.FINER)) {
+- focusLog.log(Level.FINER, "This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+- }
+- throw new SecurityException(notPrivileged);
+- }
++ checkCurrentKFMSecurity();
++ return focusedWindow;
+ }
+ }
+
+@@ -791,6 +779,7 @@ public abstract class KeyboardFocusManag
+
+ if (focusedWindow == null || focusedWindow.isFocusableWindow()) {
+ synchronized (KeyboardFocusManager.class) {
++ checkCurrentKFMSecurity();
+ oldFocusedWindow = getFocusedWindow();
+
+ try {
+@@ -857,14 +846,8 @@ public abstract class KeyboardFocusManag
+ */
+ protected Window getGlobalActiveWindow() throws SecurityException {
+ synchronized (KeyboardFocusManager.class) {
+- if (this == getCurrentKeyboardFocusManager()) {
+- return activeWindow;
+- } else {
+- if (focusLog.isLoggable(Level.FINER)) {
+- focusLog.log(Level.FINER, "This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+- }
+- throw new SecurityException(notPrivileged);
+- }
++ checkCurrentKFMSecurity();
++ return activeWindow;
+ }
+ }
+
+@@ -893,6 +876,7 @@ public abstract class KeyboardFocusManag
+ protected void setGlobalActiveWindow(Window activeWindow) {
+ Window oldActiveWindow;
+ synchronized (KeyboardFocusManager.class) {
++ checkCurrentKFMSecurity();
+ oldActiveWindow = getActiveWindow();
+ if (focusLog.isLoggable(Level.FINER)) {
+ focusLog.log(Level.FINER, "Setting global active window to " + activeWindow + ", old active " + oldActiveWindow);
+@@ -1187,14 +1171,8 @@ public abstract class KeyboardFocusManag
+ throws SecurityException
+ {
+ synchronized (KeyboardFocusManager.class) {
+- if (this == getCurrentKeyboardFocusManager()) {
+- return currentFocusCycleRoot;
+- } else {
+- if (focusLog.isLoggable(Level.FINER)) {
+- focusLog.log(Level.FINER, "This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
More information about the distro-pkg-dev
mailing list