[1.10, 1.11, 2.1 & 2.2 APPROVAL] jar uf support broken with 7143606 security fix

Andrew Hughes gnu.andrew at redhat.com
Mon Oct 15 06:17:00 PDT 2012


See http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-June/010712.html
which applied the fix to 8 and 7u6 (thus the fix is in 2.3).

The jar bug rears its head in OpenJDK builds as HotSpot updates sa-jdi.jar with
a service META-INF file, changing its permissions to 600.  It's pretty simple
to replicate with any old jar file:

$ jar cf crap.jar crap
$ ll crap.jar 
-rw-r--r-- 1 andrew staff 924 Oct 15 14:03 crap.jar
$ /mnt/builder/jdk6/j2sdk-image/bin/jar uf crap.jar -C /mnt/builder/icedtea6-1.11/openjdk/hotspot/agent/src/share/classes META-INF/services/com.sun.jdi.connect.Connector
$ ll crap.jar 
-rw------- 1 andrew staff 1.2K Oct 15 14:04 crap.jar

Whoops!

For 1.10 & 1.11, we can "fix" this by simply dropping the native2ascii & jar parts
of that security fix.  For 6-HEAD, 2.1 & 2.2, those parts of the patch actually need
to be reverted.  I'll also push the 6 fix upstream to OpenJDK6.

Ok for 1.10, 1.11, 2.1 & 2.2?
-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
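
Added example, not part of the original message and not OpenJDK or IcedTea code: a shell illustration of how an in-place update that writes to a private temporary file and renames it over the target produces the 644 to 600 change shown in the transcript above, next to a variant that carries the original mode across, plus a check that can wrap any updater. That jar uf works this way is an assumption the message does not state; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added illustration, not OpenJDK or IcedTea code. Assumption: the updater
# writes the new archive to a private temp file and renames it over the target.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# update_file TARGET LINE [keep]
# Append LINE to TARGET via temp file + rename. mktemp creates the temp file
# with mode 600, so without "keep" the target ends up 600 after the rename.
update_file() {
    target=$1 line=$2 keep=${3:-}
    tmp=$(mktemp "$(dirname "$target")/.upd.XXXXXX") || return 1
    { cat "$target" && printf '%s\n' "$line"; } > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    if [ "$keep" = keep ]; then
        # Copy the original's mode before the rename, so the target path
        # never shows up with the wrong permissions.
        chmod "$(mode_of "$target")" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$target"
}

# mode_survives FILE CMD [ARGS...]
# Run CMD and return 0 if FILE's mode is unchanged, 1 if it changed,
# 2 if CMD itself failed.
mode_survives() {
    file=$1; shift
    before=$(mode_of "$file")
    "$@" || return 2
    after=$(mode_of "$file")
    [ "$before" = "$after" ] && return 0
    echo "mode of $file changed: $before -> $after" >&2
    return 1
}

# Constructed sample: a 644 file updated both ways.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'one\n' > "$dir/sample.txt"; chmod 644 "$dir/sample.txt"
    mode_survives "$dir/sample.txt" update_file "$dir/sample.txt" two || :
    chmod 644 "$dir/sample.txt"
    mode_survives "$dir/sample.txt" update_file "$dir/sample.txt" three keep &&
        echo "mode kept: $(mode_of "$dir/sample.txt")"
    rm -rf "$dir"
}
demo
```

mode_survives takes any command after the file name, so the jar uf invocation from the transcript can be wrapped the same way in a build to catch this regression.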



