[1.10, 1.11, 2.1 & 2.2 APPROVAL] jar uf support broken with 7143606 security fix

Andrew Hughes gnu.andrew at redhat.com
Mon Oct 15 16:34:31 PDT 2012



----- Original Message -----
> 
> 
> ----- Original Message -----
> > On 10/15/2012 09:36 AM, Andrew Hughes wrote:
> > > Even better, they are already in 6 too:
> > > 
> > > http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/2366192c7fcb
> > > http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/0e34d4326386
> > > 
> > > So we just need these changesets in 1.10 & 1.11.
> > > 
> > 
> > If the original jar had locked down permissions, will the 'updated' jar
> > now have more relaxed permissions? But I suppose this is how the jar
> > command has always behaved.
> > 
> 
> It's already in 2.3.
> 
> The updated jar has the permissions the original jar had.  They don't
> suddenly change behind the user's back.
> 
> > We don't know how much testing has been done on this, do we? Looking at
> > the test case, it won't even compile: it uses PosixFilePermission (added
> > in 1.7) and try-with-resources.
> 
> I'll look into this.  The changesets are from 6 so this is Oracle's
> screw-up.
> 

Yeah, as I thought I remembered, they spotted the screw-up in rolling b26:

http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/0abac47de6d1

I'll add that too.

> > 
> > Cheers,
> > Omair
> > 
> > --
> > PGP Key: 66484681 (http://pgp.mit.edu/)
> > Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681
> > 
> 
> --
> Andrew :)
> 
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> 
> 

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07



