/hg/release/icedtea6-1.6: Add remaining security patches.changeset 15ba41d0ff2e in /hg/release/icedtea6-1.6
details: http://icedtea.classpath.org/hg/release/icedtea6-1.6?cmd=changeset;node=15ba41d0ff2e author: Andrew John Hughes <ahughes@...> date: Mon Nov 09 17:42:27 2009 +0000 Add remaining security patches. 2009-11-09 Andrew John Hughes <ahughes@...> * Makefile.am: Add remaining security patches. * NEWS: Updated with security patches. * patches/security/icedtea-6631533.patch, * patches/security/icedtea-6632445.patch, * patches/security/icedtea-6636650.patch, * patches/security/icedtea-6657026.patch, * patches/security/icedtea-6657138.patch, * patches/security/icedtea-6664512.patch, * patches/security/icedtea-6822057.patch, * patches/security/icedtea-6824265.patch, * patches/security/icedtea-6861062.patch, * patches/security/icedtea-6872358.patch: New security patches. diffstat: 13 files changed, 4729 insertions(+) ChangeLog | 18 Makefile.am | 11 NEWS | 18 patches/security/icedtea-6631533.patch | 184 +++ patches/security/icedtea-6632445.patch | 103 ++ patches/security/icedtea-6636650.patch | 139 ++ patches/security/icedtea-6657026.patch | 1609 ++++++++++++++++++++++++++++++++ patches/security/icedtea-6657138.patch | 745 ++++++++++++++ patches/security/icedtea-6664512.patch | 1227 ++++++++++++++++++++++++ patches/security/icedtea-6822057.patch | 32 patches/security/icedtea-6824265.patch | 142 ++ patches/security/icedtea-6861062.patch | 344 ++++++ patches/security/icedtea-6872358.patch | 157 +++ diffs (truncated from 4794 to 500 lines):
diff -r 2c854193cc9d -r 15ba41d0ff2e ChangeLog
--- a/ChangeLog Tue Nov 03 17:50:20 2009 +0100
+++ b/ChangeLog Mon Nov 09 17:42:27 2009 +0000
@@ -1,4 +1,22 @@ 2009-11-03 Martin Matejovic <mmatejov@re +2009-11-09 Andrew John Hughes <ahughes@...> + + * Makefile.am: + Add remaining security patches. + * NEWS: Updated with security patches. + * patches/security/icedtea-6631533.patch, + * patches/security/icedtea-6632445.patch, + * patches/security/icedtea-6636650.patch, + * patches/security/icedtea-6657026.patch, + * patches/security/icedtea-6657138.patch, + * patches/security/icedtea-6664512.patch, + * patches/security/icedtea-6822057.patch, + * patches/security/icedtea-6824265.patch, + * patches/security/icedtea-6861062.patch, + * patches/security/icedtea-6872358.patch: + New security patches. + 2009-11-03 Martin Matejovic <mmatejov@...> + * patches/security/icedtea-6862968.patch * patches/security/icedtea-6863503.patch * patches/security/icedtea-6864911.patch diff -r 2c854193cc9d -r 15ba41d0ff2e Makefile.am --- a/Makefile.am Tue Nov 03 17:50:20 2009 +0100 +++ b/Makefile.am Mon Nov 09 17:42:27 2009 +0000 @@ -631,6 +631,17 @@ ICEDTEA_PATCHES = \ patches/security/icedtea-6864911.patch \ patches/security/icedtea-6872357.patch \ patches/security/icedtea-6874643.patch \ + patches/security/icedtea-6874643.patch \ + patches/security/icedtea-6631533.patch \ + patches/security/icedtea-6632445.patch \ + patches/security/icedtea-6636650.patch \ + patches/security/icedtea-6657026.patch \ + patches/security/icedtea-6657138.patch \ + patches/security/icedtea-6664512.patch \ + patches/security/icedtea-6822057.patch \ + patches/security/icedtea-6824265.patch \ + patches/security/icedtea-6861062.patch \ + patches/security/icedtea-6872358.patch \ patches/icedtea-jar-misc.patch if WITH_ALT_HSBUILD diff -r 2c854193cc9d -r 15ba41d0ff2e NEWS --- a/NEWS Tue Nov 03 17:50:20 2009 +0100 +++ b/NEWS Mon Nov 09 17:42:27 2009 +0000 
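Review bot: The first added line of the Makefile.am hunk, `patches/security/icedtea-6874643.patch \`, repeats the context line directly above it, so ICEDTEA_PATCHES now lists that patch twice. How the build walks this list is not visible in the hunk, but applying the same patch a second time would normally be rejected as already applied, which risks a failed or partially patched build of a security release. Drop that line so the hunk adds only the ten files named in the ChangeLog entry, starting at `patches/security/icedtea-6631533.patch \`. The ICEDTEA_PATCHES definition begins above the hunk, so the rest of the list should be checked for other repeats as well.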
@@ -1,3 +1,21 @@ New in release 1.6.1:
+New in release 1.6.2 (2009-11-09)
+- Latest security updates:
+ - (CVE-2009-3728) ICC_Profile file existence detection information leak (6631533)
+ - (CVE-2009-3885) BMP parsing DoS with UNC ICC links (6632445)
+ - (CVE-2009-3881) resurrected classloaders can still have children (6636650)
+ - (CVE-2009-3882) Numerous static security flaws in Swing (findbugs) (6657026)
+ - (CVE-2009-3883) Mutable statics in Windows PL&F (findbugs) (6657138)
+ - (CVE-2009-3880) UI logging information leakage (6664512)
+ - (CVE-2009-3879) GraphicsConfiguration information leak (6822057)
+ - (CVE-2009-3884) zoneinfo file existence information leak (6824265)
+ - (CVE-2009-2409) deprecate MD2 in SSL cert validation (Kaminsky) (6861062)
+ - (CVE-2009-3873) JPEG Image Writer quantization problem (6862968)
+ - (CVE-2009-3875) MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
+ - (CVE-2009-3876, CVE-2009-3877) OpenJDK ASN.1/DER input stream parser denial of service (6864911)
+ - (CVE-2009-3869) JRE AWT setDifflCM stack overflow (6872357)
+ - (CVE-2009-3874) ImageI/O JPEG heap overflow (6874643
+ - (CVE-2009-3871) JRE AWT setBytePixels heap overflow (6872358)
+
 New in release 1.6.1:
 - Fix tarball error in 1.6
 - Improve jar performance,
diff -r 2c854193cc9d -r 15ba41d0ff2e patches/security/icedtea-6631533.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/icedtea-6631533.patch Mon Nov 09 17:42:27 2009 +0000
@@ -0,0 +1,184 @@ +--- old/src/share/classes/java/awt/color/ICC_Profile.java 2009-07-29 13:31:14.948600000 +0400 ++++ openjdk/jdk/src/share/classes/java/awt/color/ICC_Profile.java 2009-07-29 13:31:14.153000000 +0400 +@@ -944,15 +944,15 @@ + * and it does not permit read access to the given file. + */ + public static ICC_Profile getInstance(String fileName) throws IOException { +- ICC_Profile thisProfile; +- FileInputStream fis; ++ ICC_Profile thisProfile; ++ FileInputStream fis = null; + +- SecurityManager security = System.getSecurityManager(); +- if (security != null) { +- security.checkRead(fileName); +- } + +- if ((fis = openProfile(fileName)) == null) { ++ File f = getProfileFile(fileName); ++ if (f != null) { ++ fis = new FileInputStream(f); ++ } ++ if (fis == null) { + throw new IOException("Cannot open file " + fileName); + } + +@@ -1064,13 +1064,24 @@ + + + void activateDeferredProfile() { +- byte profileData[]; +- FileInputStream fis; +- String fileName = deferralInfo.filename; ++ byte profileData[]; ++ FileInputStream fis; ++ final String fileName = deferralInfo.filename; + + profileActivator = null; + deferralInfo = null; +- if ((fis = openProfile(fileName)) == null) { ++ PrivilegedAction<FileInputStream> pa = new PrivilegedAction<FileInputStream>() { ++ public FileInputStream run() { ++ File f = getStandardProfileFile(fileName); ++ if (f != null) { ++ try { ++ return new FileInputStream(f); ++ } catch (FileNotFoundException e) {} ++ } ++ return null; ++ } ++ }; ++ if ((fis = AccessController.doPrivileged(pa)) == null) { + throw new IllegalArgumentException("Cannot open file " + fileName); + } + try { +@@ -1765,66 +1776,88 @@ + * available, such as a profile for sRGB. Built-in profiles use .pf as + * the file name extension for profiles, e.g. sRGB.pf. 
+ */ +- private static FileInputStream openProfile(final String fileName) { +- return (FileInputStream)java.security.AccessController.doPrivileged( +- new java.security.PrivilegedAction() { +- public Object run() { +- return privilegedOpenProfile(fileName); +- } +- }); +- } +- +- /* +- * this version is called from doPrivileged in privilegedOpenProfile. +- * the whole method is privileged! +- */ +- private static FileInputStream privilegedOpenProfile(String fileName) { +- FileInputStream fis = null; ++ private static File getProfileFile(String fileName) { + String path, dir, fullPath; + + File f = new File(fileName); /* try absolute file name */ +- ++ if (f.isAbsolute()) { ++ /* Rest of code has little sense for an absolute pathname, ++ so return here. */ ++ return f.isFile() ? f : null; ++ } + if ((!f.isFile()) && + ((path = System.getProperty("java.iccprofile.path")) != null)){ + /* try relative to java.iccprofile.path */ +- StringTokenizer st = +- new StringTokenizer(path, File.pathSeparator); +- while (st.hasMoreTokens() && (!f.isFile())) { +- dir = st.nextToken(); +- fullPath = dir + File.separatorChar + fileName; +- f = new File(fullPath); ++ StringTokenizer st = ++ new StringTokenizer(path, File.pathSeparator); ++ while (st.hasMoreTokens() && ((f == null) || (!f.isFile()))) { ++ dir = st.nextToken(); ++ fullPath = dir + File.separatorChar + fileName; ++ f = new File(fullPath); ++ if (!isChildOf(f, dir)) { ++ f = null; + } + } ++ } + +- if ((!f.isFile()) && ++ if (((f == null) || (!f.isFile())) && + ((path = System.getProperty("java.class.path")) != null)) { + /* try relative to java.class.path */ +- StringTokenizer st = +- new StringTokenizer(path, File.pathSeparator); +- while (st.hasMoreTokens() && (!f.isFile())) { +- dir = st.nextToken(); +- fullPath = dir + File.separatorChar + fileName; +- f = new File(fullPath); +- } +- } +- +- if (!f.isFile()) { /* try the directory of built-in profiles */ +- dir = System.getProperty("java.home") + +- 
File.separatorChar + "lib" + File.separatorChar + "cmm"; ++ StringTokenizer st = ++ new StringTokenizer(path, File.pathSeparator); ++ while (st.hasMoreTokens() && ((f == null) || (!f.isFile()))) { ++ dir = st.nextToken(); + fullPath = dir + File.separatorChar + fileName; + f = new File(fullPath); ++ if (!isChildOf(f, dir)) { ++ f = null; ++ } + } ++ } ++ if ((f == null) || (!f.isFile())) { ++ /* try the directory of built-in profiles */ ++ f = getStandardProfileFile(fileName); ++ } ++ if (f != null && f.isFile()) { ++ return f; ++ } ++ return null; ++ } + +- if (f.isFile()) { +- try { +- fis = new FileInputStream(f); +- } catch (FileNotFoundException e) { ++ /** ++ * Returns a file object corresponding to a built-in profile ++ * specified by fileName. ++ * If there is no built-in profile with such name, then the method ++ * returns null. ++ */ ++ private static File getStandardProfileFile(String fileName) { ++ String dir = System.getProperty("java.home") + ++ File.separatorChar + "lib" + File.separatorChar + "cmm"; ++ String fullPath = dir + File.separatorChar + fileName; ++ File f = new File(fullPath); ++ return (f.isFile() && isChildOf(f, dir)) ? f : null; ++ } ++ ++ /** ++ * Checks whether given file resides inside give directory. ++ */ ++ private static boolean isChildOf(File f, String dirName) { ++ try { ++ File dir = new File(dirName); ++ String canonicalDirName = dir.getCanonicalPath(); ++ if (!canonicalDirName.endsWith(File.separator)) { ++ canonicalDirName += File.separator; + } ++ String canonicalFileName = f.getCanonicalPath(); ++ return canonicalFileName.startsWith(canonicalDirName); ++ } catch (IOException e) { ++ /* we do not expect the IOException here, because invocation ++ * of this function is always preceeded by isFile() call. ++ */ ++ return false; + } +- return fis; + } + +- + /* + * Serialization support. + * diff -r 2c854193cc9d -r 15ba41d0ff2e patches/security/icedtea-6632445.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
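Review bot: The catch comment in `isChildOf` says the call is always preceded by `isFile()`, but both search loops in `getProfileFile` call `isChildOf(f, dir)` immediately after `new File(fullPath)` and test `isFile()` only afterwards in the loop condition; only `getStandardProfileFile` checks `isFile()` first. Returning false there is the right fail-closed behaviour, so the comment should state that instead, e.g. `/* Fail closed: a path that cannot be canonicalized is treated as outside the directory. */`. It is also worth documenting on `getProfileFile` that a relative name which already resolves to a file against the working directory is returned without any `isChildOf` check, so the containment rule covers only the `java.iccprofile.path`, `java.class.path` and built-in `cmm` lookups. The Javadoc wording `inside give directory` should read `inside the given directory`.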
+++ b/patches/security/icedtea-6632445.patch Mon Nov 09 17:42:27 2009 +0000 
@@ -0,0 +1,103 @@ +--- old/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java 2009-07-28 17:06:52.144000000 +0400 ++++ openjdk/jdk/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java 2009-07-28 17:06:51.488000000 +0400 +@@ -62,6 +62,8 @@ + + import java.io.*; + import java.nio.*; ++import java.security.AccessController; ++import java.security.PrivilegedAction; + import java.util.ArrayList; + import java.util.Iterator; + import java.util.StringTokenizer; +@@ -502,12 +504,18 @@ + iis.reset(); + + try { +- if (metadata.colorSpace == PROFILE_LINKED) ++ if (metadata.colorSpace == PROFILE_LINKED && ++ isLinkedProfileAllowed() && ++ !isUncOrDevicePath(profile)) ++ { ++ String path = new String(profile, "windows-1252"); ++ + colorSpace = +- new ICC_ColorSpace(ICC_Profile.getInstance(new String(profile))); +- else ++ new ICC_ColorSpace(ICC_Profile.getInstance(path)); ++ } else { + colorSpace = + new ICC_ColorSpace(ICC_Profile.getInstance(profile)); ++ } + } catch (Exception e) { + colorSpace = ColorSpace.getInstance(ColorSpace.CS_sRGB); + } +@@ -1745,4 +1753,69 @@ + public void sequenceStarted(ImageReader src, int minIndex) {} + public void readAborted(ImageReader src) {} + } ++ ++ private static Boolean isLinkedProfileDisabled = null; ++ ++ private static boolean isLinkedProfileAllowed() { ++ if (isLinkedProfileDisabled == null) { ++ PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() { ++ public Boolean run() { ++ return Boolean.getBoolean("sun.imageio.plugins.bmp.disableLinkedProfiles"); ++ } ++ }; ++ isLinkedProfileDisabled = AccessController.doPrivileged(a); ++ } ++ return !isLinkedProfileDisabled; ++ } ++ ++ private static Boolean isWindowsPlatform = null; ++ ++ /** ++ * Verifies whether the byte array contans a unc path. 
++ * Non-UNC path examples: ++ * c:\path\to\file - simple notation ++ * \\?\c:\path\to\file - long notation ++ * ++ * UNC path examples: ++ * \\server\share - a UNC path in simple notation ++ * \\?\UNC\server\share - a UNC path in long notation ++ * \\.\some\device - a path to device. ++ */ ++ private static boolean isUncOrDevicePath(byte[] p) { ++ if (isWindowsPlatform == null) { ++ PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() { ++ public Boolean run() { ++ String osname = System.getProperty("os.name"); ++ return (osname != null && ++ osname.toLowerCase().startsWith("win")); ++ } ++ }; ++ isWindowsPlatform = AccessController.doPrivileged(a); ++ } ++ ++ if (!isWindowsPlatform) { ++ /* no need for the check on platforms except windows */ ++ return false; ++ } ++ ++ /* normalize prefix of the path */ ++ if (p[0] == '/') p[0] = '\\'; ++ if (p[1] == '/') p[1] = '\\'; ++ if (p[3] == '/') p[3] = '\\'; ++ ++ ++ if ((p[0] == '\\') && (p[1] == '\\')) { ++ if ((p[2] == '?') && (p[3] == '\\')) { ++ // long path: whether unc or local ++ return ((p[4] == 'U' || p[4] == 'u') && ++ (p[5] == 'N' || p[5] == 'n') && ++ (p[6] == 'C' || p[6] == 'c')); ++ } else { ++ // device path or short unc notation ++ return true; ++ } ++ } else { ++ return false; ++ } ++ } + } diff -r 2c854193cc9d -r 15ba41d0ff2e patches/security/icedtea-6636650.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/security/icedtea-6636650.patch Mon Nov 09 17:42:27 2009 +0000 
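Review bot: `isUncOrDevicePath` reads `p[0]`, `p[1]` and `p[3]` while normalising the prefix and `p[4]` to `p[6]` in the long-notation branch without checking `p.length`, so on Windows a short linked-profile name raises ArrayIndexOutOfBoundsException. The result is still safe only because the caller in the first inner hunk wraps the call in `catch (Exception e)` and falls back to sRGB; the helper should not depend on that. I would start the Windows path with `if (p.length < 2) return false;`, guard the `p[3]` normalisation with `p.length > 3`, and have the `\\?\` branch return true when fewer than seven bytes are present so a truncated prefix stays rejected. The method also rewrites `/` to `\` in the caller's `profile` array, which is then decoded into the path passed to `ICC_Profile.getInstance`; that side effect deserves a sentence in the Javadoc, which also has the typo `contans`.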
@@ -0,0 +1,139 @@ +--- old/src/share/classes/java/lang/ClassLoader.java Fri Jul 31 15:59:47 2009 ++++ openjdk/jdk/src/share/classes/java/lang/ClassLoader.java Fri Jul 31 15:59:46 2009 +@@ -147,11 +147,6 @@ + registerNatives(); + } + +- // If initialization succeed this is set to true and security checks will +- // succeed. Otherwise the object is not initialized and the object is +- // useless. +- private boolean initialized = false; +- + // The parent class loader for delegation + private ClassLoader parent; + +@@ -177,6 +172,18 @@ + // to its corresponding Package object. + private HashMap packages = new HashMap(); + ++ private static Void checkCreateClassLoader() { ++ SecurityManager security = System.getSecurityManager(); ++ if (security != null) { ++ security.checkCreateClassLoader(); ++ } ++ return null; ++ } ++ ++ private ClassLoader(Void unused, ClassLoader parent) { ++ this.parent = parent; ++ } ++ + /** + * Creates a new class loader using the specified parent class loader for + * delegation. +@@ -197,12 +204,7 @@ + * @since 1.2 + */ + protected ClassLoader(ClassLoader parent) { +- SecurityManager security = System.getSecurityManager(); +- if (security != null) { +- security.checkCreateClassLoader(); +- } +- this.parent = parent; +- initialized = true; ++ this(checkCreateClassLoader(), parent); + } + + /** +@@ -221,15 +223,9 @@ + * of a new class loader. 
+ */ + protected ClassLoader() { +- SecurityManager security = System.getSecurityManager(); +- if (security != null) { +- security.checkCreateClassLoader(); +- } +- this.parent = getSystemClassLoader(); +- initialized = true; ++ this(checkCreateClassLoader(), getSystemClassLoader()); + } + +- + // -- Class -- + + /** +@@ -611,7 +607,6 @@ + ProtectionDomain protectionDomain) + throws ClassFormatError + { +- check(); + protectionDomain = preDefineClass(name, protectionDomain); + + Class c = null; +@@ -693,8 +688,6 @@ + ProtectionDomain protectionDomain) + throws ClassFormatError + { +- check(); +- + int len = b.remaining(); + + // Use byte[] if not a direct ByteBufer: +@@ -842,7 +835,6 @@ + * @see #defineClass(String, byte[], int, int) + */ + protected final void resolveClass(Class<?> c) { +- check(); + resolveClass0(c); + } + +@@ -873,7 +865,6 @@ + protected final Class<?> findSystemClass(String name) + throws ClassNotFoundException + { +- check(); + ClassLoader system = getSystemClassLoader(); + if (system == null) { + if (!checkName(name)) +@@ -886,7 +877,6 @@ + private Class findBootstrapClass0(String name) + throws ClassNotFoundException + { +- check(); + if (!checkName(name)) + throw new ClassNotFoundException(name); + return findBootstrapClass(name); +@@ -895,13 +885,6 @@ + private native Class findBootstrapClass(String name) + throws ClassNotFoundException; + +- // Check to make sure the class loader has been initialized. +- private void check() { +- if (!initialized) { +- throw new SecurityException("ClassLoader object not initialized"); +- } +- } +- + /** + * Returns the class with the given <a href="#name">binary name</a> if this + * loader has been recorded by the Java virtual machine as an initiating +@@ -917,7 +900,6 @@ + * @since 1.1 + */ + protected final Class<?> findLoadedClass(String name) { +- check(); + if (!checkName(name)) + return null; + return findLoadedClass0(name); +@@ -938,11 +920,9 @@ + * @since 1.1 |