changeset 2994:db270ea37a50

RH952389: Restrict temp file permissions. 2013-04-17 Andrew John Hughes <gnu.andrew@redhat.com> * ChangeLog: Move Elliott's entry to correct position. * Makefile.am: (ICEDTEA_PATCHES): Fix path to previous patch. * patches/openjdk/jaxws-tempfiles-ioutils-6.patch: Moved from here to... * patches/jaxws-tempfiles-ioutils-6.patch: ...here as not an upstream OpenJDK patch. 2013-04-17 Elliott Baron <ebaron@redhat.com> * patches/openjdk/jaxws-tempfiles-ioutils-6.patch: Restrict temp file permissions. * Makefile.am: (ICEDTEA_PATCHES): Added new patch. * NEWS: Updated.
author Andrew John Hughes <gnu.andrew@redhat.com>
date Wed, 24 Apr 2013 09:09:25 +0100
parents 6b16bd8e8e34
children 2e7ef54df229
files ChangeLog Makefile.am NEWS patches/jaxws-tempfiles-ioutils-6.patch
diffstat 4 files changed, 199 insertions(+), 4 deletions(-) [+]
--- a/ChangeLog	Wed Apr 24 08:26:15 2013 +0100
+++ b/ChangeLog	Wed Apr 24 09:09:25 2013 +0100
@@ -1,3 +1,22 @@
+2013-04-17  Andrew John Hughes  <gnu.andrew@redhat.com>
+
+	* ChangeLog:
+	Move Elliott's entry to correct position.
+	* Makefile.am:
+	(ICEDTEA_PATCHES): Fix path to previous patch.
+	* patches/openjdk/jaxws-tempfiles-ioutils-6.patch:
+	Moved from here to...
+	* patches/jaxws-tempfiles-ioutils-6.patch:
+	...here as not an upstream OpenJDK patch.
+
+2013-04-17  Elliott Baron  <ebaron@redhat.com>
+
+	* patches/openjdk/jaxws-tempfiles-ioutils-6.patch:
+	Restrict temp file permissions.
+	* Makefile.am:
+	(ICEDTEA_PATCHES): Added new patch.
+	* NEWS: Updated.
+
 2013-04-17  Andrew John Hughes  <gnu.andrew@redhat.com>
 
 	* patches/aarch64.patch:
--- a/Makefile.am	Wed Apr 24 08:26:15 2013 +0100
+++ b/Makefile.am	Wed Apr 24 09:09:25 2013 +0100
@@ -568,10 +568,9 @@
 	patches/openjdk/8007393.patch \
 	patches/openjdk/8007611.patch \
 	patches/fix_get_stack_bounds_leak.patch \
-	patches/openjdk/7197906-handle_32_bit_shifts.patch
-
-# Needs to be after the addition of SH support to the original HotSpot
-ICEDTEA_PATCHES += patches/aarch64.patch
+	patches/openjdk/7197906-handle_32_bit_shifts.patch \
+	patches/aarch64.patch \
+	patches/jaxws-tempfiles-ioutils-6.patch
 
 if WITH_RHINO
 ICEDTEA_PATCHES += \
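Review bot: Folding `patches/aarch64.patch` into the main list drops the comment `# Needs to be after the addition of SH support to the original HotSpot`, so the ordering constraint on that patch is no longer recorded anywhere in this hunk. The new entries are still last in the list, so the order appears to be preserved today, but a later addition could reorder them without any hint. I would keep that comment above the `ICEDTEA_PATCHES` assignment, or keep aarch64.patch in its own `ICEDTEA_PATCHES +=` line with the comment and append `patches/jaxws-tempfiles-ioutils-6.patch` after it. The start of the list is outside the hunk.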
--- a/NEWS	Wed Apr 24 08:26:15 2013 +0100
+++ b/NEWS	Wed Apr 24 09:09:25 2013 +0100
@@ -46,6 +46,7 @@
   - S8009699, CVE-2013-2421: Methodhandle lookup
   - S8009814, CVE-2013-1488: Better driver management
   - S8009857, CVE-2013-2422: Problem with plugin
+  - RH952389: Temporary files created with insecure permissions
 * Backports
   - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
   - S7036559: ConcurrentHashMap footprint and contention improvements
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/jaxws-tempfiles-ioutils-6.patch	Wed Apr 24 09:09:25 2013 +0100
@@ -0,0 +1,176 @@
+diff -ru openjdk/jaxws/drop_included/jaxws_src/src/com/sun/xml/internal/org/jvnet/mimepull/TempFiles.java openjdk.new/jaxws/drop_included/jaxws_src/src/com/sun/xml/internal/org/jvnet/mimepull/TempFiles.java
+--- openjdk/jaxws/drop_included/jaxws_src/src/com/sun/xml/internal/org/jvnet/mimepull/TempFiles.java	2013-04-17 13:14:56.952315541 -0400
++++ openjdk.new/jaxws/drop_included/jaxws_src/src/com/sun/xml/internal/org/jvnet/mimepull/TempFiles.java	2013-04-17 13:14:20.578155775 -0400
+@@ -44,25 +44,47 @@
+     private static final Class<?> CLASS_PATH;
+     private static final Class<?> CLASS_FILE_ATTRIBUTE;
+     private static final Class<?> CLASS_FILE_ATTRIBUTES;
++    private static final Class<?> CLASS_IOUTILS;
+     private static final Method METHOD_FILE_TO_PATH;
+     private static final Method METHOD_FILES_CREATE_TEMP_FILE;
+     private static final Method METHOD_FILES_CREATE_TEMP_FILE_WITHPATH;
+-
++    private static final Method METHOD_IOUTILS_CREATE_TEMP_FILE;
++    private static final Method METHOD_IOUTILS_CREATE_TEMP_FILE_WITHDIR;
+     private static final Method METHOD_PATH_TO_FILE;
+ 
+     private static boolean useJdk6API;
++    private static boolean useFileAPI;
+ 
+     static {
+         useJdk6API = isJdk6();
+-
+-        CLASS_FILES = safeGetClass("java.nio.file.Files");
+-        CLASS_PATH = safeGetClass("java.nio.file.Path");
+-        CLASS_FILE_ATTRIBUTE = safeGetClass("java.nio.file.attribute.FileAttribute");
+-        CLASS_FILE_ATTRIBUTES = safeGetClass("[Ljava.nio.file.attribute.FileAttribute;");
+-        METHOD_FILE_TO_PATH = safeGetMethod(File.class, "toPath");
+-        METHOD_FILES_CREATE_TEMP_FILE = safeGetMethod(CLASS_FILES, "createTempFile", String.class, String.class, CLASS_FILE_ATTRIBUTES);
+-        METHOD_FILES_CREATE_TEMP_FILE_WITHPATH = safeGetMethod(CLASS_FILES, "createTempFile", CLASS_PATH, String.class, String.class, CLASS_FILE_ATTRIBUTES);
+-        METHOD_PATH_TO_FILE = safeGetMethod(CLASS_PATH, "toFile");
++        useFileAPI = false;
++        
++        if (useJdk6API) {
++            CLASS_IOUTILS = safeGetClass("sun.misc.IOUtils");
++            METHOD_IOUTILS_CREATE_TEMP_FILE = safeGetMethod(CLASS_IOUTILS, "createTempFile", String.class, String.class);
++            METHOD_IOUTILS_CREATE_TEMP_FILE_WITHDIR = safeGetMethod(CLASS_IOUTILS, "createTempFile", String.class, String.class, File.class);
++            CLASS_FILES = null;
++            CLASS_PATH = null;
++            CLASS_FILE_ATTRIBUTE = null;
++            CLASS_FILE_ATTRIBUTES = null;
++            METHOD_FILE_TO_PATH = null;
++            METHOD_FILES_CREATE_TEMP_FILE = null;
++            METHOD_FILES_CREATE_TEMP_FILE_WITHPATH = null;
++            METHOD_PATH_TO_FILE = null;
++        }
++        else {
++            CLASS_FILES = safeGetClass("java.nio.file.Files");
++            CLASS_PATH = safeGetClass("java.nio.file.Path");
++            CLASS_FILE_ATTRIBUTE = safeGetClass("java.nio.file.attribute.FileAttribute");
++            CLASS_FILE_ATTRIBUTES = safeGetClass("[Ljava.nio.file.attribute.FileAttribute;");
++            METHOD_FILE_TO_PATH = safeGetMethod(File.class, "toPath");
++            METHOD_FILES_CREATE_TEMP_FILE = safeGetMethod(CLASS_FILES, "createTempFile", String.class, String.class, CLASS_FILE_ATTRIBUTES);
++            METHOD_FILES_CREATE_TEMP_FILE_WITHPATH = safeGetMethod(CLASS_FILES, "createTempFile", CLASS_PATH, String.class, String.class, CLASS_FILE_ATTRIBUTES);
++            METHOD_PATH_TO_FILE = safeGetMethod(CLASS_PATH, "toFile");
++            CLASS_IOUTILS = null;
++            METHOD_IOUTILS_CREATE_TEMP_FILE = null;
++            METHOD_IOUTILS_CREATE_TEMP_FILE_WITHDIR = null;
++        }
+     }
+ 
+     private static boolean isJdk6() {
+@@ -72,27 +94,27 @@
+     }
+ 
+     private static Class<?> safeGetClass(String className) {
+-        // it is jdk 6 or something failed already before
+-        if (useJdk6API) return null;
++        // Something failed already before
++        if (useFileAPI) return null;
+         try {
+             return Class.forName(className);
+         } catch (ClassNotFoundException e) {
+             LOGGER.log(Level.SEVERE, "Exception cought", e);
+             LOGGER.log(Level.WARNING, "Class {0} not found. Temp files will be created using old java.io API.", className);
+-            useJdk6API = true;
++            useFileAPI = true;
+             return null;
+         }
+     }
+ 
+     private static Method safeGetMethod(Class<?> clazz, String methodName, Class<?>... parameterTypes) {
+-        // it is jdk 6 or something failed already before
+-        if (useJdk6API) return null;
++        // Something failed already before
++        if (useFileAPI) return null;
+         try {
+             return clazz.getMethod(methodName, parameterTypes);
+         } catch (NoSuchMethodException e) {
+             LOGGER.log(Level.SEVERE, "Exception cought", e);
+             LOGGER.log(Level.WARNING, "Method {0} not found. Temp files will be created using old java.io API.", methodName);
+-            useJdk6API = true;
++            useFileAPI = true;
+             return null;
+         }
+     }
+@@ -107,37 +129,53 @@
+     }
+ 
+     static File createTempFile(String prefix, String suffix, File dir) throws IOException {
+-
+-        if (useJdk6API) {
+-            LOGGER.log(Level.FINEST, "Jdk6 detected, temp file (prefix:{0}, suffix:{1}) being created using old java.io API.", new Object[]{prefix, suffix});
+-            return File.createTempFile(prefix, suffix, dir);
+-
+-        } else {
+-
+-            try {
+-                if (dir != null) {
+-                    Object path = toPath(dir);
+-                    LOGGER.log(Level.FINEST, "Temp file (path: {0}, prefix:{1}, suffix:{2}) being created using NIO API.", new Object[]{dir.getAbsolutePath(), prefix, suffix});
+-                    return toFile(METHOD_FILES_CREATE_TEMP_FILE_WITHPATH.invoke(null, path, prefix, suffix, Array.newInstance(CLASS_FILE_ATTRIBUTE, 0)));
+-                } else {
+-                    LOGGER.log(Level.FINEST, "Temp file (prefix:{0}, suffix:{1}) being created using NIO API.", new Object[]{prefix, suffix});
+-                    return toFile(METHOD_FILES_CREATE_TEMP_FILE.invoke(null, prefix, suffix, Array.newInstance(CLASS_FILE_ATTRIBUTE, 0)));
++        if (!useFileAPI) {
++            if (useJdk6API) { // Use IOUtils
++                LOGGER.log(Level.FINEST, "Jdk6 detected, temp file (prefix:{0}, suffix:{1}) being created using sun.misc.IOUtils.", new Object[]{prefix, suffix});
++                try {
++                    if (dir != null) {
++                        LOGGER.log(Level.FINEST, "Temp file (path: {0}, prefix:{1}, suffix:{2}) being created using sun.misc.IOUtils.", new Object[]{dir.getAbsolutePath(), prefix, suffix});
++                        return (File) METHOD_IOUTILS_CREATE_TEMP_FILE_WITHDIR.invoke(null, prefix, suffix, dir);
++                    }
++                    else {
++                        LOGGER.log(Level.FINEST, "Temp file (prefix:{0}, suffix:{1}) being created using sun.misc.IOUtils.", new Object[]{prefix, suffix});
++                        return (File) METHOD_IOUTILS_CREATE_TEMP_FILE.invoke(null, prefix, suffix);
++                    }
++                } catch (IllegalAccessException e) {
++                    LOGGER.log(Level.SEVERE, "Exception caught", e);
++                    LOGGER.log(Level.WARNING, "Error invoking sun.misc.IOUtils.createTempFile, temp file (path: {0}, prefix:{1}, suffix:{2}) being created using old java.io API.",
++                            new Object[]{dir != null ? dir.getAbsolutePath() : null, prefix, suffix});
++                } catch (InvocationTargetException e) {
++                    LOGGER.log(Level.SEVERE, "Exception caught", e);
++                    LOGGER.log(Level.WARNING, "Error invoking sun.misc.IOUtils.createTempFile, temp file (path: {0}, prefix:{1}, suffix:{2}) being created using old java.io API.",
++                            new Object[]{dir != null ? dir.getAbsolutePath() : null, prefix, suffix});
+                 }
++            } else { // Use NIO API
+ 
+-            } catch (IllegalAccessException e) {
+-                LOGGER.log(Level.SEVERE, "Exception caught", e);
+-                LOGGER.log(Level.WARNING, "Error invoking java.nio API, temp file (path: {0}, prefix:{1}, suffix:{2}) being created using old java.io API.",
+-                        new Object[]{dir != null ? dir.getAbsolutePath() : null, prefix, suffix});
+-                return File.createTempFile(prefix, suffix, dir);
+-
+-            } catch (InvocationTargetException e) {
+-                LOGGER.log(Level.SEVERE, "Exception caught", e);
+-                LOGGER.log(Level.WARNING, "Error invoking java.nio API, temp file (path: {0}, prefix:{1}, suffix:{2}) being created using old java.io API.",
+-                        new Object[]{dir != null ? dir.getAbsolutePath() : null, prefix, suffix});
+-                return File.createTempFile(prefix, suffix, dir);
++                try {
++                    if (dir != null) {
++                        Object path = toPath(dir);
++                        LOGGER.log(Level.FINEST, "Temp file (path: {0}, prefix:{1}, suffix:{2}) being created using NIO API.", new Object[]{dir.getAbsolutePath(), prefix, suffix});
++                        return toFile(METHOD_FILES_CREATE_TEMP_FILE_WITHPATH.invoke(null, path, prefix, suffix, Array.newInstance(CLASS_FILE_ATTRIBUTE, 0)));
++                    } else {
++                        LOGGER.log(Level.FINEST, "Temp file (prefix:{0}, suffix:{1}) being created using NIO API.", new Object[]{prefix, suffix});
++                        return toFile(METHOD_FILES_CREATE_TEMP_FILE.invoke(null, prefix, suffix, Array.newInstance(CLASS_FILE_ATTRIBUTE, 0)));
++                    }
++
++                } catch (IllegalAccessException e) {
++                    LOGGER.log(Level.SEVERE, "Exception caught", e);
++                    LOGGER.log(Level.WARNING, "Error invoking java.nio API, temp file (path: {0}, prefix:{1}, suffix:{2}) being created using old java.io API.",
++                            new Object[]{dir != null ? dir.getAbsolutePath() : null, prefix, suffix});
++                } catch (InvocationTargetException e) {
++                    LOGGER.log(Level.SEVERE, "Exception caught", e);
++                    LOGGER.log(Level.WARNING, "Error invoking java.nio API, temp file (path: {0}, prefix:{1}, suffix:{2}) being created using old java.io API.",
++                            new Object[]{dir != null ? dir.getAbsolutePath() : null, prefix, suffix});
++                }
+             }
+         }
+-
++        
++        // Use IO API
++        return File.createTempFile(prefix, suffix, dir);
+     }
+ 
+
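Review bot: The final `return File.createTempFile(prefix, suffix, dir);` in the patched `createTempFile` is the same java.io call whose permissions RH952389 is about, and it is reached whenever the `sun.misc.IOUtils` lookup fails in the static initializer (`useFileAPI = true`) or the reflective invoke throws, so on JDK 6 the fix fails open with only a log line. If the fallback has to stay, the file should at least be narrowed to the owner right after creation, e.g. `f.setReadable(false, false); f.setReadable(true, true);` plus the matching `setWritable` calls, with a comment that this is weaker than creating the file with restricted permissions in the first place. Separately, both `catch (InvocationTargetException e)` blocks retry with the old API even when the cause is an ordinary `IOException` from the target (an unwritable directory, for example); `if (e.getCause() instanceof IOException) throw (IOException) e.getCause();` would surface the real error instead of silently downgrading. The "Temp files will be created using old java.io API" warnings in `safeGetClass`/`safeGetMethod` would also be clearer if they said the resulting files get default permissions.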