# HG changeset patch # User Andrew John Hughes # Date 1297439737 0 # Node ID 2d84b6988fe11c4ee53d0b79b66adf6aea68372e # Parent 5dad2e76dcf9d1de32be1a71f3d495484f246bec Add patch finally supplied in third Oracle bundle. 2011-02-11 Andrew John Hughes * Makefile.am: Add additional patch. * NEWS: Updated. * patches/security/20110215/6927050.patch, Add patch for 6927050 missing from first two Oracle bundles. diff -r 5dad2e76dcf9 -r 2d84b6988fe1 ChangeLog --- a/ChangeLog Thu Feb 10 09:25:31 2011 +0000 +++ b/ChangeLog Fri Feb 11 15:55:37 2011 +0000 @@ -1,3 +1,11 @@ +2011-02-11 Andrew John Hughes + + * Makefile.am: Add additional patch. + * NEWS: Updated. + * patches/security/20110215/6927050.patch, + Add patch for 6927050 missing from first two + Oracle bundles. + 2011-02-10 Andrew John Hughes * Makefile.am: Add additional patch. diff -r 5dad2e76dcf9 -r 2d84b6988fe1 Makefile.am --- a/Makefile.am Thu Feb 10 09:25:31 2011 +0000 +++ b/Makefile.am Fri Feb 11 15:55:37 2011 +0000 @@ -267,7 +267,8 @@ patches/security/20110215/6981922.patch \ patches/security/20110215/6983554.patch \ patches/security/20110215/6994263.patch \ - patches/security/20110215/6985453.patch + patches/security/20110215/6985453.patch \ + patches/security/20110215/6927050.patch ICEDTEA_PATCHES = \ $(SECURITY_PATCHES) \ diff -r 5dad2e76dcf9 -r 2d84b6988fe1 NEWS --- a/NEWS Thu Feb 10 09:25:31 2011 +0000 +++ b/NEWS Fri Feb 11 15:55:37 2011 +0000 @@ -17,6 +17,7 @@ - S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries - S6985453, CVE-2010-4471: Java2D font-related system property leak + - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation New in release 1.7.9 (2011-02-09): diff -r 5dad2e76dcf9 -r 2d84b6988fe1 patches/security/20110215/6927050.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/security/20110215/6927050.patch Fri Feb 11 15:55:37 2011 +0000 @@ -0,0 +1,307 @@ +diff -Nru openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/AbstractXMLSchema.java openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/AbstractXMLSchema.java +--- openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/AbstractXMLSchema.java 2009-10-14 18:13:40.000000000 +0100 ++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/AbstractXMLSchema.java 2011-02-11 14:47:40.473195808 +0000 +@@ -20,6 +20,8 @@ + + package com.sun.org.apache.xerces.internal.jaxp.validation; + ++import java.util.HashMap; ++ + import javax.xml.validation.Schema; + import javax.xml.validation.Validator; + import javax.xml.validation.ValidatorHandler; +@@ -32,6 +34,16 @@ + abstract class AbstractXMLSchema extends Schema implements + XSGrammarPoolContainer { + ++ /** ++ * Map containing the initial values of features for ++ * validators created using this grammar pool container. ++ */ ++ private final HashMap fFeatures; ++ ++ public AbstractXMLSchema() { ++ fFeatures = new HashMap(); ++ } ++ + /* + * Schema methods + */ +@@ -50,4 +62,26 @@ + return new ValidatorHandlerImpl(this); + } + ++ /* ++ * XSGrammarPoolContainer methods ++ */ ++ ++ /** ++ * Returns the initial value of a feature for validators created ++ * using this grammar pool container or null if the validators ++ * should use the default value. ++ */ ++ public final Boolean getFeature(String featureId) { ++ return fFeatures.get(featureId); ++ } ++ ++ /* ++ * Other methods ++ */ ++ ++ final void setFeature(String featureId, boolean state) { ++ fFeatures.put(featureId, state ? Boolean.TRUE : Boolean.FALSE); ++ } ++ ++ + } // AbstractXMLSchema +diff -Nru openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/EmptyXMLSchema.java openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/EmptyXMLSchema.java +--- openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/EmptyXMLSchema.java 2009-10-14 18:13:41.000000000 +0100 ++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/EmptyXMLSchema.java 2011-02-11 14:45:05.089335597 +0000 +@@ -32,17 +32,10 @@ + */ + final class EmptyXMLSchema extends AbstractXMLSchema implements XMLGrammarPool { + +- private static EmptyXMLSchema EMPTY_XML_SCHEMA_INSTANCE = new EmptyXMLSchema(); +- + /** Zero length grammar array. */ + private static final Grammar [] ZERO_LENGTH_GRAMMAR_ARRAY = new Grammar [0]; + +- /** Returns the one and only instance of this class. */ +- public static EmptyXMLSchema getInstance() { +- return EMPTY_XML_SCHEMA_INSTANCE; +- } +- +- private EmptyXMLSchema() {} ++ public EmptyXMLSchema() {} + + /* + * XMLGrammarPool methods +diff -Nru openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java +--- openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java 2009-10-14 18:13:41.000000000 +0100 ++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java 2011-02-11 14:49:13.981887138 +0000 +@@ -228,21 +228,26 @@ + + // Select Schema implementation based on grammar count. + final int grammarCount = pool.getGrammarCount(); ++ AbstractXMLSchema schema = null; + if (grammarCount > 1) { +- return new XMLSchema(new ReadOnlyGrammarPool(pool)); ++ schema = new XMLSchema(new ReadOnlyGrammarPool(pool)); + } + else if (grammarCount == 1) { + Grammar[] grammars = pool.retrieveInitialGrammarSet(XMLGrammarDescription.XML_SCHEMA); +- return new SimpleXMLSchema(grammars[0]); ++ schema = new SimpleXMLSchema(grammars[0]); + } + else { +- return EmptyXMLSchema.getInstance(); ++ schema = new EmptyXMLSchema(); + } ++ propagateFeatures(schema); ++ return schema; + } + + public Schema newSchema() throws SAXException { + // Use a Schema that uses the system id as the equality source. +- return new WeakReferenceXMLSchema(); ++ AbstractXMLSchema schema = new WeakReferenceXMLSchema(); ++ propagateFeatures(schema); ++ return schema; + } + + public boolean getFeature(String name) +@@ -367,6 +372,15 @@ + } + } + ++ private void propagateFeatures(AbstractXMLSchema schema) { ++ schema.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, fSecurityManager != null); ++ String[] features = fXMLSchemaLoader.getRecognizedFeatures(); ++ for (int i = 0; i < features.length; ++i) { ++ boolean state = fXMLSchemaLoader.getFeature(features[i]); ++ schema.setFeature(features[i], state); ++ } ++ } ++ + /** + * Extension of XMLGrammarPoolImpl which exposes the number of + * grammars stored in the grammar pool. +diff -Nru openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java +--- openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java 2009-10-14 18:13:41.000000000 +0100 ++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java 2011-02-11 14:55:32.916354724 +0000 +@@ -21,6 +21,8 @@ + package com.sun.org.apache.xerces.internal.jaxp.validation; + + import java.util.HashMap; ++import java.util.Iterator; ++import java.util.Map; + + import javax.xml.XMLConstants; + +@@ -147,6 +149,19 @@ + private ValidationManager fValidationManager; + + // ++ // Configuration ++ // ++ ++ /** Stores initial feature values for validator reset. */ ++ private final HashMap fInitFeatures = new HashMap(); ++ ++ /** Stores initial property values for validator reset. */ ++ private final HashMap fInitProperties = new HashMap(); ++ ++ /** Stores the initial security manager. */ ++ private final SecurityManager fInitSecurityManager; ++ ++ // + // User Objects + // + +@@ -188,9 +203,20 @@ + fErrorReporter.putMessageFormatter(XSMessageFormatter.SCHEMA_DOMAIN, new XSMessageFormatter()); + + // add all recognized features and properties and apply their defaults +- addRecognizedParamsAndSetDefaults(fEntityManager); +- addRecognizedParamsAndSetDefaults(fErrorReporter); +- addRecognizedParamsAndSetDefaults(fSchemaValidator); ++ addRecognizedParamsAndSetDefaults(fEntityManager, grammarContainer); ++ addRecognizedParamsAndSetDefaults(fErrorReporter, grammarContainer); ++ addRecognizedParamsAndSetDefaults(fSchemaValidator, grammarContainer); ++ ++ // if the secure processing feature is set to true, add a security manager to the configuration ++ Boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING); ++ if (Boolean.TRUE.equals(secureProcessing)) { ++ fInitSecurityManager = new SecurityManager(); ++ } ++ else { ++ fInitSecurityManager = null; ++ } ++ fComponents.put(SECURITY_MANAGER, fInitSecurityManager); ++ + } + + /** +@@ -240,14 +266,18 @@ + else if (USE_GRAMMAR_POOL_ONLY.equals(featureId) && value != fUseGrammarPoolOnly) { + throw new XMLConfigurationException(XMLConfigurationException.NOT_SUPPORTED, featureId); + } +- fConfigUpdated = true; + if (XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureId)) { + setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null); + return; + } ++ fConfigUpdated = true; + fEntityManager.setFeature(featureId, value); + fErrorReporter.setFeature(featureId, value); + fSchemaValidator.setFeature(featureId, value); ++ if (!fInitFeatures.containsKey(featureId)) { ++ boolean current = super.getFeature(featureId); ++ fInitFeatures.put(featureId, current ? Boolean.TRUE : Boolean.FALSE); ++ } + super.setFeature(featureId, value); + } + +@@ -299,6 +329,9 @@ + fComponents.put(propertyId, value); + return; + } ++ if (!fInitProperties.containsKey(propertyId)) { ++ fInitProperties.put(propertyId, super.getProperty(propertyId)); ++ } + super.setProperty(propertyId, value); + } + +@@ -311,7 +344,7 @@ + * @param component The component whose recognized features + * and properties will be added to the configuration + */ +- public void addRecognizedParamsAndSetDefaults(XMLComponent component) { ++ public void addRecognizedParamsAndSetDefaults(XMLComponent component, XSGrammarPoolContainer grammarContainer) { + + // register component's recognized features + final String[] recognizedFeatures = component.getRecognizedFeatures(); +@@ -322,7 +355,7 @@ + addRecognizedProperties(recognizedProperties); + + // set default values +- setFeatureDefaults(component, recognizedFeatures); ++ setFeatureDefaults(component, recognizedFeatures, grammarContainer); + setPropertyDefaults(component, recognizedProperties); + } + +@@ -360,29 +393,46 @@ + void restoreInitialState() { + fConfigUpdated = true; + +- // Clear feature and property tables. +- fFeatures.clear(); +- fProperties.clear(); +- + // Remove error resolver and error handler + fComponents.put(ENTITY_RESOLVER, null); + fComponents.put(ERROR_HANDLER, null); + +- // Restore component defaults. +- setFeatureDefaults(fEntityManager, fEntityManager.getRecognizedFeatures()); +- setPropertyDefaults(fEntityManager, fEntityManager.getRecognizedProperties()); +- setFeatureDefaults(fErrorReporter, fErrorReporter.getRecognizedFeatures()); +- setPropertyDefaults(fErrorReporter, fErrorReporter.getRecognizedProperties()); +- setFeatureDefaults(fSchemaValidator, fSchemaValidator.getRecognizedFeatures()); +- setPropertyDefaults(fSchemaValidator, fSchemaValidator.getRecognizedProperties()); ++ // Restore initial security manager ++ fComponents.put(SECURITY_MANAGER, fInitSecurityManager); ++ ++ // Reset feature and property values to their initial values ++ if (!fInitFeatures.isEmpty()) { ++ Iterator> iter = fInitFeatures.entrySet().iterator(); ++ while (iter.hasNext()) { ++ Map.Entry entry = iter.next(); ++ String name = entry.getKey(); ++ boolean value = entry.getValue().booleanValue(); ++ super.setFeature(name, value); ++ } ++ fInitFeatures.clear(); ++ } ++ if (!fInitProperties.isEmpty()) { ++ Iterator> iter = fInitProperties.entrySet().iterator(); ++ while (iter.hasNext()) { ++ Map.Entry entry = iter.next(); ++ String name = entry.getKey(); ++ Object value = entry.getValue(); ++ super.setProperty(name, value); ++ } ++ fInitProperties.clear(); ++ } + } + + /** Sets feature defaults for the given component on this configuration. */ +- private void setFeatureDefaults(final XMLComponent component, final String [] recognizedFeatures) { ++ private void setFeatureDefaults(final XMLComponent component, ++ final String [] recognizedFeatures, XSGrammarPoolContainer grammarContainer) { + if (recognizedFeatures != null) { + for (int i = 0; i < recognizedFeatures.length; ++i) { + String featureId = recognizedFeatures[i]; +- Boolean state = component.getFeatureDefault(featureId); ++ Boolean state = grammarContainer.getFeature(featureId); ++ if (state == null) { ++ state = component.getFeatureDefault(featureId); ++ } + if (state != null) { + // Do not overwrite values already set on the configuration. + if (!fFeatures.containsKey(featureId)) { +diff -Nru openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XSGrammarPoolContainer.java openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XSGrammarPoolContainer.java +--- openjdk.orig/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XSGrammarPoolContainer.java 2009-10-14 18:13:41.000000000 +0100 ++++ openjdk/jaxp/src/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/XSGrammarPoolContainer.java 2011-02-11 14:45:27.387593932 +0000 +@@ -47,4 +47,11 @@ + */ + public boolean isFullyComposed(); + ++ /** ++ * Returns the initial value of a feature for validators created ++ * using this grammar pool container or null if the validators ++ * should use the default value. ++ */ ++ public Boolean getFeature(String featureId); ++ + }