# HG changeset patch # User Andrew John Hughes # Date 1297329931 0 # Node ID 5dad2e76dcf9d1de32be1a71f3d495484f246bec # Parent d063b76189d8f472224aab9dc0ff89a4481825d2 Add 6985453 patch which was missing from first Oracle bundle. S6985453, CVE-2010-4471: Java2D font-related system property leak 2011-02-10 Andrew John Hughes * Makefile.am: Add additional patch. * NEWS: Updated. * patches/security/20110215/6985453.patch: Add patch for 6985453 missing from first Oracle bundle. diff -r d063b76189d8 -r 5dad2e76dcf9 ChangeLog --- a/ChangeLog Wed Feb 09 18:54:34 2011 +0000 +++ b/ChangeLog Thu Feb 10 09:25:31 2011 +0000 @@ -1,3 +1,11 @@ +2011-02-10 Andrew John Hughes + + * Makefile.am: Add additional patch. + * NEWS: Updated. + * patches/security/20110215/6985453.patch: + Add patch for 6985453 missing from first Oracle + bundle. + 2011-02-09 Andrew John Hughes * Makefile.am: Add new patches. diff -r d063b76189d8 -r 5dad2e76dcf9 Makefile.am --- a/Makefile.am Wed Feb 09 18:54:34 2011 +0000 +++ b/Makefile.am Thu Feb 10 09:25:31 2011 +0000 @@ -266,7 +266,8 @@ patches/security/20110215/6907662.patch \ patches/security/20110215/6981922.patch \ patches/security/20110215/6983554.patch \ - patches/security/20110215/6994263.patch + patches/security/20110215/6994263.patch \ + patches/security/20110215/6985453.patch ICEDTEA_PATCHES = \ $(SECURITY_PATCHES) \ diff -r d063b76189d8 -r 5dad2e76dcf9 NEWS --- a/NEWS Wed Feb 09 18:54:34 2011 +0000 +++ b/NEWS Thu Feb 10 09:25:31 2011 +0000 @@ -16,6 +16,7 @@ - S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation - S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries + - S6985453, CVE-2010-4471: Java2D font-related system property leak New in release 1.7.9 (2011-02-09): diff -r d063b76189d8 -r 5dad2e76dcf9 patches/security/20110215/6985453.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/security/20110215/6985453.patch Thu Feb 10 09:25:31 2011 +0000 @@ -0,0 +1,104 @@ +# HG changeset patch +# User bae +# Date 1288382134 -14400 +# Node ID 5e70dbac6a7d3743e64e19399552a60d25ba5cff +# Parent f3dff5c1b9c2cc8d38fde74c3661786f6332a3eb +6985453: Font.createFont may expose some system properties in exception text +Reviewed-by: prr, hawtin + +diff --git a/src/share/classes/sun/font/FileFont.java b/src/share/classes/sun/font/FileFont.java +--- openjdk/jdk/src/share/classes/sun/font/FileFont.java ++++ openjdk/jdk/src/share/classes/sun/font/FileFont.java +@@ -48,6 +48,9 @@ import java.util.HashSet; + import java.util.HashSet; + import java.util.HashMap; + import java.awt.Font; ++import java.security.AccessController; ++import java.security.PrivilegedActionException; ++import java.security.PrivilegedExceptionAction; + + public abstract class FileFont extends PhysicalFont { + +@@ -284,4 +287,49 @@ public abstract class FileFont extends P + }); + } + } ++ ++ protected String getPublicFileName() { ++ SecurityManager sm = System.getSecurityManager(); ++ if (sm == null) { ++ return platName; ++ } ++ boolean canReadProperty = true; ++ ++ try { ++ sm.checkPropertyAccess("java.io.tmpdir"); ++ } catch (SecurityException e) { ++ canReadProperty = false; ++ } ++ ++ if (canReadProperty) { ++ return platName; ++ } ++ ++ final File f = new File(platName); ++ ++ Boolean isTmpFile = Boolean.FALSE; ++ try { ++ isTmpFile = AccessController.doPrivileged( ++ new PrivilegedExceptionAction() { ++ public Boolean run() { ++ File tmp = new File(System.getProperty("java.io.tmpdir")); ++ try { ++ String tpath = tmp.getCanonicalPath(); ++ String fpath = f.getCanonicalPath(); ++ ++ return (fpath == null) || fpath.startsWith(tpath); ++ } catch (IOException e) { ++ return Boolean.TRUE; ++ } ++ } ++ } ++ ); ++ } catch (PrivilegedActionException e) { ++ // unable to verify whether value of java.io.tempdir will be ++ // exposed, so return only a name of the font file. ++ isTmpFile = Boolean.TRUE; ++ } ++ ++ return isTmpFile ? "temp file" : platName; ++ } + } +diff --git a/src/share/classes/sun/font/TrueTypeFont.java b/src/share/classes/sun/font/TrueTypeFont.java +--- openjdk/jdk/src/share/classes/sun/font/TrueTypeFont.java ++++ openjdk/jdk/src/share/classes/sun/font/TrueTypeFont.java +@@ -504,7 +504,8 @@ public class TrueTypeFont extends FileFo + break; + + default: +- throw new FontFormatException("Unsupported sfnt " + platName); ++ throw new FontFormatException("Unsupported sfnt " + ++ getPublicFileName()); + } + + /* Now have the offset of this TT font (possibly within a TTC) +@@ -1369,6 +1370,6 @@ public class TrueTypeFont extends FileFo + + public String toString() { + return "** TrueType Font: Family="+familyName+ " Name="+fullName+ +- " style="+style+" fileName="+platName; ++ " style="+style+" fileName="+getPublicFileName(); + } + } +diff --git a/src/share/classes/sun/font/Type1Font.java b/src/share/classes/sun/font/Type1Font.java +--- openjdk/jdk/src/share/classes/sun/font/Type1Font.java ++++ openjdk/jdk/src/share/classes/sun/font/Type1Font.java +@@ -677,7 +677,7 @@ public class Type1Font extends FileFont + + public String toString() { + return "** Type1 Font: Family="+familyName+ " Name="+fullName+ +- " style="+style+" fileName="+platName; ++ " style="+style+" fileName="+getPublicFileName(); + } + + }