changeset 2356:28de6deb3971

Add remaining security patches. 2011-10-14 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add additional patches. * NEWS: List JAXWS fix. * patches/icedtea-xjc.patch: Update against 7046794. * patches/security/20111018/7046794.patch, * patches/security/20111018/7077466.patch: Additional security patches.
author Andrew John Hughes <ahughes@redhat.com>
date Fri, 14 Oct 2011 11:37:14 +0100
parents 17e57c1e0898
children 7451a7b2b43e
files ChangeLog Makefile.am NEWS patches/icedtea-xjc.patch patches/security/20111018/7046794.patch patches/security/20111018/7077466.patch
diffstat 6 files changed, 86 insertions(+), 3 deletions(-) [+]
--- a/ChangeLog	Thu Oct 13 17:02:32 2011 +0100
+++ b/ChangeLog	Fri Oct 14 11:37:14 2011 +0100
@@ -1,3 +1,12 @@
+2011-10-14  Andrew John Hughes  <ahughes@redhat.com>
+
+	* Makefile.am: Add additional patches.
+	* NEWS: List JAXWS fix.
+	* patches/icedtea-xjc.patch: Update against 7046794.
+	* patches/security/20111018/7046794.patch,
+	* patches/security/20111018/7077466.patch:
+	Additional security patches.
+
 2011-10-13  Andrew John Hughes  <ahughes@redhat.com>
 
 	* patches/security/20111018/7070134.patch:
--- a/Makefile.am	Thu Oct 13 17:02:32 2011 +0100
+++ b/Makefile.am	Fri Oct 14 11:37:14 2011 +0100
@@ -246,7 +246,9 @@
 	patches/security/20111018/7064341.patch \
 	patches/security/20111018/7070134-${HSBUILD}.patch \
 	patches/security/20111018/7083012.patch \
-	patches/security/20111018/7096936.patch
+	patches/security/20111018/7096936.patch \
+	patches/security/20111018/7046794.patch \
+	patches/security/20111018/7077466.patch
 
 ICEDTEA_PATCHES = \
 	$(SECURITY_PATCHES) \
--- a/NEWS	Thu Oct 13 17:02:32 2011 +0100
+++ b/NEWS	Fri Oct 14 11:37:14 2011 +0100
@@ -15,6 +15,7 @@
   - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
   - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
   - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
+  - S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
   - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
   - S7055902, CVE-2011-3521: IIOP deserialization code execution
   - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
--- a/patches/icedtea-xjc.patch	Thu Oct 13 17:02:32 2011 +0100
+++ b/patches/icedtea-xjc.patch	Fri Oct 14 11:37:14 2011 +0100
@@ -5,8 +5,8 @@
  patches.dir=patches
  
  # Patches to apply
--jaxws_src.patch.list=7013971.patch
-+jaxws_src.patch.list=7013971.patch xjc.patch
+-jaxws_src.patch.list=7013971.patch 7046794.patch
++jaxws_src.patch.list=7013971.patch 7046794.patch xjc.patch
  
  # Sanity information
  sanity.info= Sanity Settings:${line.separator}\
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20111018/7046794.patch	Fri Oct 14 11:37:14 2011 +0100
@@ -0,0 +1,40 @@
+diff -Nru jaxws.old/build.properties jaxws/build.properties
+--- openjdk.orig/jaxws/build.properties	2011-10-13 17:21:36.000000000 +0100
++++ openjdk/jaxws/build.properties	2011-10-14 03:09:28.000000000 +0100
+@@ -78,7 +78,7 @@
+ patches.dir=patches
+ 
+ # Patches to apply
+-jaxws_src.patch.list=7013971.patch
++jaxws_src.patch.list=7013971.patch 7046794.patch
+ 
+ # Sanity information
+ sanity.info= Sanity Settings:${line.separator}\
+diff -Nru jaxws.old/patches/jaxws_src/7046794.patch jaxws/patches/jaxws_src/7046794.patch
+--- openjdk.orig/jaxws/patches/jaxws_src/7046794.patch	1970-01-01 01:00:00.000000000 +0100
++++ openjdk/jaxws/patches/jaxws_src/7046794.patch	2011-10-14 03:08:45.000000000 +0100
+@@ -0,0 +1,24 @@
++diff -Nru src.old/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java src/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java
++--- src.old/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java	2010-06-04 22:01:07.000000000 +0100
+++++ src/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java	2011-10-14 03:08:04.238126095 +0100
++@@ -1,5 +1,5 @@
++ /*
++- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+++ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
++  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++  *
++  * This code is free software; you can redistribute it and/or modify it
++@@ -520,11 +520,11 @@
++      */
++     public static boolean captureStackTrace;
++ 
++-    /*package*/ static final String CAPTURE_STACK_TRACE_PROPERTY = SOAPFaultBuilder.class.getName()+".disableCaptureStackTrace";
+++    /*package*/ static final String CAPTURE_STACK_TRACE_PROPERTY = SOAPFaultBuilder.class.getName()+".captureStackTrace";
++ 
++     static {
++         try {
++-            captureStackTrace = System.getProperty(CAPTURE_STACK_TRACE_PROPERTY)==null;
+++            captureStackTrace = Boolean.getBoolean(CAPTURE_STACK_TRACE_PROPERTY);
++         } catch (SecurityException e) {
++             // ignore
++         }
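Review bot: `captureStackTrace` on the context line above the changed constant remains `public static boolean` and non-final, so the new off-by-default value set in the static initializer is only a starting value and can be changed again at runtime by any code that has access to this class; whether untrusted code can reach it depends on package-access restrictions not shown here. If nothing outside the package needs to write it, narrowing the field's visibility would make the default stick. The Javadoc for the field begins outside the hunk, so it cannot be checked from here; it should say that stack traces are omitted from SOAP faults unless the `.captureStackTrace` system property is set to `true`. The old `.disableCaptureStackTrace` property is no longer read at all, which merits a line in the release notes for deployments that set it or that relied on stack traces appearing in faults.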
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20111018/7077466.patch	Fri Oct 14 11:37:14 2011 +0100
@@ -0,0 +1,31 @@
+# HG changeset patch
+# User coffeys
+# Date 1316425951 -3600
+# Node ID 92ab8bb7ff22127aa61442019bd53f3eb19166d3
+# Parent  ce3948d7981089ddc960d1191b3fa8ff32ccf165
+7077466: fix for RMI DGC
+Reviewed-by: smarks
+
+diff --git a/src/share/classes/sun/rmi/server/UnicastServerRef.java b/src/share/classes/sun/rmi/server/UnicastServerRef.java
+--- openjdk/jdk/src/share/classes/sun/rmi/server/UnicastServerRef.java
++++ openjdk/jdk/src/share/classes/sun/rmi/server/UnicastServerRef.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2005, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -390,6 +390,12 @@ public class UnicastServerRef extends Un
+             ObjectInput in;
+             try {
+                 in = call.getInputStream();
++                try {
++                    Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
++                    if (clazz.isAssignableFrom(skel.getClass())) {
++                        ((MarshalInputStream)in).useCodebaseOnly();
++                    }
++                } catch (ClassNotFoundException ignore) { }
+                 hash = in.readLong();
+             } catch (Exception readEx) {
+                 throw new UnmarshalException("error unmarshalling call header",
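Review bot: The empty `catch (ClassNotFoundException ignore) { }` makes this hardening fail open: if `sun.rmi.transport.DGCImpl_Skel` cannot be loaded, `useCodebaseOnly()` is skipped without any trace and the call header is read as before. At minimum the catch should carry a comment stating why the lookup is reflective and why ignoring the failure is safe, for example `// DGCImpl_Skel not present: no DGC skeleton can be dispatched here, so nothing to restrict`, if that is indeed the reasoning. The cast `(MarshalInputStream)in` is unchecked; a different stream type would be caught by the outer `catch (Exception readEx)` and reported as "error unmarshalling call header", which fails closed but mislabels the cause. The `Class.forName` lookup also runs on every call that takes this path and could be resolved once. The enclosing method begins and ends outside the hunk.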