From 0389c0810effbe38de6d05d68e3ab6bb08a8aaef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Fri, 11 Nov 2011 08:23:22 +0200 Subject: main/openjdk6: security upgrade icedtea6 to 1.10.4 ref #802 icedtea6 1.10.4 includes patches for the following security issues: CVE-2011-3547: InputStream skip() information leak CVE-2011-3548: mutable static AWTKeyStroke.ctor CVE-2011-3551: Java2D TransformHelper integer overflow CVE-2011-3552: excessive default UDP socket limit under SecurityManager CVE-2011-3553: JAX-WS stack-traces information leak CVE-2011-3544: missing SecurityManager checks in scripting engine CVE-2011-3521: IIOP deserialization code execution CVE-2011-3554: insufficient pack200 JAR files uncompress error checks CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer CVE-2011-3556: RMI DGC server remote code execution CVE-2011-3557: RMI registry privileged code execution CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection icedtea6 1.10.2 security patches (since upgrading from icedtea6 1.10.1): CVE-2011-0872: (so) non-blocking sockets with TCP urgent disabled get still selected for read ops (win) CVE-2011-0865: Vulnerability in deserialization CVE-2011-0815: Heap overflow vulnerability in FileDialog.show() CVE-2011-0822, CVE-2011-0862: Integer overflows in 2D code CVE-2011-0867: NetworkInterface.toString can reveal bindings CVE-2011-0869: Vulnerability in SAAJ CVE-2011-0870: Vulnerability in SAAJ CVE-2011-0868: Crash in Java 2D transforming an image with scale close to zero CVE-2011-0871: ImageIcon creates Component with null acc CVE-2011-0864: JSR rewriting can overflow memory address size variables --- main/openjdk6/APKBUILD | 23 +++++++++++++++-------- main/openjdk6/build-paxctl.patch | 10 ++++++++++ 2 files changed, 25 insertions(+), 8 deletions(-) create mode 100644 main/openjdk6/build-paxctl.patch (limited to 'main/openjdk6')
diff --git a/main/openjdk6/APKBUILD b/main/openjdk6/APKBUILD index 07c642ac1d..e38f48cff5 100644 --- a/main/openjdk6/APKBUILD +++ b/main/openjdk6/APKBUILD @@ -2,15 +2,15 @@ # Maintainer: Timo Teras pkgname=openjdk6 pkgver=1.6.0_p22 -icedteaver=1.10.1 -pkgrel=1 +icedteaver=1.10.4 +pkgrel=2 pkgdesc="Sun OpenJDK 6 via IcedTea" url="http://icedtea.classpath.org/" arch="all" license="GPL-2 with Classpath" depends="$pkgname-jre" -makedepends="java-gcj-compat findutils tar zip gawk pkgconfig util-linux-ng - nss-dev cups-dev jpeg-dev giflib-dev libpng-dev libxt-dev +makedepends="java-gcj-compat findutils tar zip paxctl gawk pkgconfig util-linux-ng + autoconf automake nss-dev cups-dev jpeg-dev giflib-dev libpng-dev libxt-dev libxp-dev libxtst-dev libxinerama-dev libiconv-dev libxrender-dev alsa-lib-dev freetype-dev xulrunner-dev gtk+2.0-dev" @@ -22,7 +22,7 @@ OPENJDK_VERSION=b22 OPENJDK_DATE=28_feb_2011 XALAN2_VER=2_7_1 XERCES_VER=2.9.0 -RHINO_VER=1_7R2 +RHINO_VER=1_7R3 ANT_VER=1.8.2 JAXWS_DROP_ZIP=jdk6-jaxws-b20.zip JAXP_DROP_ZIP=jaxp144_01.zip @@ -36,6 +36,7 @@ source="http://download.java.net/openjdk/jdk6/promoted/$OPENJDK_VERSION/openjdk- http://icedtea.classpath.org/download/drops/$JAXWS_DROP_ZIP http://icedtea.classpath.org/download/drops/$JAXP_DROP_ZIP http://icedtea.classpath.org/download/drops/$JAF_DROP_ZIP + build-paxctl.patch icedtea-hotspot-uclibc-fixes.patch icedtea-jdk-iconv-uclibc.patch icedtea-jdk-execinfo.patch @@ -64,9 +65,10 @@ prepare() { cd "$_builddir" # Busybox sha256 does not support longopts - sed -e "s/--check/-c/g" -i Makefile.in + sed -e "s/--check/-c/g" -i Makefile.am cp ../icedtea-*.patch patches + patch -p0 < ../build-paxctl.patch } build() { 
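Review bot: The exit status of `patch -p0 < ../build-paxctl.patch` (and of the sed just above it) is never checked, so a patch that fails to apply — its hunk is pinned to line 1334 of the 1.10.4 Makefile.am — lets the build continue with an unmarked bootstrap java; unless abuild runs prepare() under `set -e`, append `|| return 1` to both lines: `sed -e "s/--check/-c/g" -i Makefile.am || return 1` and `patch -p0 < ../build-paxctl.patch || return 1`. Both edits now target Makefile.am rather than Makefile.in, which presumably relies on an autoreconf/autogen step (autoconf and automake are added to makedepends in this commit) to regenerate Makefile.in; that step is not in this hunk, so confirm build() runs it, otherwise neither the sed nor the paxctl patch reaches the generated Makefile. The enclosing prepare() starts before this hunk and build() continues past its end.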
@@ -138,6 +140,10 @@ jrebase() {
 
 # rest of the jre subdir (which were not taken by -jre subpkg)
 mv "$pkgdir"/$INSTALL_BASE/jre "$subpkgdir"/$INSTALL_BASE
+
+ # java vm needs mprotect disabled
+ paxctl -c -m "$subpkgdir"/$INSTALL_BASE/bin/java
+ paxctl -c -m "$subpkgdir"/$INSTALL_BASE/jre/bin/java
 }
 
 jre() {
@@ -164,14 +170,15 @@ doc() {
 }
 
 md5sums="2d2bbbb0f9b81f1fec41ec730da8a933 openjdk-6-src-b22-28_feb_2011.tar.gz
-f3b31b9f591afc752372addacb1eb335 icedtea6-1.10.1.tar.gz
+c381d987f8d2facece8c54e98fd547f8 icedtea6-1.10.4.tar.gz
 afb0c7950a663f94e65da9f3be676d8f apache-ant-1.8.2-bin.tar.gz
 3ccda39bcd08b780436dfd2f22fb23d5 xalan-j_2_7_1-bin-2jars.tar.gz
 138f2d1cddd823281d5dfb700f2bd7d4 Xerces-J-bin.2.9.0.tar.gz
-40d0a9abec8169e42920214b37fa8e0e rhino1_7R2.zip
+99d94103662a8d0b571e247a77432ac5 rhino1_7R3.zip
 91adfd41e6f001add4f92ae31216b1e3 jdk6-jaxws-b20.zip
 ef7a8b3624ea904bf584bc46d79b5e75 jaxp144_01.zip
 bc95c133620bd68c161cac9891592901 jdk6-jaf-b20.zip
+6379a15ae0f4c374c34b908d80e8e4a1 build-paxctl.patch
 dc6a1e28a97d897d7a1057c11696727d icedtea-hotspot-uclibc-fixes.patch
 7c0814181e5adc0763c5c0a24b01d4cb icedtea-jdk-iconv-uclibc.patch
 dae2ba8b87e2106b53974ace07e4ca72 icedtea-jdk-execinfo.patch
diff --git a/main/openjdk6/build-paxctl.patch b/main/openjdk6/build-paxctl.patch
new file mode 100644
index 0000000000..9cd4eebda3
--- /dev/null
+++ b/main/openjdk6/build-paxctl.patch
@@ -0,0 +1,10 @@
+--- Makefile.am.orig
++++ Makefile.am
+@@ -1334,6 +1334,7 @@
+ mkdir -p bootstrap
+ rm -f $(BOOT_DIR)
+ ln -sf $(ICEDTEA_HOME) $(BOOT_DIR); \
++ paxctl -c -m $(BOOT_DIR)/bin/java ; \
+ if ! $(BOOT_DIR)/bin/java -version ; \
+ then \
+ echo "$(BOOT_DIR)/bin/java" \
-- cgit v1.2.3
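Review bot: The two new paxctl calls run unchecked, so if paxctl cannot rewrite the ELF header (or is missing from the build root) the package is still produced and its JVM then faults on a PaX kernel; unless abuild runs these functions with `set -e`, write `paxctl -c -m "$subpkgdir"/$INSTALL_BASE/bin/java || return 1` and the same for `jre/bin/java`. The comment `# java vm needs mprotect disabled` should say what is being traded away, since this deliberately weakens PaX for these binaries: e.g. `# PaX MPROTECT forbids the writable+executable pages the HotSpot JIT needs; clear only the MPROTECT flag (-m) on the launcher binaries, nothing else` — confirm that is the observed failure mode. Only bin/java and jre/bin/java are marked; if the other launchers in bin/ (javac, jar, keytool …) start the same VM they presumably need the same mark, which is worth verifying on a PaX kernel. jrebase() starts before this hunk.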
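Review bot: `paxctl -c -m $(BOOT_DIR)/bin/java` rewrites the ELF program header of whatever $(BOOT_DIR)/bin/java resolves to, and the line just above makes $(BOOT_DIR) a symlink to $(ICEDTEA_HOME), so this edits the bootstrap JDK in place rather than anything inside the build tree; if ICEDTEA_HOME is the installed java-gcj-compat from makedepends, the build is mutating a file owned by another package on the build host (and needs write access to it), which should be confirmed as intended and stated in a comment. The trailing `;` discards paxctl's exit status — perhaps deliberately, for a binary that already carries the PaX header — so the only safeguard is the `-version` probe on the next line; a comment such as `# mark bootstrap java MPROTECT-exempt for PaX kernels; a paxctl failure is tolerated, the -version probe below decides` would keep a later reader from "fixing" the `;` into `&&` without understanding why. The recipe this line sits in continues outside the hunk.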