Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Sebastiaan Couwenberg
Control: tags -1 pending

On 02/01/2017 10:08 AM, Bas Couwenberg wrote:
> On 2017-02-01 09:35, Bas Couwenberg wrote:
>> Including the JOSM developers (josm-...@openstreetmap.org) is also a
>> good idea, they (and Vincent Privat in particular) have contributed
>> patches to svgSalamander recently.
>>
>> I'll report the issue in the JOSM Trac since it also affects the
>> embedded copy in their upstream SVN repo.
> 
> JOSM issue: https://josm.openstreetmap.de/ticket/14319

Vincent Privat has fixed the issue for JOSM, and I've added a patch to
the svgsalamander Debian package with his changes.

We may want to include the regression test too, but I'm not sure how
that works in svgsalamander.

If we can't do that easily, we should just keep the patch as-is without
the regression tests that are included for JOSM.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Processed: Re: CVE-2017-5617: svgSalamander

2017-02-01 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 pending
Bug #853134 [src:svgsalamander] svgsalamander: CVE-2017-5617
Ignoring request to alter tags of bug #853134 to the same tags previously set

-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Pending fixes for bugs in the svgsalamander package

2017-02-01 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 853134 + pending
Bug #853134 [src:svgsalamander] svgsalamander: CVE-2017-5617
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
853134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#853134: Pending fixes for bugs in the svgsalamander package

2017-02-01 Thread pkg-java-maintainers
tag 853134 + pending
thanks

Some bugs in the svgsalamander package are closed in revision
1831801120fe371f2c19b8fffc11d4188d9ea51c in branch 'master' by Bas
Couwenberg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/svgsalamander.git/commit/?id=1831801

Commit message:

Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).

(closes: #853134)



reproducible.debian.net status changes for ant-contrib

2017-02-01 Thread Reproducible builds folks
2017-02-01 13:28 
https://tests.reproducible-builds.org/debian/unstable/amd64/ant-contrib changed 
from FTBFS -> reproducible



libjide-oss-java_3.6.17+dfsg-1_source.changes ACCEPTED into experimental

2017-02-01 Thread Debian FTP Masters


Accepted:


Format: 1.8
Date: Wed, 01 Feb 2017 23:30:38 +0100
Source: libjide-oss-java
Binary: libjide-oss-java libjide-oss-java-doc
Architecture: source
Version: 3.6.17+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libjide-oss-java - extensible Swing component library for Java
 libjide-oss-java-doc - extensible Swing component library for Java -- documentation
Changes:
 libjide-oss-java (3.6.17+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 3.6.17+dfsg.



Thank you for your contribution to Debian.



Processing of libjide-oss-java_3.6.17+dfsg-1_source.changes

2017-02-01 Thread Debian FTP Masters
libjide-oss-java_3.6.17+dfsg-1_source.changes uploaded successfully to localhost
along with the files:
  libjide-oss-java_3.6.17+dfsg-1.dsc
  libjide-oss-java_3.6.17+dfsg.orig.tar.xz
  libjide-oss-java_3.6.17+dfsg-1.debian.tar.xz
  libjide-oss-java_3.6.17+dfsg-1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



ecj 3.11.1-1 MIGRATED to testing

2017-02-01 Thread Debian testing watch
FYI: The status of the ecj source package
in Debian's testing distribution has changed.

  Previous version: 3.11.0-7
  Current version:  3.11.1-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



ant 1.9.8-3 MIGRATED to testing

2017-02-01 Thread Debian testing watch
FYI: The status of the ant source package
in Debian's testing distribution has changed.

  Previous version: 1.9.7-3
  Current version:  1.9.8-3

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



[Branch ~openjdk/openjdk/openjdk8] Rev 697: * Fix 8164293: HotSpot leaking memory in long-running requests.

2017-02-01 Thread noreply

revno: 697
committer: Matthias Klose 
branch nick: openjdk8
timestamp: Wed 2017-02-01 12:54:31 +0100
message:
* Fix 8164293: HotSpot leaking memory in long-running requests.
  Closes: #853758.
added:
  debian/patches/8164293.diff
modified:
  debian/changelog
  debian/rules


--
lp:~openjdk/openjdk/openjdk8
https://code.launchpad.net/~openjdk/openjdk/openjdk8

Your team Debian Java Maintainers is subscribed to branch 
lp:~openjdk/openjdk/openjdk8.
To unsubscribe from this branch go to 
https://code.launchpad.net/~openjdk/openjdk/openjdk8/+edit-subscription
=== modified file 'debian/changelog'
--- debian/changelog	2017-01-26 14:36:02 +
+++ debian/changelog	2017-02-01 11:54:31 +
@@ -1,8 +1,10 @@
 openjdk-8 (8u121-b13-3) UNRELEASED; urgency=medium
 
   * Really don't build the JamVM VM.
+  * Fix 8164293: HotSpot leaking memory in long-running requests.
+Closes: #853758.
 
- -- Matthias Klose   Tue, 24 Jan 2017 14:38:38 +0100
+ -- Matthias Klose   Wed, 01 Feb 2017 12:52:19 +0100
 
 openjdk-8 (8u121-b13-2) unstable; urgency=medium
 

=== added file 'debian/patches/8164293.diff'
--- debian/patches/8164293.diff	1970-01-01 00:00:00 +
+++ debian/patches/8164293.diff	2017-02-01 11:54:31 +
@@ -0,0 +1,49 @@
+
+# HG changeset patch
+# User jcm
+# Date 1484137609 28800
+# Node ID 8dfbb002197a8e9dfa2881d33ec282fd7a449c25
+# Parent  c7140a91e56a846a9691f81c744fd26609de093c
+8164293: HotSpot leaking memory in long-running requests
+Summary: Applied RMs in sweep_code_cache and related codes.
+Reviewed-by: kvn, thartmann
+
+diff -r c7140a91e56a -r 8dfbb002197a src/share/vm/code/nmethod.cpp
+--- a/hotspot/src/share/vm/code/nmethod.cpp	Thu Jan 05 18:55:20 2017 -0500
 b/hotspot/src/share/vm/code/nmethod.cpp	Wed Jan 11 04:26:49 2017 -0800
+@@ -1151,6 +1151,7 @@
+ // Clear ICStubs of all compiled ICs
+ void nmethod::clear_ic_stubs() {
+   assert_locked_or_safepoint(CompiledIC_lock);
++  ResourceMark rm;
+   RelocIterator iter(this);
+   while(iter.next()) {
+ if (iter.type() == relocInfo::virtual_call_type) {
+diff -r c7140a91e56a -r 8dfbb002197a src/share/vm/runtime/sweeper.cpp
+--- a/hotspot/src/share/vm/runtime/sweeper.cpp	Thu Jan 05 18:55:20 2017 -0500
 b/hotspot/src/share/vm/runtime/sweeper.cpp	Wed Jan 11 04:26:49 2017 -0800
+@@ -319,6 +319,7 @@
+ }
+ 
+ void NMethodSweeper::sweep_code_cache() {
++  ResourceMark rm;
+   Ticks sweep_start_counter = Ticks::now();
+ 
+   _flushed_count= 0;
+@@ -626,6 +627,7 @@
+ // state of the code cache if it's requested.
+ void NMethodSweeper::log_sweep(const char* msg, const char* format, ...) {
+   if (PrintMethodFlushing) {
++ResourceMark rm;
+ stringStream s;
+ // Dump code cache state into a buffer before locking the tty,
+ // because log_state() will use locks causing lock conflicts.
+@@ -643,6 +645,7 @@
+   }
+ 
+   if (LogCompilation && (xtty != NULL)) {
++ResourceMark rm;
+ stringStream s;
+ // Dump code cache state into a buffer before locking the tty,
+ // because log_state() will use locks causing lock conflicts.
+
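Review bot: the new debian/patches/8164293.diff carries only the upstream HG changeset header (User, Date, Node ID, Parent, Reviewed-by) and no DEP-3 fields, so nothing machine-readable records where it came from or which bug it fixes; adding `Origin: upstream, changeset 8dfbb002197a` and `Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853758` at the top would fix that without touching the hunks. On substance, every hunk inserts `ResourceMark rm;` at the start of a scope that allocates from the thread's resource area (the RelocIterator in nmethod::clear_ic_stubs, the sweep loop in NMethodSweeper::sweep_code_cache, and the stringStream buffers in both branches of NMethodSweeper::log_sweep), so those allocations are released when the scope ends instead of piling up for the lifetime of the sweeper thread, which is consistent with the "leaking memory in long-running requests" summary. One thing to verify before relying on this listing: the `+++` file lines for both nmethod.cpp and sweeper.cpp appear here as bare `b/hotspot/...` without their `+++` prefix, so check that the committed file is intact and applies at the strip level debian/rules uses for the other hotspot patches.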

=== modified file 'debian/rules'
--- debian/rules	2017-01-26 14:36:02 +
+++ debian/rules	2017-02-01 11:54:31 +
@@ -395,6 +395,7 @@
 	openjdk-ppc64el-S8170153.patch \
 	jdk-ppc64el-S8170153.patch \
 	jdk-841269-filechooser.patch \
+	8164293.diff \
 
 #	jdk-derived-font-size.diff \
 # FIXME: update patches
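Review bot: `8164293.diff \` is appended as the last entry of the patch list and keeps the trailing backslash, so the following blank line still terminates the variable as it did before; that is correct. Minor style point: the three live entries above it end in `.patch` while the new one ends in `.diff` (the list already mixes both, see the commented-out `jdk-derived-font-size.diff`), so consider settling on one suffix the next time this list is touched.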


[Branch ~openjdk/openjdk/openjdk8] Rev 698: - bump debhelper level

2017-02-01 Thread noreply

revno: 698
committer: Matthias Klose 
branch nick: openjdk8
timestamp: Wed 2017-02-01 12:54:55 +0100
message:
   - bump debhelper level
modified:
  debian/compat


--
lp:~openjdk/openjdk/openjdk8
https://code.launchpad.net/~openjdk/openjdk/openjdk8

Your team Debian Java Maintainers is subscribed to branch 
lp:~openjdk/openjdk/openjdk8.
To unsubscribe from this branch go to 
https://code.launchpad.net/~openjdk/openjdk/openjdk8/+edit-subscription
=== modified file 'debian/compat'
--- debian/compat	2014-05-29 08:50:43 +
+++ debian/compat	2017-02-01 11:54:55 +
@@ -1,1 +1,1 @@
-5
+9
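Review bot: raising debian/compat from 5 to 9 in a revision that modifies only this file leaves the rest of the packaging out of step: compat 9 requires `Build-Depends: debhelper (>= 9)` in debian/control, and it changes build behaviour (dh_auto_* pass the dpkg-buildflags hardening flags and multiarch library paths by default), which warrants a debian/changelog entry. The commit message `- bump debhelper level` should also name the old and new levels (5 -> 9) so the jump is visible in the history.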


Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Bas Couwenberg

On 2017-02-01 09:35, Bas Couwenberg wrote:
> Including the JOSM developers (josm-...@openstreetmap.org) is also a
> good idea, they (and Vincent Privat in particular) have contributed
> patches to svgSalamander recently.
>
> I'll report the issue in the JOSM Trac since it also affects the
> embedded copy in their upstream SVN repo.

JOSM issue: https://josm.openstreetmap.de/ticket/14319

Kind Regards,

Bas



Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Bas Couwenberg

Hi Felix,

On 2017-02-01 09:13, Felix Natter wrote:
> there is a security vulnerability in svgSalamander:
>   https://github.com/blackears/svgSalamander/issues/11

I've been following that issue since it popped up on my DMD TODO list.

> The problem occurs when including raster/svg images via .
> The reporter says "How to fix - any schemes apart from data in the
> xlink:href attribute should be disallowed"

The fix for svgSalamander is probably to patch the code which handles
xlink:href and return NULL for any value that doesn't start with
"data:", or something along those lines.

> --> I am not aware of svgSalamander properties (the only other toggle I
> can think of is java system properties), so can we _disable_ other
> schemes? I don't think that breaks SVG rendering in Freeplane, how
> about josm / other applications?

I don't know if it will break JOSM, but I suspect it won't. We'll have
to test it with the patched svgsalamander when it's available.

> http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
> --> data: schema seems to provide a way for including base64 encoded
> raster/svg images inline in an SVG.
>
> --> Can we discuss how to fix this?

Sure, ideally upstream is included in that discussion.

> Or shall we wait until Mark (the upstream author) fixes this
> (might take a month)? Or at least ping him for a solution?

Pinging him is a good idea, upstream needs to be involved in resolving
this issue.

Including the JOSM developers (josm-...@openstreetmap.org) is also a
good idea, they (and Vincent Privat in particular) have contributed
patches to svgSalamander recently.

I'll report the issue in the JOSM Trac since it also affects the
embedded copy in their upstream SVN repo.


Kind Regards,

Bas
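The xlink:href check Bas sketches above (resolve only `data:` URIs, return null for anything else), and the base64 inline embedding Felix asks about, written out as an added Java example; this is not svgSalamander's or JOSM's code, the class and method names are assumptions, and the 1x1 GIF payload is a constructed sample:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Hypothetical helper (added here, not svgSalamander's own code): the only
 * xlink:href values an SVG image element may resolve are RFC 2397 data: URIs.
 * Every other scheme (http, https, file, jar, ...) yields null, so the renderer
 * never performs a network or filesystem fetch chosen by the document author,
 * which is the SSRF behind CVE-2017-5617.
 */
public final class ImageHrefPolicy {

    /** Decoded image bytes for a base64 data: URI, or null when the href must be ignored. */
    public static byte[] resolveImageHref(String href) {
        if (href == null) {
            return null;
        }
        String value = href.trim();
        int colon = value.indexOf(':');
        // Scheme names are case-insensitive, so compare the scheme itself rather
        // than a literal "data:" prefix, otherwise "DATA:" would be refused too.
        if (colon <= 0 || !"data".equalsIgnoreCase(value.substring(0, colon))) {
            return null;
        }
        int comma = value.indexOf(',', colon);
        if (comma < 0) {
            return null;  // malformed data URI: no payload separator
        }
        String mediaType = value.substring(colon + 1, comma);   // e.g. image/png;base64
        if (!mediaType.toLowerCase().endsWith(";base64")) {
            return null;  // this example only accepts the base64 form used for raster embedding
        }
        // Attribute values may be wrapped across lines; strict decoding after stripping whitespace.
        String payload = value.substring(comma + 1).replaceAll("\\s+", "");
        try {
            return Base64.getDecoder().decode(payload);
        } catch (IllegalArgumentException badBase64) {
            return null;  // corrupt payload: treat the image as absent rather than failing the render
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an inline 1x1 GIF that is accepted, and hrefs that must be refused.
        String inline = "data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==";
        byte[] image = resolveImageHref(inline);
        boolean isGif = image != null && "GIF".equals(new String(image, 0, 3, StandardCharsets.US_ASCII));
        System.out.println("inline GIF accepted: " + isGif);
        for (String href : new String[] {"https://example.org/logo.png", "file:///tmp/logo.png", "DATA:image/png;base64"}) {
            System.out.println(href + " -> " + (resolveImageHref(href) == null ? "ignored" : "resolved"));
        }
    }
}
```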



Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Felix Natter
hello d-gis/Bas,

there is a security vulnerability in svgSalamander:
  https://github.com/blackears/svgSalamander/issues/11

The problem occurs when including raster/svg images via .
The reporter says "How to fix - any schemes apart from data in the
xlink:href attribute should be disallowed"

--> I am not aware of svgSalamander properties (the only other toggle I
can think of is java system properties), so can we _disable_ other
schemes? I don't think that breaks SVG rendering in Freeplane, how
about josm / other applications?

http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
--> data: schema seems to provide a way for including base64 encoded
raster/svg images inline in an SVG.

--> Can we discuss how to fix this?

Or shall we wait until Mark (the upstream author) fixes this
(might take a month)? Or at least ping him for a solution?

Cheers and Best Regards,
-- 
Felix Natter
