On Thu, 03. Mar 22:30 tony mancill <tmanc...@debian.org> wrote:
> On 03/03/2016 12:49 PM, Markus Koschany wrote:
> > Am 03.03.2016 um 05:03 schrieb tony mancill:
> >> Control: -1 tag  + confirmed
> >> Control: -1 owner tmanc...@debian.org
> >>
> >> On 02/29/2016 11:05 PM, Chris Lamb wrote:
> >>> Source: jedit
> >>> Version: 5.3.0+dfsg-1
> >>> Severity: serious
> >>> Justification: fails to build from source
> >>
> >>>       [javac] 
> >>> /home/lamby/temp/cdt.20160301065925.cu0iTWjXkj/jedit-5.3.0+dfsg/org/gjt/sp/jedit/bsh/XThis.java:128:
> >>>  error: cannot find symbol
> >>>       [javac]                     throw new NotSerializableException();
> >>
> >> Thanks for the bug report.  Looks like we have a bit of porting for the
> >> latest bsh upload.
> >>
> >
> > Sorry for the inconvenience. If there is more involved than importing
> > the missing class, please let me know and I'll try to fix it.
>
> Hi Markus,
>
> No inconvenience at all. The issue seems to be with the upstream patch
> for CVE-2016-2510, which drops the java.io.Serializable interface from
> the InvocationHandler, but then references the ObjectStreamException and
> NotSerializableException classes from that package.
>
> I was able to get things working for jedit by applying the following
> patch (also attached), building a new bsh-src package locally, and using
> that for the jedit build.
>
> > diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch 
> > bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> > --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch    2016-03-02 
> > 20:24:07.000000000 -0800
> > +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch    2016-03-03 
> > 22:10:57.000000000 -0800
> > @@ -35,8 +35,8 @@
> >  -  class Handler implements InvocationHandler, java.io.Serializable
> >  +  class Handler implements InvocationHandler
> >     {
> > -+          private Object readResolve() throws ObjectStreamException {
> > -+                  throw new NotSerializableException();
> > ++          private Object readResolve() throws 
> > java.io.ObjectStreamException {
> > ++                  throw new java.io.NotSerializableException();
> >  +          }
> >  +
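Review bot: the fix in this hunk, qualifying the two exception types as java.io.ObjectStreamException and java.io.NotSerializableException, is the right minimal change: the javac error quoted above (`cannot find symbol` at the `throw new NotSerializableException();` line in jedit's copy of XThis.java) means that file has no import covering those classes, so the simple names in the original patch only compile where an `import java.io.*;` happens to be present. The readResolve() guard that rejects deserialization of the handler keeps exactly the same behaviour. One caveat for anyone applying this from the mail body: the mail client has wrapped the `++          private Object readResolve() throws` line and the `---`/`+++` file headers onto two lines, so the hunk will not apply as quoted here; use the attached copy instead.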
>
> So, if you're okay with the patch, could you apply it and upload an
> updated bsh?  Or do you mind if I do?

Hi tony,

I can upload a new revision of bsh with this change later. I'm just wondering
why we need to use java.io.ObjectStreamException and
java.io.NotSerializableException explicitly because these classes are already
imported in bsh's XThis.java.

import java.io.*;

Anyway, it doesn't change the intention of the patch and should be safe.

Cheers,

Markus
