------------------------------------------------------------ revno: 603 committer: Matthias Klose <d...@ubuntu.com> branch nick: openjdk7 timestamp: Wed 2016-05-04 19:29:22 +0200 message: openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium [ Tiago Stürmer Daitx ] * IcedTea release 2.6.6 (based on 7u101): * Security fixes - S8129952, CVE-2016-0686: Ensure thread consistency - S8132051, CVE-2016-0687: Better byte behavior - S8138593, CVE-2016-0695: Make DSA more fair - S8139008: Better state table management - S8143167, CVE-2016-3425: Better buffering of XML strings - S8144430, CVE-2016-3427: Improve JMX connections - S8146494: Better ligature substitution - S8146498: Better device table adjustments * debian/patches/jdk-8152335-improve-methodhandle-consistency.patch: removed, fix is upstream since 2.6.5 [ Matthias Klose ] * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used (Andreas Beckmann). Closes: #821858. -- Matthias Klose <d...@ubuntu.com> Fri, 22 Apr 2016 21:14:22 +0200 removed: patches/jdk-8152335-improve-methodhandle-consistency.patch modified: JB-jre-headless.postinst.in JB-jre-headless.preinst.in changelog control control.in generate-debian-orig.sh patches/it-jamvm-2.0.diff patches/it-set-compiler.diff rules
=== modified file 'JB-jre-headless.postinst.in' --- JB-jre-headless.postinst.in 2013-11-24 19:23:07 +0000 +++ JB-jre-headless.postinst.in 2016-05-04 17:29:22 +0000 @@ -3,6 +3,7 @@ set -e multiarch=@multiarch@ +with_tzdata=@with_tzdata@ priority=@priority@ basedir=/@basedir@ mandir=$basedir/jre/man @@ -132,7 +133,7 @@ rm -f $log esac - if [ -n "$multiarch" ]; then + if [ "$with_tzdata" = yes ] && [ -n "$multiarch" ]; then if [ ! -h /@basedir@/jre/lib/zi ] && [ -d /@basedir@/jre/lib/zi ]; then rm -rf /@basedir@/jre/lib/zi ln -s ../../../../../share/javazi /@basedir@/jre/lib/zi === modified file 'JB-jre-headless.preinst.in' --- JB-jre-headless.preinst.in 2013-11-24 19:23:07 +0000 +++ JB-jre-headless.preinst.in 2016-05-04 17:29:22 +0000 @@ -7,6 +7,7 @@ fi multiarch=@multiarch@ +with_tzdata=@with_tzdata@ basedir=/@basedir@ old_basedir=/usr/lib/jvm/java-7-openjdk jre_tools='java keytool pack200 rmid rmiregistry unpack200 orbd servertool tnameserv' @@ -29,6 +30,13 @@ fi fi fi + + # upgrading from a version that used the timezone files from tzdata-java + if [ "$with_tzdata" != yes ] && [ -n "$multiarch" ]; then + if [ -h /@basedir@/jre/lib/zi ]; then + rm -f /@basedir@/jre/lib/zi + fi + fi ;; esac === modified file 'changelog' --- changelog 2016-04-22 19:21:50 +0000 +++ changelog 2016-05-04 17:29:22 +0000 
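Review bot: Both maintainer scripts now branch on `with_tzdata=@with_tzdata@`, but none of the `rules` hunks in this commit adds a substitution for that placeholder. If the existing template expansion does not already replace `@with_tzdata@`, the variable keeps the literal text: the postinst test `[ "$with_tzdata" = yes ]` is then never true and the preinst test `[ "$with_tzdata" != yes ]` is always true, so the `zi` symlink would be removed on upgrade and never recreated. Please confirm the expansion covers it; since these scripts run as root, a one-line guard after the assignment such as `case "$with_tzdata" in yes|no|'') ;; *) echo "with_tzdata not substituted" >&2; exit 1 ;; esac` would make a missed substitution fail loudly. The `case` arm that the preinst addition sits in starts outside the hunk, so which dpkg actions reach it cannot be checked from here.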
@@ -1,3 +1,25 @@ +openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium + + [ Tiago Stürmer Daitx ] + * IcedTea release 2.6.6 (based on 7u101): + * Security fixes + - S8129952, CVE-2016-0686: Ensure thread consistency + - S8132051, CVE-2016-0687: Better byte behavior + - S8138593, CVE-2016-0695: Make DSA more fair + - S8139008: Better state table management + - S8143167, CVE-2016-3425: Better buffering of XML strings + - S8144430, CVE-2016-3427: Improve JMX connections + - S8146494: Better ligature substitution + - S8146498: Better device table adjustments + * debian/patches/jdk-8152335-improve-methodhandle-consistency.patch: + removed, fix is upstream since 2.6.5 + + [ Matthias Klose ] + * Fix handling of /usr/lib/jvm/*/jre/lib/zi if internal tzdata is used (Andreas + Beckmann). Closes: #821858. + + -- Matthias Klose <d...@ubuntu.com> Fri, 22 Apr 2016 21:14:22 +0200 + openjdk-7 (7u95-2.6.4-3) experimental; urgency=medium [ Tiago Stürmer Daitx ] === modified file 'control' --- control 2015-12-13 13:39:09 +0000 +++ control 2016-05-04 17:29:22 +0000 @@ -1,7 +1,8 @@ Source: openjdk-7 Section: java Priority: optional -Maintainer: OpenJDK Team <open...@lists.launchpad.net> +Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com> +XSBC-Original-Maintainer: OpenJDK Team <open...@lists.launchpad.net> Uploaders: Matthias Klose <d...@ubuntu.com>, Damien Raude-Morvan <draz...@debian.org> Build-Depends: debhelper (>= 5), m4, lsb-release, wget, zip, unzip, sharutils, === modified file 'control.in' --- control.in 2015-12-13 13:39:09 +0000 +++ control.in 2016-05-04 17:29:22 +0000 
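Review bot: `Maintainer` is switched to Ubuntu Developers in `control`, and the same edit is made to the `control.in` template in the next file, while the changelog entry added by this commit targets `experimental`. This looks like the result of an Ubuntu maintainer rewrite being committed to the shared packaging branch; if so, a Debian build from this branch would name the Ubuntu list as maintainer, and bug and security reports would be routed there. If that is not intended, keep `Maintainer: OpenJDK Team <open...@lists.launchpad.net>` in `control.in` and leave the rewrite to the Ubuntu build; if it is intended, a changelog line saying so would help.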
@@ -1,7 +1,8 @@ Source: @basename@ Section: java Priority: optional -Maintainer: OpenJDK Team <open...@lists.launchpad.net> +Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com> +XSBC-Original-Maintainer: OpenJDK Team <open...@lists.launchpad.net> Uploaders: Matthias Klose <d...@ubuntu.com>, Damien Raude-Morvan <draz...@debian.org> Build-Depends: debhelper (>= 5), m4, lsb-release, wget, zip, unzip, sharutils, === modified file 'generate-debian-orig.sh' --- generate-debian-orig.sh 2015-11-26 20:30:42 +0000 +++ generate-debian-orig.sh 2016-05-04 17:29:22 +0000 @@ -1,21 +1,30 @@ #!/bin/sh +# all directories are relative to the current dir + tarballs="corba.tar.bz2 hotspot.tar.bz2 jaxp.tar.bz2 jaxws.tar.bz2 jdk.tar.bz2 langtools.tar.bz2 openjdk.tar.bz2" -# AArch64 hotspot -aarch64_hsname=hotspot-aarch64 -#tarballs="$tarballs $aarch64_hsname.tar.bz2" tarballs="$tarballs icedtea-sound.tar.gz" jamvmtb=jamvm-2.0.0.tar.gz cacaotb=cacao-c182f119eaad.tar.gz -tarballdir=7u91 -version=7u91-2.6.3 + +# tarballs location +tarballdir=7u101 + +# icedtea upstream location (as extracted from icedtea's tarball) +icedtea_checkout=icedtea-2.6.6 + +# openjdk's debian location (usually fetched from bzr or the latest openjdk) +debian_checkout=openjdk7 + base=openjdk-7 +version=7u101-2.6.6 + +# output directory pkgdir=$base-$version + +# new orig file origtar=${base}_${version}.orig.tar.gz -icedtea_checkout=icedtea-2.6.3 -debian_checkout=openjdk7 - if [ -d $pkgdir ]; then echo directory $pkgdir already exists exit 1 === modified file 'patches/it-jamvm-2.0.diff' --- patches/it-jamvm-2.0.diff 2016-04-22 19:21:50 +0000 +++ patches/it-jamvm-2.0.diff 2016-05-04 17:29:22 +0000 @@ -1,5 +1,7 @@ ---- openjdk-7-7u95-2.6.4.orig/Makefile.am -+++ openjdk-7-7u95-2.6.4/Makefile.am +Index: b/Makefile.am +=================================================================== +--- a/Makefile.am 2016-04-22 14:30:30.947084691 -0300 ++++ b/Makefile.am 2016-04-22 14:30:30.943084642 -0300 
@@ -26,8 +26,8 @@ CACAO_SRC_ZIP = cacao-$(CACAO_VERSION).tar.gz CACAO_URL = $(CACAO_BASE_URL)/$(CACAO_SRC_ZIP) @@ -11,16 +13,16 @@ JAMVM_BASE_URL = $(DROP_URL)/jamvm JAMVM_URL = $(JAMVM_BASE_URL)/jamvm-$(JAMVM_VERSION).tar.gz JAMVM_SRC_ZIP = jamvm-$(JAMVM_VERSION).tar.gz -@@ -400,8 +400,6 @@ +@@ -401,8 +401,6 @@ if BUILD_JAMVM ICEDTEA_PATCHES += \ - patches/jamvm/find_class_from_caller.patch \ - patches/jamvm/pr2172-tempdir.patch \ - patches/jamvm/noexecstack.patch + patches/jamvm/noexecstack.patch \ + patches/jamvm/pr2665.patch endif - -@@ -413,6 +411,11 @@ +@@ -415,6 +413,11 @@ ICEDTEA_PATCHES += patches/rh1022017.patch endif @@ -32,7 +34,7 @@ ICEDTEA_PATCHES += $(DISTRIBUTION_PATCHES) # Bootstrapping patches -@@ -2368,7 +2371,7 @@ +@@ -2370,7 +2373,7 @@ stamps/jamvm.stamp: $(OPENJDK_TREE) stamps/rt.stamp if BUILD_JAMVM cd jamvm/jamvm && \ @@ -41,8 +43,10 @@ --prefix=$(abs_top_builddir)/jamvm/install \ CFLAGS='$(EXTRA_CFLAGS_JAMVM)' LDFLAGS='$(EXTRA_LDFLAGS_JAMVM)' CPPFLAGS='$(EXTRA_CPPFLAGS_JAMVM)' CXXFLAGS='$(EXTRA_CXXFLAGS_JAMVM)'; \ $(MAKE) ; \ ---- /dev/null -+++ openjdk-7-7u95-2.6.4/patches/jamvm-2.5.3-fix.diff +Index: b/patches/jamvm-2.5.3-fix.diff +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ b/patches/jamvm-2.5.3-fix.diff 2016-04-22 14:30:30.943084642 -0300 @@ -0,0 +1,76 @@ +--- jamvm/jamvm-2.0.0/src/classlib/openjdk/jvm.c ++++ jamvm/jamvm-2.0.0/src/classlib/openjdk/jvm.c === modified file 'patches/it-set-compiler.diff' --- patches/it-set-compiler.diff 2016-04-22 19:21:50 +0000 +++ patches/it-set-compiler.diff 2016-05-04 17:29:22 +0000 
@@ -2,13 +2,15 @@ Author: Matthias Klose <d...@ubuntu.com> Forwarded: #openjdk on OFTC ---- openjdk-7-7u95-2.6.4.orig/Makefile.am -+++ openjdk-7-7u95-2.6.4/Makefile.am -@@ -616,6 +616,7 @@ +Index: b/Makefile.am +=================================================================== +--- a/Makefile.am 2016-04-22 14:27:57.520981863 -0300 ++++ b/Makefile.am 2016-04-22 14:27:57.516981802 -0300 +@@ -618,6 +618,7 @@ VERBOSE="$(VERBOSE)" \ STATIC_CXX="false" \ BUILD_GCC="$(CC)" \ + BUILD_CPP="$(CXX)" \ BUILD_CXX="$(CXX)" \ - SYSTEM_CUPS="true" \ + SYSTEM_CUPS="${ENABLE_SYSTEM_CUPS}" \ CUPS_LIBS="${CUPS_LIBS}" \ === removed file 'patches/jdk-8152335-improve-methodhandle-consistency.patch' --- patches/jdk-8152335-improve-methodhandle-consistency.patch 2016-04-22 19:21:50 +0000 +++ patches/jdk-8152335-improve-methodhandle-consistency.patch 1970-01-01 00:00:00 +0000 
@@ -1,177 +0,0 @@ -# HG changeset patch -# User poonam -# Date 1458593316 25200 -# Mon Mar 21 13:48:36 2016 -0700 -# Node ID 8b0a075978f66e873d34258b0d6680320aa86f45 -# Parent c69b0765755e604a01d5802df49fbb9e9f8b3327 -8152335: Improve MethodHandle consistency -Reviewed-by: vlivanov, acorn, jrose - -diff --git openjdk/jdk/src/share/classes/java/lang/ClassLoader.java openjdk/jdk/src//share/classes/java/lang/ClassLoader.java ---- openjdk/jdk/src/share/classes/java/lang/ClassLoader.java -+++ openjdk/jdk/src/share/classes/java/lang/ClassLoader.java -@@ -654,6 +654,9 @@ - if (!checkName(name)) - throw new NoClassDefFoundError("IllegalName: " + name); - -+ // Note: Checking logic in java.lang.invoke.MemberName.checkForTypeAlias -+ // relies on the fact that spoofing is impossible if a class has a name -+ // of the form "java.*" - if ((name != null) && name.startsWith("java.")) { - throw new SecurityException - ("Prohibited package name: " + -diff --git openjdk/jdk/src/share/classes/java/lang/invoke/MemberName.java openjdk/jdk/src//share/classes/java/lang/invoke/MemberName.java ---- openjdk/jdk/src/share/classes/java/lang/invoke/MemberName.java -+++ openjdk/jdk/src/share/classes/java/lang/invoke/MemberName.java -@@ -668,7 +668,7 @@ - assert(isResolved() == isResolved); - } - -- void checkForTypeAlias() { -+ void checkForTypeAlias(Class<?> refc) { - if (isInvocable()) { - MethodType type; - if (this.type instanceof MethodType) -@@ -676,16 +676,16 @@ - else - this.type = type = getMethodType(); - if (type.erase() == type) return; -- if (VerifyAccess.isTypeVisible(type, clazz)) return; -- throw new LinkageError("bad method type alias: "+type+" not visible from "+clazz); -+ if (VerifyAccess.isTypeVisible(type, refc)) return; -+ throw new LinkageError("bad method type alias: "+type+" not visible from "+refc); - } else { - Class<?> type; - if (this.type instanceof Class<?>) - type = (Class<?>) this.type; - else - this.type = type = getFieldType(); -- if 
(VerifyAccess.isTypeVisible(type, clazz)) return; -- throw new LinkageError("bad field type alias: "+type+" not visible from "+clazz); -+ if (VerifyAccess.isTypeVisible(type, refc)) return; -+ throw new LinkageError("bad field type alias: "+type+" not visible from "+refc); - } - } - -@@ -844,10 +844,25 @@ - MemberName m = ref.clone(); // JVM will side-effect the ref - assert(refKind == m.getReferenceKind()); - try { -+ // There are 4 entities in play here: -+ // * LC: lookupClass -+ // * REFC: symbolic reference class (MN.clazz before resolution); -+ // * DEFC: resolved method holder (MN.clazz after resolution); -+ // * PTYPES: parameter types (MN.type) -+ // -+ // What we care about when resolving a MemberName is consistency between DEFC and PTYPES. -+ // We do type alias (TA) checks on DEFC to ensure that. DEFC is not known until the JVM -+ // finishes the resolution, so do TA checks right after MHN.resolve() is over. -+ // -+ // All parameters passed by a caller are checked against MH type (PTYPES) on every invocation, -+ // so it is safe to call a MH from any context. -+ // -+ // REFC view on PTYPES doesn't matter, since it is used only as a starting point for resolution and doesn't -+ // participate in method selection. 
- m = MethodHandleNatives.resolve(m, lookupClass); -- m.checkForTypeAlias(); -+ m.checkForTypeAlias(m.getDeclaringClass()); - m.resolution = null; -- } catch (LinkageError ex) { -+ } catch (ClassNotFoundException | LinkageError ex) { - // JVM reports that the "bytecode behavior" would get an error - assert(!m.isResolved()); - m.resolution = ex; -diff --git openjdk/jdk/src/share/classes/java/lang/invoke/MethodHandleNatives.java openjdk/jdk/src//share/classes/java/lang/invoke/MethodHandleNatives.java ---- openjdk/jdk/src/share/classes/java/lang/invoke/MethodHandleNatives.java -+++ openjdk/jdk/src/share/classes/java/lang/invoke/MethodHandleNatives.java -@@ -46,7 +46,7 @@ - - static native void init(MemberName self, Object ref); - static native void expand(MemberName self); -- static native MemberName resolve(MemberName self, Class<?> caller) throws LinkageError; -+ static native MemberName resolve(MemberName self, Class<?> caller) throws LinkageError, ClassNotFoundException; - static native int getMembers(Class<?> defc, String matchName, String matchSig, - int matchFlags, Class<?> caller, int skip, MemberName[] results); - -diff --git openjdk/jdk/src/share/classes/sun/invoke/util/VerifyAccess.java openjdk/jdk/src//share/classes/sun/invoke/util/VerifyAccess.java ---- openjdk/jdk/src/share/classes/sun/invoke/util/VerifyAccess.java -+++ openjdk/jdk/src/share/classes/sun/invoke/util/VerifyAccess.java -@@ -168,22 +168,66 @@ - * @param refc - */ - public static boolean isTypeVisible(Class<?> type, Class<?> refc) { -- if (type == refc) return true; // easy check -+ if (type == refc) { -+ return true; // easy check -+ } - while (type.isArray()) type = type.getComponentType(); -- if (type.isPrimitive() || type == Object.class) return true; -- ClassLoader parent = type.getClassLoader(); -- if (parent == null) return true; -- ClassLoader child = refc.getClassLoader(); -- if (child == null) return false; -- if (parent == child || loadersAreRelated(parent, child, true)) -+ if 
(type.isPrimitive() || type == Object.class) { - return true; -- // Do it the hard way: Look up the type name from the refc loader. -- try { -- Class<?> res = child.loadClass(type.getName()); -- return (type == res); -- } catch (ClassNotFoundException ex) { -+ } -+ ClassLoader typeLoader = type.getClassLoader(); -+ final ClassLoader refcLoader = refc.getClassLoader(); -+ if (typeLoader == refcLoader) { -+ return true; -+ } -+ if (refcLoader == null && typeLoader != null) { - return false; - } -+ if (typeLoader == null && type.getName().startsWith("java.")) { -+ // Note: The API for actually loading classes, ClassLoader.defineClass, -+ // guarantees that classes with names beginning "java." cannot be aliased, -+ // because class loaders cannot load them directly. -+ return true; -+ } -+ -+ // Do it the hard way: Look up the type name from the refc loader. -+ // -+ // Force the refc loader to report and commit to a particular binding for this type name (type.getName()). -+ // -+ // In principle, this query might force the loader to load some unrelated class, -+ // which would cause this query to fail (and the original caller to give up). -+ // This would be wasted effort, but it is expected to be very rare, occurring -+ // only when an attacker is attempting to create a type alias. -+ // In the normal case, one class loader will simply delegate to the other, -+ // and the same type will be visible through both, with no extra loading. -+ // -+ // It is important to go through Class.forName instead of ClassLoader.loadClass -+ // because Class.forName goes through the JVM system dictionary, which records -+ // the class lookup once for all. This means that even if a not-well-behaved class loader -+ // would "change its mind" about the meaning of the name, the Class.forName request -+ // will use the result cached in the JVM system dictionary. Note that the JVM system dictionary -+ // will record the first successful result. Unsuccessful results are not stored. 
-+ // -+ // We use doPrivileged in order to allow an unprivileged caller to ask an arbitrary -+ // class loader about the binding of the proposed name (type.getName()). -+ // The looked up type ("res") is compared for equality against the proposed -+ // type ("type") and then is discarded. Thus, the worst that can happen to -+ // the "child" class loader is that it is bothered to load and report a class -+ // that differs from "type"; this happens once due to JVM system dictionary -+ // memoization. And the caller never gets to look at the alternate type binding -+ // ("res"), whether it exists or not. -+ final String name = type.getName(); -+ Class<?> res = java.security.AccessController.doPrivileged( -+ new java.security.PrivilegedAction<Class>() { -+ public Class<?> run() { -+ try { -+ return Class.forName(name, false, refcLoader); -+ } catch (ClassNotFoundException | LinkageError e) { -+ return null; // Assume the class is not found -+ } -+ } -+ }); -+ return (type == res); - } - - /** === modified file 'rules' --- rules 2016-04-22 19:21:50 +0000 +++ rules 2016-05-04 17:29:22 +0000 @@ -6,8 +6,6 @@ unexport LANG LC_ALL -dh_version := $(shell dpkg-query -f '$${Version}\n' -W debhelper | sed -n 's/^\(.\).*/\1/p') - # using brace expansion and substring replacements (${var:0:2}). SHELL = /bin/bash @@ -375,7 +373,8 @@ endif endif -ifneq (,$(filter $(distrel),squeeze wheezy precise lucid precise trusty vivid wily)) +ifneq (,$(filter $(distrel),squeeze wheezy jessie lucid precise trusty vivid wily)) + # use the timezone files from tzdata-java with_tzdata = yes endif @@ -459,7 +458,6 @@ debian/patches/dnd-files.patch \ debian/patches/jdk-bold-swing-fonts.patch \ debian/patches/javadoc-sort-enum-and-annotation-types.patch \ - debian/patches/jdk-8152335-improve-methodhandle-consistency.patch \ ifeq (,$(filter $(DEB_HOST_ARCH),arm64)) DISTRIBUTION_PATCHES += \ 
@@ -2185,15 +2183,15 @@ --strip-debug $$i; \ objcopy --add-gnu-debuglink $$id $$i; \ else \ - d=usr/lib/debug/.build-id/$${b_id:0:2}; \ - f=$${b_id:2}.debug; \ - mkdir -p $(d_dbg)/$$d; \ - objcopy --only-keep-debug --compress-debug-sections $$i $(d_dbg)/$$d/$$f; \ - chmod 644 $(d_dbg)/$$d/$$f; \ - strip --remove-section=.comment --remove-section=.note $$i; \ - pushd $(d_dbg)/$$d >/dev/null; \ - objcopy --add-gnu-debuglink $$f $(CURDIR)/$$i; \ - popd >/dev/null; \ + d=$(d_dbg)/usr/lib/debug/.build-id/$${b_id:0:2}; \ + mkdir -p $$d; \ + objcopy --only-keep-debug --compress-debug-sections \ + $$i $$d/$$b_id.debug; \ + chmod 644 $$d/$$b_id.debug; \ + strip --remove-section=.comment --remove-section=.note \ + $$i; \ + objcopy --add-gnu-debuglink \ + $$d/$$b_id.debug $$i; \ fi; \ done endif
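Review bot: The detached debug file is now written as `$$d/$$b_id.debug`, that is, the full build ID inside a directory already named after its first two hex digits, whereas the removed lines used `f=$${b_id:2}.debug`. Debuggers resolve build IDs as `.build-id/<first two digits>/<remaining digits>.debug`, so with the new name the symbols would most likely not be found by build ID. I would keep the shortened name: add `f=$${b_id:2}.debug; \` after the `d=` line and use `$$d/$$f` in the two `objcopy` calls and the `chmod`. The commands are still chained with `;`, so a failing `objcopy` does not stop the recipe; the surrounding loop starts outside this hunk.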