cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

. Fix a security hole in the Calendar class which allows the elevation of

Browse Source 
permissions within the Java security model.

  http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1

Submitted by:	Kurt Miller <kurt@intricatesoftware.com>
Obtained from:	OpenBSD
This commit is contained in:
Greg Lewis 2009-03-05 05:37:21 +00:00
parent 21d53044dd
commit 64f95ae234
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=229509
4 changed files with 187 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
java/jdk15/Makefile
View File

@ -7,7 +7,7 @@
PORTNAME= jdk
PORTVERSION= ${JDK_VERSION}.${JDK_UPDATE_VERSION}p${JDK_PATCHSET_VERSION}
PORTREVISION= 5
PORTREVISION= 6
PORTEPOCH= 1
CATEGORIES= java devel
MASTER_SITES= # http://download.java.net/tiger/

92
java/jdk15/files/patch-j2se::util::Calendar.java Normal file
View File

@ -0,0 +1,92 @@
$FreeBSD$
--- ../../j2se/src/share/classes/java/util/Calendar.java.orig Fri Oct 5 03:18:28 2007
+++ ../../j2se/src/share/classes/java/util/Calendar.java Sat Feb 28 09:34:02 2009
@@ -23,9 +23,14 @@ package java.util;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
+import java.io.OptionalDataException;
import java.io.Serializable;
+import java.security.AccessControlContext;
import java.security.AccessController;
+import java.security.PermissionCollection;
+import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
import java.text.DateFormat;
import sun.text.resources.LocaleData;
import sun.util.BuddhistCalendar;
@@ -2396,6 +2401,18 @@ public abstract class Calendar implements Serializable
}
}
+ private static class CalendarAccessControlContext {
+ private static final AccessControlContext INSTANCE;
+ static {
+ RuntimePermission perm = new RuntimePermission("accessClassInPackage.sun.util.calendar");
+ PermissionCollection perms = perm.newPermissionCollection();
+ perms.add(perm);
+ INSTANCE = new AccessControlContext(new ProtectionDomain[] {
+ new ProtectionDomain(null, perms)
+ });
+ }
+ }
+
/**
* Reconstitutes this object from a stream (i.e., deserialize it).
*/
@@ -2425,17 +2442,30 @@ public abstract class Calendar implements Serializable
serialVersionOnStream = currentSerialVersion;
// If there's a ZoneInfo object, use it for zone.
+ ZoneInfo zi = null;
try {
- ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
- new PrivilegedExceptionAction() {
- public Object run() throws Exception {
- return input.readObject();
- }
- });
- if (zi != null) {
- zone = zi;
- }
- } catch (Exception e) {
+ zi = AccessController.doPrivileged(
+ new PrivilegedExceptionAction<ZoneInfo>() {
+ public ZoneInfo run() throws Exception {
+ return (ZoneInfo) input.readObject();
+ }
+ },
+ CalendarAccessControlContext.INSTANCE);
+ } catch (PrivilegedActionException pae) {
+ Exception e = pae.getException();
+ if (!(e instanceof OptionalDataException)) {
+ if (e instanceof RuntimeException) {
+ throw (RuntimeException) e;
+ } else if (e instanceof IOException) {
+ throw (IOException) e;
+ } else if (e instanceof ClassNotFoundException) {
+ throw (ClassNotFoundException) e;
+ }
+ throw new RuntimeException(e);
+ }
+ }
+ if (zi != null) {
+ zone = zi;
}
// If the deserialized object has a SimpleTimeZone, try to
@@ -2444,9 +2474,9 @@ public abstract class Calendar implements Serializable
// implementation as much as possible.
if (zone instanceof SimpleTimeZone) {
String id = zone.getID();
- TimeZone zi = TimeZone.getTimeZone(id);
- if (zi != null && zi.hasSameRules(zone) && zi.getID().equals(id)) {
- zone = zi;
+ TimeZone tz = TimeZone.getTimeZone(id);
+ if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
+ zone = tz;
}
}
}

2
java/jdk16/Makefile
View File

@ -7,7 +7,7 @@
PORTNAME= jdk
PORTVERSION= ${JDK_VERSION}.${JDK_UPDATE_VERSION}p${JDK_PATCHSET_VERSION}
PORTREVISION= 8
PORTREVISION= 9
CATEGORIES= java devel
MASTER_SITES= # http://download.java.net/jdk6/
# http://www.eyesbeyond.com/freebsddom/java/jdk16.html

93
java/jdk16/files/patch-j2se-util-Calendar.java Normal file
View File

@ -0,0 +1,93 @@
$FreeBSD$
--- ../../j2se/src/share/classes/java/util/Calendar.java.orig Tue Sep 25 00:44:04 2007
+++ ../../j2se/src/share/classes/java/util/Calendar.java Sat Feb 28 09:35:28 2009
@@ -23,9 +23,14 @@ package java.util;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
+import java.io.OptionalDataException;
import java.io.Serializable;
+import java.security.AccessControlContext;
import java.security.AccessController;
+import java.security.PermissionCollection;
+import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
import java.text.DateFormat;
import java.text.DateFormatSymbols;
import sun.util.BuddhistCalendar;
@@ -2599,6 +2604,18 @@ public abstract class Calendar implements Serializable
}
}
+ private static class CalendarAccessControlContext {
+ private static final AccessControlContext INSTANCE;
+ static {
+ RuntimePermission perm = new RuntimePermission("accessClassInPackage.sun.util.calendar");
+ PermissionCollection perms = perm.newPermissionCollection();
+ perms.add(perm);
+ INSTANCE = new AccessControlContext(new ProtectionDomain[] {
+ new ProtectionDomain(null, perms)
+ });
+ }
+ }
+
/**
* Reconstitutes this object from a stream (i.e., deserialize it).
*/
@@ -2628,18 +2645,31 @@ public abstract class Calendar implements Serializable
serialVersionOnStream = currentSerialVersion;
// If there's a ZoneInfo object, use it for zone.
+ ZoneInfo zi = null;
try {
- ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
- new PrivilegedExceptionAction() {
- public Object run() throws Exception {
- return input.readObject();
- }
- });
- if (zi != null) {
- zone = zi;
- }
- } catch (Exception e) {
+ zi = AccessController.doPrivileged(
+ new PrivilegedExceptionAction<ZoneInfo>() {
+ public ZoneInfo run() throws Exception {
+ return (ZoneInfo) input.readObject();
+ }
+ },
+ CalendarAccessControlContext.INSTANCE);
+ } catch (PrivilegedActionException pae) {
+ Exception e = pae.getException();
+ if (!(e instanceof OptionalDataException)) {
+ if (e instanceof RuntimeException) {
+ throw (RuntimeException) e;
+ } else if (e instanceof IOException) {
+ throw (IOException) e;
+ } else if (e instanceof ClassNotFoundException) {
+ throw (ClassNotFoundException) e;
+ }
+ throw new RuntimeException(e);
+ }
}
+ if (zi != null) {
+ zone = zi;
+ }
// If the deserialized object has a SimpleTimeZone, try to
// replace it with a ZoneInfo equivalent (as of 1.4) in order
@@ -2647,9 +2677,9 @@ public abstract class Calendar implements Serializable
// implementation as much as possible.
if (zone instanceof SimpleTimeZone) {
String id = zone.getID();
- TimeZone zi = TimeZone.getTimeZone(id);
- if (zi != null && zi.hasSameRules(zone) && zi.getID().equals(id)) {
- zone = zi;
+ TimeZone tz = TimeZone.getTimeZone(id);
+ if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
+ zone = tz;
}
}
}