author | glewis <glewis@FreeBSD.org> | 2009-03-05 13:37:21 +0800 |
committer | glewis <glewis@FreeBSD.org> | 2009-03-05 13:37:21 +0800 |
commit | 01be4cd0ef5c68eed384ecb8c26f795883cfd4f1 (patch) | |
tree | bdb9cf174c4c3d230de8ccc7be927dce20913412 /java | |
parent | bd843c9c64fec2d21784a45b8b84b20e917b7afa (diff) | |
. Fix a security hole in the Calendar class which allows the elevation of
permissions within the Java security model.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1
Submitted by: Kurt Miller <kurt@intricatesoftware.com>
Obtained from: OpenBSD
Diffstat (limited to 'java')
-rw-r--r-- | java/jdk15/Makefile | 2 | ||||
-rw-r--r-- | java/jdk15/files/patch-j2se::util::Calendar.java | 92 | ||||
-rw-r--r-- | java/jdk16/Makefile | 2 | ||||
-rw-r--r-- | java/jdk16/files/patch-j2se-util-Calendar.java | 93 |
4 files changed, 187 insertions, 2 deletions
diff --git a/java/jdk15/Makefile b/java/jdk15/Makefile
index 73efeb0f78c..ae63e0135f9 100644
--- a/java/jdk15/Makefile
+++ b/java/jdk15/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= jdk
 PORTVERSION= ${JDK_VERSION}.${JDK_UPDATE_VERSION}p${JDK_PATCHSET_VERSION}
-PORTREVISION= 5
+PORTREVISION= 6
 PORTEPOCH= 1
 CATEGORIES= java devel
 MASTER_SITES= # http://download.java.net/tiger/
diff --git a/java/jdk15/files/patch-j2se::util::Calendar.java b/java/jdk15/files/patch-j2se::util::Calendar.java
new file mode 100644
index 00000000000..09a94a2e2c8
--- /dev/null
+++ b/java/jdk15/files/patch-j2se::util::Calendar.java
@@ -0,0 +1,92 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/java/util/Calendar.java.orig Fri Oct 5 03:18:28 2007
++++ ../../j2se/src/share/classes/java/util/Calendar.java Sat Feb 28 09:34:02 2009
+@@ -23,9 +23,14 @@ package java.util;
+ import java.io.IOException;
+ import java.io.ObjectInputStream;
+ import java.io.ObjectOutputStream;
++import java.io.OptionalDataException;
+ import java.io.Serializable;
++import java.security.AccessControlContext;
+ import java.security.AccessController;
++import java.security.PermissionCollection;
++import java.security.PrivilegedActionException;
+ import java.security.PrivilegedExceptionAction;
++import java.security.ProtectionDomain;
+ import java.text.DateFormat;
+ import sun.text.resources.LocaleData;
+ import sun.util.BuddhistCalendar;
+@@ -2396,6 +2401,18 @@ public abstract class Calendar implements Serializable
+ }
+ }
+
++ private static class CalendarAccessControlContext {
++ private static final AccessControlContext INSTANCE;
++ static {
++ RuntimePermission perm = new RuntimePermission("accessClassInPackage.sun.util.calendar");
++ PermissionCollection perms = perm.newPermissionCollection();
++ perms.add(perm);
++ INSTANCE = new AccessControlContext(new ProtectionDomain[] {
++ new ProtectionDomain(null, perms)
++ });
++ }
++ }
++
+ /**
+ * Reconstitutes this object from a stream (i.e., deserialize it).
+ */
+@@ -2425,17 +2442,30 @@ public abstract class Calendar implements Serializable
+ serialVersionOnStream = currentSerialVersion;
+
+ // If there's a ZoneInfo object, use it for zone.
++ ZoneInfo zi = null;
+ try {
+- ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
+- new PrivilegedExceptionAction() {
+- public Object run() throws Exception {
+- return input.readObject();
+- }
+- });
+- if (zi != null) {
+- zone = zi;
+- }
+- } catch (Exception e) {
++ zi = AccessController.doPrivileged(
++ new PrivilegedExceptionAction<ZoneInfo>() {
++ public ZoneInfo run() throws Exception {
++ return (ZoneInfo) input.readObject();
++ }
++ },
++ CalendarAccessControlContext.INSTANCE);
++ } catch (PrivilegedActionException pae) {
++ Exception e = pae.getException();
++ if (!(e instanceof OptionalDataException)) {
++ if (e instanceof RuntimeException) {
++ throw (RuntimeException) e;
++ } else if (e instanceof IOException) {
++ throw (IOException) e;
++ } else if (e instanceof ClassNotFoundException) {
++ throw (ClassNotFoundException) e;
++ }
++ throw new RuntimeException(e);
++ }
++ }
++ if (zi != null) {
++ zone = zi;
+ }
+
+ // If the deserialized object has a SimpleTimeZone, try to
+@@ -2444,9 +2474,9 @@ public abstract class Calendar implements Serializable
+ // implementation as much as possible.
+ if (zone instanceof SimpleTimeZone) {
+ String id = zone.getID();
+- TimeZone zi = TimeZone.getTimeZone(id);
+- if (zi != null && zi.hasSameRules(zone) && zi.getID().equals(id)) {
+- zone = zi;
++ TimeZone tz = TimeZone.getTimeZone(id);
++ if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
++ zone = tz;
+ }
+ }
+ }
diff --git a/java/jdk16/Makefile b/java/jdk16/Makefile
index 6409516aa06..4f77a49fccb 100644
--- a/java/jdk16/Makefile
+++ b/java/jdk16/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= jdk
 PORTVERSION= ${JDK_VERSION}.${JDK_UPDATE_VERSION}p${JDK_PATCHSET_VERSION}
-PORTREVISION= 8
+PORTREVISION= 9
 CATEGORIES= java devel
 MASTER_SITES= # http://download.java.net/jdk6/
 # http://www.eyesbeyond.com/freebsddom/java/jdk16.html
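Review bot: The cast in `return (ZoneInfo) input.readObject();` throws ClassCastException when the stream carries some other object, and since doPrivileged only wraps checked exceptions in PrivilegedActionException that CCE leaves readObject unwrapped, which as far as I can tell also makes the `e instanceof RuntimeException` arm of the new catch unreachable and lets a malformed stream fail with an unchecked exception instead of an IOException. Reading the value as `Object` and rejecting a non-ZoneInfo with `InvalidObjectException` (from `java.io`, so one more import beside the ones this hunk adds) routes that case through the existing IOException branch. The restricted context is the security point of the change and deserves a comment above `CalendarAccessControlContext`, e.g. `// Code reached through input.readObject() runs with only this one permission, not Calendar's full privileges.`. readObject itself begins before this hunk, and java/jdk16/files/patch-j2se-util-Calendar.java carries the same code.
```java
            public ZoneInfo run() throws Exception {
                Object o = input.readObject();
                if (o != null && !(o instanceof ZoneInfo)) {
                    throw new InvalidObjectException(
                        "expected ZoneInfo, got " + o.getClass().getName());
                }
                return (ZoneInfo) o;
            }
            // … unchanged: catch (PrivilegedActionException pae) handling …
```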
diff --git a/java/jdk16/files/patch-j2se-util-Calendar.java b/java/jdk16/files/patch-j2se-util-Calendar.java
new file mode 100644
index 00000000000..850cb2d2869
--- /dev/null
+++ b/java/jdk16/files/patch-j2se-util-Calendar.java
@@ -0,0 +1,93 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/java/util/Calendar.java.orig Tue Sep 25 00:44:04 2007
++++ ../../j2se/src/share/classes/java/util/Calendar.java Sat Feb 28 09:35:28 2009
+@@ -23,9 +23,14 @@ package java.util;
+ import java.io.IOException;
+ import java.io.ObjectInputStream;
+ import java.io.ObjectOutputStream;
++import java.io.OptionalDataException;
+ import java.io.Serializable;
++import java.security.AccessControlContext;
+ import java.security.AccessController;
++import java.security.PermissionCollection;
++import java.security.PrivilegedActionException;
+ import java.security.PrivilegedExceptionAction;
++import java.security.ProtectionDomain;
+ import java.text.DateFormat;
+ import java.text.DateFormatSymbols;
+ import sun.util.BuddhistCalendar;
+@@ -2599,6 +2604,18 @@ public abstract class Calendar implements Serializable
+ }
+ }
+
++ private static class CalendarAccessControlContext {
++ private static final AccessControlContext INSTANCE;
++ static {
++ RuntimePermission perm = new RuntimePermission("accessClassInPackage.sun.util.calendar");
++ PermissionCollection perms = perm.newPermissionCollection();
++ perms.add(perm);
++ INSTANCE = new AccessControlContext(new ProtectionDomain[] {
++ new ProtectionDomain(null, perms)
++ });
++ }
++ }
++
+ /**
+ * Reconstitutes this object from a stream (i.e., deserialize it).
+ */
+@@ -2628,18 +2645,31 @@ public abstract class Calendar implements Serializable
+ serialVersionOnStream = currentSerialVersion;
+
+ // If there's a ZoneInfo object, use it for zone.
++ ZoneInfo zi = null;
+ try {
+- ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
+- new PrivilegedExceptionAction() {
+- public Object run() throws Exception {
+- return input.readObject();
+- }
+- });
+- if (zi != null) {
+- zone = zi;
+- }
+- } catch (Exception e) {
++ zi = AccessController.doPrivileged(
++ new PrivilegedExceptionAction<ZoneInfo>() {
++ public ZoneInfo run() throws Exception {
++ return (ZoneInfo) input.readObject();
++ }
++ },
++ CalendarAccessControlContext.INSTANCE);
++ } catch (PrivilegedActionException pae) {
++ Exception e = pae.getException();
++ if (!(e instanceof OptionalDataException)) {
++ if (e instanceof RuntimeException) {
++ throw (RuntimeException) e;
++ } else if (e instanceof IOException) {
++ throw (IOException) e;
++ } else if (e instanceof ClassNotFoundException) {
++ throw (ClassNotFoundException) e;
++ }
++ throw new RuntimeException(e);
++ }
+ }
++ if (zi != null) {
++ zone = zi;
++ }
+
+ // If the deserialized object has a SimpleTimeZone, try to
+ // replace it with a ZoneInfo equivalent (as of 1.4) in order
+@@ -2647,9 +2677,9 @@ public abstract class Calendar implements Serializable
+ // implementation as much as possible.
+ if (zone instanceof SimpleTimeZone) {
+ String id = zone.getID();
+- TimeZone zi = TimeZone.getTimeZone(id);
+- if (zi != null && zi.hasSameRules(zone) && zi.getID().equals(id)) {
+- zone = zi;
++ TimeZone tz = TimeZone.getTimeZone(id);
++ if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
++ zone = tz;
+ }
+ }
+ } |