GNU/Andrew’s Blog

There is a new set of security releases: IcedTea6 1.8.8, IcedTea6 1.9.8 and IcedTea6 1.10.2.

This update contains the following security updates:

• S6213702, CVE-2011-0872: (so) non-blocking sockets with TCP urgent disabled get still selected for read ops (win)
• S6618658, CVE-2011-0865: Vulnerability in deserialization
• S7012520, CVE-2011-0815: Heap overflow vulnerability in FileDialog.show()
• S7013519, CVE-2011-0822, CVE-2011-0862: Integer overflows in 2D code
• S7013969, CVE-2011-0867: NetworkInterface.toString can reveal bindings
• S7013971, CVE-2011-0869: Vulnerability in SAAJ
• S7016340, CVE-2011-0870: Vulnerability in SAAJ
• S7016495, CVE-2011-0868: Crash in Java 2D transforming an image with scale close to zero
• S7020198, CVE-2011-0871: ImageIcon creates Component with null acc
• S7020373, CVE-2011-0864: JSR rewriting can overflow memory address size variables

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What Else Is New?

IcedTea6 1.8.8

• Backports
  • S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
  • S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
  • PR632: patches/security/20110215/6878713.patch breaks shark zero build
  • Fixed AccessControlContext which was thrown while working with Color class in a PropertyEditor
• Plugin
  • PR542: Plugin fails with NPE on http://www.openprocessing.org/visuals/iframe.php?visualID=2615

IcedTea6 1.9.8

• Backports
  • S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
  • S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
  • S6980392, PR642: simple correction in testcase, added missing bracket
  • Fixed AccessControlContext which was thrown while working with Color class in a PropertyEditor
• Plugin
  • PR542: Plugin fails with NPE on http://www.openprocessing.org/visuals/iframe.php?visualID=2615
• Shark
  • PR689: Shark fails to find LLVM 2.9 System headers during build

IcedTea6 1.10.2

• Backports
  • S7043054: REGRESSION – wrong userBounds in Paint.createContext()
  • S7043963, RH698295: Window manager workaround in AWT was not applied to mutter. Now it is.
• Shark
  • PR689: Shark fails to find LLVM 2.9 System headers during build.

The tarballs can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.8.8.tar.gz
• http://icedtea.classpath.org/download/source/icedtea6-1.9.8.tar.gz
• http://icedtea.classpath.org/download/source/icedtea6-1.10.2.tar.gz

SHA256 sums

• 61c0036df25aa0108dba91ab3dd8334e45dd85f8caa6dadf997b10b63a7d280f icedtea6-1.8.8.tar.gz
• ad63b3c4f87df5bf189b3fd2ef5e82f916b4bb22fb3ff107105a14583b38fbc3 icedtea6-1.9.8.tar.gz
• 488af9a6ddebc38344aabdb62798d403ccc477be1076118788f0b146aa3db5ba icedtea6-1.10.2.tar.gz

The following people helped with these releases:

• Deepak Bhole
• Andrew John Hughes
• Denis Lila
• Xerxes Rånby
• Pavel Tisnovsky
• Mark Wielaard

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make