GNU/Andrew’s Blog

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new set of security releases is now available:

• IcedTea6 1.10.10
• IcedTea6 1.11.5
• IcedTea7 2.1.3
• IcedTea7 2.2.3
• IcedTea7 2.3.3

We recommend that users upgrade to the latest release from the appropriate branch as soon as possible.

All updates contain the following security fixes:

• S6631398, CVE-2012-3216: FilePermission improved path checking
• S7093490: adjust package access in rmiregistry
• S7143535, CVE-2012-5068: ScriptEngine corrected permissions
• S7167656, CVE-2012-5077: Multiple Seeders are being created
• S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
• S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
• S7172522, CVE-2012-5072: Improve DomainCombiner checking
• S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
• S7189103, CVE-2012-5069: Executors needs to maintain state
• S7189490: More improvements to DomainCombiner checking
• S7189567, CVE-2012-5085: java net obselete protocol
• S7192975, CVE-2012-5071: Conditional usage check is wrong
• S7195194, CVE-2012-5084: Better data validation for Swing
• S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
• S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without needing to create instance
• S7198296, CVE-2012-5089: Refactor classloader usage
• S7158801: Improve VM CompileOnly option
• S7158804: Improve config file parsing
• S7198606, CVE-2012-4416: Improve VM optimization

The following fix is backported from 2.3.x to all other releases:

• S7158800: Improve storage of symbol tables

Updates for OpenJDK6 also include:

• S7176337: Additional changes needed for 7158801 fix

Updates for OpenJDK7 also include:

• S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
• S7158807: Revise stack management with volatile call sites
• S7163198, CVE-2012-5076: Tightened package accessibility
• S7169887, CVE-2012-5074: Tightened package accessibility
• S7195549, CVE-2012-5087: Better bean object persistence
• S7196190, CVE-2012-5088: Improve method of handling MethodHandles

We believe that the 2.3.3 release takes IcedTea beyond u9[*], providing security updates from u7 and u9 on top of an OpenJDK7 u6 base, along with additional IcedTea patches to allow builds against system libraries and to support more estoric architectures.

Please note support for alternative VM solutions (CACAO, Shark, Zero) may be lacking in this release, as there has been little time for testing non-standard builds, and Zero is known to not work with 2.2.x (and only with 2.3.x via using the HotSpot from 2.1.x). Patches are welcome; please contact the mailing list and/or file bugs under the appropriate component. An update release may follow to correct issues with these builds, if necessary, but we deem it important to get the security updates out for mainstream builds as quickly as possible without further delay.

Full details of each release can be found below.

[*] It is difficult to make authoritative statements about u9 as the release
is proprietary. Oracle still do not provide GPL binaries based on OpenJDK.

What’s New?

New in release 1.10.10 (2012-10-16)

• Security fixes
  • S6631398, CVE-2012-3216: FilePermission improved path checking
  • S7093490: adjust package access in rmiregistry
  • S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  • S7167656, CVE-2012-5077: Multiple Seeders are being created
  • S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  • S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  • S7172522, CVE-2012-5072: Improve DomainCombiner checking
  • S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  • S7189103, CVE-2012-5069: Executors needs to maintain state
  • S7189490: More improvements to DomainCombiner checking
  • S7189567, CVE-2012-5085: java net obselete protocol
  • S7192975, CVE-2012-5071: Conditional usage check is wrong
  • S7195194, CVE-2012-5084: Better data validation for Swing
  • S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  • S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without needing to create instance
  • S7198296, CVE-2012-5089: Refactor classloader usage
  • S7158800: Improve storage of symbol tables
  • S7158801: Improve VM CompileOnly option
  • S7158804: Improve config file parsing
  • S7176337: Additional changes needed for 7158801 fix
  • S7198606, CVE-2012-4416: Improve VM optimization
• Backports
  • S7092186: adjust package access in rmiregistry
• Bug fixes
  • PR1194: IcedTea tries to build with /usr/lib/jvm/java-openjdk (now a 1.7 VM) by default
  • S7175845: “jar uf” changes file permissions unexpectedly
  • S7177216: native2ascii changes file permissions of input file
  • S7199153: TEST_BUG: try-with-resources syntax pushed to 6-open repo

New in release 1.11.5 (2012-10-16)

• Security fixes
  • S6631398, CVE-2012-3216: FilePermission improved path checking
  • S7093490: adjust package access in rmiregistry
  • S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  • S7167656, CVE-2012-5077: Multiple Seeders are being created
  • S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  • S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  • S7172522, CVE-2012-5072: Improve DomainCombiner checking
  • S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  • S7189103, CVE-2012-5069: Executors needs to maintain state
  • S7189490: More improvements to DomainCombiner checking
  • S7189567, CVE-2012-5085: java net obselete protocol
  • S7192975, CVE-2012-5071: Conditional usage check is wrong
  • S7195194, CVE-2012-5084: Better data validation for Swing
  • S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  • S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without needing to create instance
  • S7198296, CVE-2012-5089: Refactor classloader usage
  • S7158800: Improve storage of symbol tables
  • S7158801: Improve VM CompileOnly option
  • S7158804: Improve config file parsing
  • S7176337: Additional changes needed for 7158801 fix
  • S7198606, CVE-2012-4416: Improve VM optimization
• Backports
  • S7175845: “jar uf” changes file permissions unexpectedly
  • S7177216: native2ascii changes file permissions of input file
  • S7199153: TEST_BUG: try-with-resources syntax pushed to 6-open repo
• Bug fixes
  • PR1194: IcedTea tries to build with /usr/lib/jvm/java-openjdk (now a 1.7 VM) by default

New in release 2.1.3 (2012-10-17)

• Security fixes
  • S6631398, CVE-2012-3216: FilePermission improved path checking
  • S7093490: adjust package access in rmiregistry
  • S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  • S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
  • S7158807: Revise stack management with volatile call sites
  • S7163198, CVE-2012-5076: Tightened package accessibility
  • S7167656, CVE-2012-5077: Multiple Seeders are being created
  • S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  • S7169887, CVE-2012-5074: Tightened package accessibility
  • S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  • S7172522, CVE-2012-5072: Improve DomainCombiner checking
  • S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  • S7189103, CVE-2012-5069: Executors needs to maintain state
  • S7189490: More improvements to DomainCombiner checking
  • S7189567, CVE-2012-5085: java net obselete protocol
  • S7192975, CVE-2012-5071: Issue with JMX reflection
  • S7195194, CVE-2012-5084: Better data validation for Swing
  • S7195549, CVE-2012-5087: Better bean object persistence
  • S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  • S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without needing to create instance
  • S7196190, CVE-2012-5088: Improve method of handling MethodHandles
  • S7198296, CVE-2012-5089: Refactor classloader usage
  • S7158801: Improve VM CompileOnly option
  • S7158804: Improve config file parsing
  • S7198606, CVE-2012-4416: Improve VM optimization
• Backports
  • S7175845: “jar uf” changes file permissions unexpectedly
  • S7177216: native2ascii changes file permissions of input file
  • S7106773: 512 bits RSA key cannot work with SHA384 and SHA512
  • S7158800: Improve storage of symbol tables
• Bug fixes
  • Remove merge artefact.
  • Remove the Xp header and library checks.

New in release 2.2.3 (2012-10-17)

• Security fixes
  • S6631398, CVE-2012-3216: FilePermission improved path checking
  • S7093490: adjust package access in rmiregistry
  • S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  • S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
  • S7158807: Revise stack management with volatile call sites
  • S7163198, CVE-2012-5076: Tightened package accessibility
  • S7167656, CVE-2012-5077: Multiple Seeders are being created
  • S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  • S7169887, CVE-2012-5074: Tightened package accessibility
  • S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  • S7172522, CVE-2012-5072: Improve DomainCombiner checking
  • S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  • S7189103, CVE-2012-5069: Executors needs to maintain state
  • S7189490: More improvements to DomainCombiner checking
  • S7189567, CVE-2012-5085: java net obselete protocol
  • S7192975, CVE-2012-5071: Issue with JMX reflection
  • S7195194, CVE-2012-5084: Better data validation for Swing
  • S7195549, CVE-2012-5087: Better bean object persistence
  • S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  • S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without needing to create instance
  • S7196190, CVE-2012-5088: Improve method of handling MethodHandles
  • S7198296, CVE-2012-5089: Refactor classloader usage
  • S7158801: Improve VM CompileOnly option
  • S7158804: Improve config file parsing
  • S7198606, CVE-2012-4416: Improve VM optimization
• Backports
  • S7175845: “jar uf” changes file permissions unexpectedly
  • S7177216: native2ascii changes file permissions of input file
  • S7158800: Improve storage of symbol tables
• Bug fixes
  • Remove merge artefact.
  • Remove the Xp header and library checks.

New in release 2.3.3 (2012-10-17)

• Security fixes
  • S6631398, CVE-2012-3216: FilePermission improved path checking
  • S7093490: adjust package access in rmiregistry
  • S7143535, CVE-2012-5068: ScriptEngine corrected permissions
  • S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp
  • S7158807: Revise stack management with volatile call sites
  • S7163198, CVE-2012-5076: Tightened package accessibility
  • S7167656, CVE-2012-5077: Multiple Seeders are being created
  • S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types
  • S7169887, CVE-2012-5074: Tightened package accessibility
  • S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector
  • S7172522, CVE-2012-5072: Improve DomainCombiner checking
  • S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC
  • S7189103, CVE-2012-5069: Executors needs to maintain state
  • S7189490: More improvements to DomainCombiner checking
  • S7189567, CVE-2012-5085: java net obselete protocol
  • S7192975, CVE-2012-5071: Issue with JMX reflection
  • S7195194, CVE-2012-5084: Better data validation for Swing
  • S7195549, CVE-2012-5087: Better bean object persistence
  • S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved
  • S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without needing to create instance
  • S7196190, CVE-2012-5088: Improve method of handling MethodHandles
  • S7198296, CVE-2012-5089: Refactor classloader usage
  • S7158801: Improve VM CompileOnly option
  • S7158804: Improve config file parsing
  • S7198606, CVE-2012-4416: Improve VM optimization
• Bug fixes
  • Remove merge artefact.
  • Remove the Xp header and library checks.
• JamVM
  • PR1155: Do not put version number in libjvm.so SONAME

The tarballs can be downloaded from:

• http://icedtea.classpath.org/download/source/icedtea6-1.10.10.tar.gz (sig)
• http://icedtea.classpath.org/download/source/icedtea6-1.11.5.tar.gz (sig)
• http://icedtea.classpath.org/download/source/icedtea-2.1.3.tar.gz (sig)
• http://icedtea.classpath.org/download/source/icedtea-2.2.3.tar.gz (sig)
• http://icedtea.classpath.org/download/source/icedtea-2.3.3.tar.gz (sig)

SHA256 checksums:

• 644804a85b5b446d7840e3d11adf45782d73fcd880a2df5403c53c96cc288c3e icedtea6-1.10.10.tar.gz
• 258d81d957f8ab9322fbaf7c90647f27f6b4e675504fa279858e6dfe513f7574 icedtea6-1.11.5.tar.gz
• 1929e57eb6718d30735e1e04e9e129457f845f7d7a8404b2b028740d0779ddb6 icedtea-2.1.3.tar.gz
• 4397ef71a0d729521be70f920bfc3fb6aec3455f1619b538cea75df512df1a16 icedtea-2.2.3.tar.gz
• e5ac5564e00c4a8d7b3376ed6de91b18a2587c8abdad802ccc92c780765b1073 icedtea-2.3.3.tar.gz

Each tarball is accompanied by a digital signature (see above links). This is produced using my public key. See details below.

• PGP Key: 248BDC07 (https://keys.indymedia.org/)
• Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07

The following people helped with these releases:

• Elliott Baron (creation of reproducers for S7163198/S7169887 & S7186286, checking S7189103 & S7189567)
• Deepak Bhole (creation of reproducer for S7093490)
• Severin Gehwolf (creation of reproducers for S7163198/S7169887 & S7186286, checking S7189103 & S7189567)
• Andrew John Hughes (applying all security patches, backports & bug fixes, reproducer runs, release management)
• Omair Majid (creation of reproducers for S7167656, S7172522, S7195549, S7195917 & S7189490)
• Chris Phillips (checking S7143535, S7169884 & S7198606 reproducers)
• Roman Kennke (creation of reproducers for S7158796, S7169888, S7192975 & S7198296)
• Pavel Tisnovsky (additional reproducer runs)
• Mario Torre (creation of reproducers for S6631398, S7195919 & S7196190, checking S7195194 reproducer)
• Jon VanAlten (creation of reproducer for S7158801, checking S7158800, S7158804 & S7158807)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${ver}.tar.gz

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea6-build
$ cd icedtea6-build
$ ../icedtea6-${ver}/configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!