From e5d80a29ca4422e275d4af152f0aa80d6ad520bd Mon Sep 17 00:00:00 2001
From: justinwm
Date: Mon, 12 Jun 2023 15:13:13 +0800
Subject: [PATCH 1/2] fix-CVE-2023-21939
---
 fix-CVE-2023-21939.patch | 155 +++++++++++++++++++++++++++++++++++++++
 openjdk-1.8.0.spec | 7 +-
 2 files changed, 161 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2023-21939.patch
diff --git a/fix-CVE-2023-21939.patch b/fix-CVE-2023-21939.patch
new file mode 100644
index 0000000..1f181bd
--- /dev/null
+++ b/fix-CVE-2023-21939.patch
@@ -0,0 +1,155 @@
+From b6d02586c0294ea17ebc77da95332303c8db6383 Mon Sep 17 00:00:00 2001
+From: justinwm
+Date: Mon, 12 Jun 2023 12:08:47 +0800
+Subject: [PATCH] fix-CVE-2023-21939
+
+---
+ .../javax/swing/plaf/basic/BasicHTML.java | 26 +++++++++++++++++--
+ .../javax/swing/text/html/HTMLEditorKit.java | 7 ++++-
+ .../javax/swing/text/html/ObjectView.java | 10 +++++++
+ .../classes/sun/swing/SwingAccessor.java | 15 +++++++++++
+ 4 files changed, 55 insertions(+), 3 deletions(-)
+
+diff --git a/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java b/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java
+index 250c6d4..9a1b1e2 100644
+--- a/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java
++++ b/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java
+@@ -33,6 +33,7 @@ import javax.swing.*;
+ import javax.swing.text.*;
+ import javax.swing.text.html.*;
+
++import sun.swing.SwingAccessor;
+ import sun.swing.SwingUtilities2;
+
+ /**
+@@ -204,7 +205,7 @@ public class BasicHTML {
+ View value = null;
+ View oldValue = (View)c.getClientProperty(BasicHTML.propertyKey);
+ Boolean htmlDisabled = (Boolean) c.getClientProperty(htmlDisable);
+- if (htmlDisabled != Boolean.TRUE && BasicHTML.isHTMLString(text)) {
++ if (!(Boolean.TRUE.equals(htmlDisabled)) && BasicHTML.isHTMLString(text)) {
+ value = BasicHTML.createHTMLView(c, text);
+ }
+ if (value != oldValue && oldValue != null) {
+@@ -361,13 +362,34 @@ public class BasicHTML {
+ public View create(Element elem) {
+ View view = super.create(elem);
+
++ View view = null;
++ try {
++ setAllowHTMLObject();
++ view = super.create(elem);
++ } finally {
++ clearAllowHTMLObject();
++ }
+ if (view instanceof ImageView) {
+ ((ImageView)view).setLoadsSynchronously(true);
+ }
+ return view;
+ }
+- }
+
++ private static Boolean useOV = null;
++
++ private static void setAllowHTMLObject() {
++ if (useOV == null) {
++ useOV = java.security.AccessController.doPrivileged(
++ new sun.security.action.GetBooleanAction(
++ "swing.html.object"));
++ };
++ SwingAccessor.setAllowHTMLObject(useOV);
++ }
++
++ private static void clearAllowHTMLObject() {
++ SwingAccessor.setAllowHTMLObject(null);
++ }
++ }
+
+ /**
+ * The subclass of HTMLDocument that is used as the model. getForeground
+diff --git a/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java b/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java
+index 425ba5f..3c2da35 100644
+--- a/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java
++++ b/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java
+@@ -40,6 +40,7 @@ import javax.accessibility.*;
+ import java.lang.ref.*;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
++import sun.swing.SwingAccessor;
+
+ /**
+ * The Swing JEditorPane text component supports different kinds
+@@ -1182,7 +1183,11 @@ public class HTMLEditorKit extends StyledEditorKit implements Accessible {
+ (kind == HTML.Tag.TEXTAREA)) {
+ return new FormView(elem);
+ } else if (kind == HTML.Tag.OBJECT) {
+- return new ObjectView(elem);
++ if (SwingAccessor.getAllowHTMLObject()) {
++ return new ObjectView(elem);
++ } else {
++ return new ObjectView(elem, false);
++ }
+ } else if (kind == HTML.Tag.FRAMESET) {
+ if (elem.getAttributes().isDefined(HTML.Attribute.ROWS)) {
+ return new FrameSetView(elem, View.Y_AXIS);
+diff --git a/openjdk/jdk/src/share/classes/javax/swing/text/html/ObjectView.java b/openjdk/jdk/src/share/classes/javax/swing/text/html/ObjectView.java
+index e163d3e..7673436 100644
+--- a/openjdk/jdk/src/share/classes/javax/swing/text/html/ObjectView.java
++++ b/openjdk/jdk/src/share/classes/javax/swing/text/html/ObjectView.java
+@@ -72,6 +72,8 @@ import sun.reflect.misc.ReflectUtil;
+ */
+ public class ObjectView extends ComponentView {
+
++ private boolean createComp = true; // default
++
+ /**
+ * Creates a new ObjectView object.
+ *
+@@ -81,12 +83,20 @@ public class ObjectView extends ComponentView {
+ super(elem);
+ }
+
++ ObjectView(Element elem, boolean createComp) {
++ super(elem);
++ this.createComp = createComp;
++ }
++
+ /**
+ * Create the component. The classid is used
+ * as a specification of the classname, which
+ * we try to load.
+ */
+ protected Component createComponent() {
++ if (!createComp) {
++ return getUnloadableRepresentation();
++ }
+ AttributeSet attr = getElement().getAttributes();
+ String classname = (String) attr.getAttribute(HTML.Attribute.CLASSID);
+ try {
+diff --git a/openjdk/jdk/src/share/classes/sun/swing/SwingAccessor.java b/openjdk/jdk/src/share/classes/sun/swing/SwingAccessor.java
+index 797802a..8cec052 100644
+--- a/openjdk/jdk/src/share/classes/sun/swing/SwingAccessor.java
++++ b/openjdk/jdk/src/share/classes/sun/swing/SwingAccessor.java
+@@ -156,4 +156,19 @@ public final class SwingAccessor {
+ }
+ return repaintManagerAccessor;
+ }
++
++ private static ThreadLocal tlObj = new ThreadLocal();
++
++ public static Boolean getAllowHTMLObject() {
++ Boolean b = tlObj.get();
++ if (b == null) {
++ return Boolean.TRUE;
++ } else {
++ return b;
++ }
++ }
++
++ public static void setAllowHTMLObject(Boolean val) {
++ tlObj.set(val);
++ }
+ }
+--
+2.39.2 (Apple Git-143)
+
diff --git a/openjdk-1.8.0.spec b/openjdk-1.8.0.spec
index f1c6fec..ad08c9e 100644
--- a/openjdk-1.8.0.spec
+++ b/openjdk-1.8.0.spec
@@ -916,7 +916,7 @@ Provides: java-%{javaver}-%{origin}-accessibility%{?1} = %{epoch}:%{version}-%{r
 Name: java-%{javaver}-%{origin}
 Version: %{javaver}.%{updatever}.%{buildver}
-Release: 2
+Release: 3
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
 # and this change was brought into RHEL-4. java-1.5.0-ibm packages
 # also included the epoch in their virtual provides. This created a
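Review bot: `SwingAccessor.getAllowHTMLObject()` returns `Boolean.TRUE` whenever the thread-local is unset, so the `HTML.Tag.OBJECT` branch in HTMLEditorKit.java builds the non-loading `new ObjectView(elem, false)` only while `BasicHTMLViewFactory.create()` is running; every other user of `HTMLFactory.create()` (presumably `JEditorPane` documents) still gets an `ObjectView` that loads the class named by `classid`. Neither the patch nor the spec changelog states that scope, so I would document it on the getter, e.g. `// unset (null) = caller is not BasicHTML; object tags stay enabled`, and note that setting the `swing.html.object` system property turns class loading back on for component text. As rendered here `tlObj` is a raw, non-final `ThreadLocal`, with which `Boolean b = tlObj.get();` would not compile, so the type argument was probably lost in extraction; if it is really missing, declare `private static final ThreadLocal<Boolean> tlObj`. `setAllowHTMLObject(null)` could also call `tlObj.remove()` instead of storing null, so no entry lingers on the thread.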
@@ -1136,6 +1136,7 @@ Patch241: 8268819-SA-Remove-libthread_db-dependency-on-Linux.patch
 Patch242: fix-make-bugs-when-git-and-hg-not-exist.patch
 Patch243: Fix-compile-and-runtime-failures-for-minimal1-versio.patch
 Patch244: fix_X509TrustManagerImpl_symantec_distrust.patch
+Patch245: fix-CVE-2023-21939.patch
 #############################################
 #
@@ -1614,6 +1615,7 @@ pushd %{top_level_dir_name}
 %patch242 -p1
 %patch243 -p1
 %patch244 -p1
+%patch245 -p1
 popd
 # System library fixes
@@ -2238,6 +2240,9 @@ cjc.mainProgram(arg)
 %endif
 %changelog
+* Mon Jun 12 2023 justinwm - 1:1.8.0.332-b09.3
+- add fix-CVE-2023-21939.patch
+
 * Thu Apr 28 2022 kuenking111 - 1:1.8.0.332-b09.2
 - add fix_X509TrustManagerImpl_symantec_distrust.patch
--
Gitee
From 60e325d768e2711130d5f505ae3712e844589740 Mon Sep 17 00:00:00 2001
From: justinwm
Date: Mon, 12 Jun 2023 16:10:48 +0800
Subject: [PATCH 2/2] update fix-CVE-2023-21939.patch
---
 fix-CVE-2023-21939.patch | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/fix-CVE-2023-21939.patch b/fix-CVE-2023-21939.patch
index 1f181bd..4e5b275 100644
--- a/fix-CVE-2023-21939.patch
+++ b/fix-CVE-2023-21939.patch
@@ -1,17 +1,17 @@
-From b6d02586c0294ea17ebc77da95332303c8db6383 Mon Sep 17 00:00:00 2001
+From 86971aa3cf1328abf9ba28e6d79099ec37bf6838 Mon Sep 17 00:00:00 2001
 From: justinwm
-Date: Mon, 12 Jun 2023 12:08:47 +0800
-Subject: [PATCH] fix-CVE-2023-21939
+Date: Mon, 12 Jun 2023 16:06:20 +0800
+Subject: fix-CVE-2023-21939
 ---
- .../javax/swing/plaf/basic/BasicHTML.java | 26 +++++++++++++++++--
+ .../javax/swing/plaf/basic/BasicHTML.java | 27 ++++++++++++++++---
  .../javax/swing/text/html/HTMLEditorKit.java | 7 ++++-
  .../javax/swing/text/html/ObjectView.java | 10 +++++++
  .../classes/sun/swing/SwingAccessor.java | 15 +++++++++++
- 4 files changed, 55 insertions(+), 3 deletions(-)
+ 4 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java b/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java -index 250c6d4..9a1b1e2 100644 +index 250c6d4..b13a9a1 100644 --- a/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java +++ b/openjdk/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java @@ -33,6 +33,7 @@ import javax.swing.*; @@ -31,9 +31,11 @@ index 250c6d4..9a1b1e2 100644 value = BasicHTML.createHTMLView(c, text); } if (value != oldValue && oldValue != null) { -@@ -361,13 +362,34 @@ public class BasicHTML { +@@ -359,15 +360,35 @@ public class BasicHTML { + */ + static class BasicHTMLViewFactory extends HTMLEditorKit.HTMLFactory { public View create(Element elem) { - View view = super.create(elem); +- View view = super.create(elem); + View view = null; + try { @@ -54,8 +56,8 @@ index 250c6d4..9a1b1e2 100644 + private static void setAllowHTMLObject() { + if (useOV == null) { + useOV = java.security.AccessController.doPrivileged( -+ new sun.security.action.GetBooleanAction( -+ "swing.html.object")); ++ new sun.security.action.GetBooleanAction( ++ "swing.html.object")); + }; + SwingAccessor.setAllowHTMLObject(useOV); + } @@ -68,7 +70,7 @@ index 250c6d4..9a1b1e2 100644 /** * The subclass of HTMLDocument that is used as the model. getForeground diff --git a/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java b/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java -index 425ba5f..3c2da35 100644 +index 425ba5f..c49a1ed 100644 --- a/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java +++ b/openjdk/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java @@ -40,6 +40,7 @@ import javax.accessibility.*; 
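Review bot: PATCH 1/2 is not buildable on its own: its copy of fix-CVE-2023-21939.patch keeps `View view = super.create(elem);` as context in `BasicHTMLViewFactory.create()` and adds `View view = null;` below it, so javac would reject the duplicate local, and only the `@@ -31,9 +31,11 @@` hunk here (turning that line into a removal) repairs it. I would squash the two commits so that every revision carrying the `Release: 3` changelog entry contains a fix that compiles, and nobody who cherry-picks 1/2 by its title ends up with a failing build. The other hunks of 2/2 only touch the embedded mail header, the `index` lines and whitespace.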
@@ -84,7 +86,7 @@ index 425ba5f..3c2da35 100644 return new FormView(elem); } else if (kind == HTML.Tag.OBJECT) { - return new ObjectView(elem); -+ if (SwingAccessor.getAllowHTMLObject()) { ++ if (SwingAccessor.getAllowHTMLObject()) { + return new ObjectView(elem); + } else { + return new ObjectView(elem, false); -- Gitee