diff --git a/backport-CVE-2023-22067.patch b/backport-CVE-2023-22067.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d9bdfb45c7da19361778415fbdd002fe65bc25c --- /dev/null +++ b/backport-CVE-2023-22067.patch @@ -0,0 +1,180 @@ +From f0aad701f0bc0d4afedd92a9a6534e5965c8df69 Mon Sep 17 00:00:00 2001 +From: dimitryc authored and gnu-andrew +Date: Wed, 22 Nov 2023 15:57:59 +0800 +Subject: [PATCH] 8303384: Improved communication in CORBA + +--- + .../corba/se/impl/orbutil/IORCheckImpl.java | 109 ++++++++++++++++++ + .../corba/se/impl/orbutil/ORBConstants.java | 6 + + .../corba/se/idl/toJavaPortable/Stub.java | 8 +- + 3 files changed, 118 insertions(+), 5 deletions(-) + create mode 100644 corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java + +diff --git a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java +new file mode 100644 +index 00000000..9f44957e +--- /dev/null ++++ b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java +@@ -0,0 +1,109 @@ ++/* ++ * Copyright (c) 2023, Azul Systems, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++package com.sun.corba.se.impl.orbutil; ++ ++import java.io.InvalidObjectException; ++import java.security.AccessController; ++import java.util.*; ++ ++import sun.security.action.GetPropertyAction; ++ ++public final class IORCheckImpl { ++ ++ private static final Set stubsToCheck; ++ ++ static { ++ boolean checkLocalStubs = ++ !getBooleanProperty(ORBConstants.DISABLE_IOR_CHECK_FOR_LOCAL_STUBS, ++ getBooleanProperty(ORBConstants.ALLOW_DESERIALIZE_OBJECT, false)); ++ ++ boolean checkRemoteStubs = ++ getBooleanProperty(ORBConstants.ENABLE_IOR_CHECK_FOR_REMOTE_STUBS, false); ++ ++ stubsToCheck = getStubsToCheck(checkLocalStubs, checkRemoteStubs); ++ } ++ ++ private static Set getStubsToCheck(boolean checkLocalStubs, boolean checkRemoteStubs) { ++ if (!checkLocalStubs && !checkRemoteStubs) { ++ return Collections.emptySet(); ++ } ++ List stubs = new ArrayList<>(); ++ if (checkLocalStubs) { ++ stubs.addAll(getLocalStubs()); ++ } ++ if (checkRemoteStubs) { ++ stubs.addAll(getRemoteStubs()); ++ } ++ return Collections.unmodifiableSet(new HashSet<>(stubs)); ++ } ++ ++ private static List getLocalStubs() { ++ String[] localStubs = { ++ "org.omg.DynamicAny._DynAnyFactoryStub", ++ "org.omg.DynamicAny._DynAnyStub", ++ "org.omg.DynamicAny._DynArrayStub", ++ "org.omg.DynamicAny._DynEnumStub", ++ "org.omg.DynamicAny._DynFixedStub", ++ "org.omg.DynamicAny._DynSequenceStub", ++ "org.omg.DynamicAny._DynStructStub", ++ "org.omg.DynamicAny._DynUnionStub", ++ "org.omg.DynamicAny._DynValueStub" ++ }; ++ return Arrays.asList(localStubs); ++ } ++ ++ private static List getRemoteStubs() { ++ String[] remoteStubs = { ++ "com.sun.corba.se.spi.activation._ActivatorStub", ++ "com.sun.corba.se.spi.activation._InitialNameServiceStub", ++ "com.sun.corba.se.spi.activation._LocatorStub", ++ "com.sun.corba.se.spi.activation._RepositoryStub", ++ "com.sun.corba.se.spi.activation._ServerManagerStub", ++ "com.sun.corba.se.spi.activation._ServerStub", ++ "org.omg.CosNaming._BindingIteratorStub", ++ "org.omg.CosNaming._NamingContextExtStub", ++ "org.omg.CosNaming._NamingContextStub", ++ "org.omg.PortableServer._ServantActivatorStub", ++ "org.omg.PortableServer._ServantLocatorStub" ++ }; ++ return Arrays.asList(remoteStubs); ++ } ++ ++ /* ++ * The str parameter is expected to start with "IOR:". ++ * Otherwise, the method throws the InvalidObjectException exception. ++ */ ++ public static void check(String str, String stubClassName) throws InvalidObjectException { ++ if (stubsToCheck.contains(stubClassName) && !str.startsWith(ORBConstants.STRINGIFY_PREFIX)) { ++ throw new InvalidObjectException("IOR: expected"); ++ } ++ } ++ ++ private static boolean getBooleanProperty(String property, boolean defaultValue) { ++ String value = AccessController.doPrivileged( ++ new GetPropertyAction(property, String.valueOf(defaultValue))); ++ return "true".equalsIgnoreCase(value); ++ } ++} +diff --git a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java +index a621d88a..9779e5c9 100644 +--- a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java ++++ b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java +@@ -317,8 +317,14 @@ public class ORBConstants { + public static final String DYNAMIC_STUB_FACTORY_FACTORY_CLASS = + SUN_PREFIX + "ORBDynamicStubFactoryFactoryClass" ; + ++ // This property is provided for backward compatibility reasons + public static final String ALLOW_DESERIALIZE_OBJECT = SUN_PREFIX + "ORBAllowDeserializeObject" ; + ++ // Disables the IOR check for the ORB constrained stubs ++ public static final String DISABLE_IOR_CHECK_FOR_LOCAL_STUBS = ORG_OMG_PREFIX + "DynamicAny.disableIORCheck" ; ++ // Enables the IOR check for the Remote CORBA services stubs ++ public static final String ENABLE_IOR_CHECK_FOR_REMOTE_STUBS = ORG_OMG_CORBA_PREFIX + "IDL.Stubs.enableIORCheck"; ++ + // Constants for NameService properties ************************************ + + public static final int DEFAULT_INITIAL_PORT = 900; +diff --git a/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java b/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java +index 89c80967..62d42619 100644 +--- a/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java ++++ b/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java +@@ -101,6 +101,7 @@ public class Stub implements AuxGen + Util.mkdir (pkg); + name = pkg + '/' + name; + } ++ stubClassName = name.replace('/', '.'); + stream = Util.getStream (name.replace ('/', File.separatorChar) + ".java", i); + } // openStream + +@@ -342,11 +343,7 @@ public class Stub implements AuxGen + stream.println (" private void readObject (java.io.ObjectInputStream s) throws java.io.IOException"); + stream.println (" {"); + stream.println (" String str = s.readUTF ();"); +- if ("DynAnyFactory".equals (i.name ())) { +- stream.println (" if (!str.startsWith(com.sun.corba.se.impl.orbutil.ORBConstants.STRINGIFY_PREFIX) &&"); +- stream.println (" !Boolean.getBoolean(com.sun.corba.se.impl.orbutil.ORBConstants.ALLOW_DESERIALIZE_OBJECT))"); +- stream.println (" throw new java.io.InvalidObjectException(\"IOR: expected\");"); +- } ++ stream.println (" com.sun.corba.se.impl.orbutil.IORCheckImpl.check(str, \"" + stubClassName + "\");"); + stream.println (" String[] args = null;"); + stream.println (" java.util.Properties props = null;"); + stream.println (" org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init (args, props);"); +@@ -382,4 +379,5 @@ public class Stub implements AuxGen + protected String classSuffix = ""; + protected boolean localStub = false; + private boolean isAbstract = false; ++ private String stubClassName = null; + } // class Stub +-- +2.27.0 + \ No newline at end of file diff --git a/backport-CVE-2023-22081.patch b/backport-CVE-2023-22081.patch new file mode 100644 index 0000000000000000000000000000000000000000..4008010f3d5057f80c56c303b0d8a6398d710958 --- /dev/null +++ b/backport-CVE-2023-22081.patch @@ -0,0 +1,527 @@ +From 9d99937d835aa328b8578f18fc5ffbe108a9d866 Mon Sep 17 00:00:00 2001 +From: Yuri Nesterenko +Date: Wed, 22 Nov 2023 16:18:37 +0800 +Subject: [PATCH] 8309966: Enhanced TLS connections + +--- + .../security/cert/CertPathHelperImpl.java | 11 +- + .../java/security/cert/X509CertSelector.java | 14 +-- + .../provider/certpath/CertPathHelper.java | 14 +-- + .../provider/certpath/ForwardBuilder.java | 65 ----------- + .../provider/certpath/ForwardState.java | 51 -------- + .../provider/certpath/SunCertPathBuilder.java | 110 ++++++++++++++---- + 6 files changed, 90 insertions(+), 175 deletions(-) + +diff --git a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java +index c56a5f14..54cc8af3 100644 +--- a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java ++++ b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -25,12 +25,10 @@ + + package java.security.cert; + +-import java.util.*; ++import java.util.Date; + + import sun.security.provider.certpath.CertPathHelper; + +-import sun.security.x509.GeneralNameInterface; +- + /** + * Helper class that allows the Sun CertPath provider to access + * implementation dependent APIs in CertPath framework. +@@ -55,11 +53,6 @@ class CertPathHelperImpl extends CertPathHelper { + } + } + +- protected void implSetPathToNames(X509CertSelector sel, +- Set names) { +- sel.setPathToNamesInternal(names); +- } +- + protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) { + sel.setDateAndTime(date, skew); + } +diff --git a/jdk/src/share/classes/java/security/cert/X509CertSelector.java b/jdk/src/share/classes/java/security/cert/X509CertSelector.java +index 905e4540..74e4c5c2 100644 +--- a/jdk/src/share/classes/java/security/cert/X509CertSelector.java ++++ b/jdk/src/share/classes/java/security/cert/X509CertSelector.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -90,10 +90,6 @@ public class X509CertSelector implements CertSelector { + private final static ObjectIdentifier ANY_EXTENDED_KEY_USAGE = + ObjectIdentifier.newInternal(new int[] {2, 5, 29, 37, 0}); + +- static { +- CertPathHelperImpl.initialize(); +- } +- + private BigInteger serialNumber; + private X500Principal issuer; + private X500Principal subject; +@@ -1177,14 +1173,6 @@ public class X509CertSelector implements CertSelector { + } + } + +- // called from CertPathHelper +- void setPathToNamesInternal(Set names) { +- // set names to non-null dummy value +- // this breaks getPathToNames() +- pathToNames = Collections.>emptySet(); +- pathToGeneralNames = names; +- } +- + /** + * Adds a name to the pathToNames criterion. The {@code X509Certificate} + * must not include name constraints that would prohibit building a +diff --git a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java +index 7c020074..ebc2200f 100644 +--- a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java ++++ b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -26,14 +26,10 @@ + package sun.security.provider.certpath; + + import java.util.Date; +-import java.util.Set; + + import java.security.cert.TrustAnchor; +-import java.security.cert.X509CertSelector; + import java.security.cert.X509CRLSelector; + +-import sun.security.x509.GeneralNameInterface; +- + /** + * Helper class that allows access to JDK specific known-public methods in the + * java.security.cert package. It relies on a subclass in the +@@ -55,18 +51,10 @@ public abstract class CertPathHelper { + // empty + } + +- protected abstract void implSetPathToNames(X509CertSelector sel, +- Set names); +- + protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew); + + protected abstract boolean implIsJdkCA(TrustAnchor anchor); + +- static void setPathToNames(X509CertSelector sel, +- Set names) { +- instance.implSetPathToNames(sel, names); +- } +- + public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { + instance.implSetDateAndTime(sel, date, skew); + } +diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java +index 971f2165..00351647 100644 +--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java ++++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java +@@ -49,7 +49,6 @@ import sun.security.x509.AuthorityInfoAccessExtension; + import sun.security.x509.AuthorityKeyIdentifierExtension; + import static sun.security.x509.PKIXExtensions.*; + import sun.security.x509.X500Name; +-import sun.security.x509.SubjectAlternativeNameExtension; + import sun.security.x509.X509CertImpl; + + /** +@@ -258,14 +257,6 @@ class ForwardBuilder extends Builder { + */ + caSelector.setSubject(currentState.issuerDN); + +- /* +- * Match on subjectNamesTraversed (both DNs and AltNames) +- * (checks that current cert's name constraints permit it +- * to certify all the DNs and AltNames that have been traversed) +- */ +- CertPathHelper.setPathToNames +- (caSelector, currentState.subjectNamesTraversed); +- + /* + * check the validity period + */ +@@ -704,19 +695,6 @@ class ForwardBuilder extends Builder { + // Don't bother to verify untrusted certificate more. + currState.untrustedChecker.check(cert, Collections.emptySet()); + +- /* +- * Abort if we encounter the same certificate or a certificate with +- * the same public key, subject DN, and subjectAltNames as a cert +- * that is already in path. +- */ +- for (X509Certificate cpListCert : certPathList) { +- if (repeated(cpListCert, cert)) { +- throw new CertPathValidatorException( +- "cert with repeated subject, public key, and " + +- "subjectAltNames detected"); +- } +- } +- + /* check if trusted cert */ + boolean isTrustedCert = trustedCerts.contains(cert); + +@@ -794,49 +772,6 @@ class ForwardBuilder extends Builder { + } + } + +- /** +- * Return true if two certificates are equal or have the same subject, +- * public key, and subject alternative names. +- */ +- private static boolean repeated( +- X509Certificate currCert, X509Certificate nextCert) { +- if (currCert.equals(nextCert)) { +- return true; +- } +- return (currCert.getSubjectX500Principal().equals( +- nextCert.getSubjectX500Principal()) && +- currCert.getPublicKey().equals(nextCert.getPublicKey()) && +- altNamesEqual(currCert, nextCert)); +- } +- +- /** +- * Return true if two certificates have the same subject alternative names. +- */ +- private static boolean altNamesEqual( +- X509Certificate currCert, X509Certificate nextCert) { +- X509CertImpl curr, next; +- try { +- curr = X509CertImpl.toImpl(currCert); +- next = X509CertImpl.toImpl(nextCert); +- } catch (CertificateException ce) { +- return false; +- } +- +- SubjectAlternativeNameExtension currAltNameExt = +- curr.getSubjectAlternativeNameExtension(); +- SubjectAlternativeNameExtension nextAltNameExt = +- next.getSubjectAlternativeNameExtension(); +- if (currAltNameExt != null) { +- if (nextAltNameExt == null) { +- return false; +- } +- return Arrays.equals(currAltNameExt.getExtensionValue(), +- nextAltNameExt.getExtensionValue()); +- } else { +- return (nextAltNameExt == null); +- } +- } +- + /** + * Verifies whether the input certificate completes the path. + * First checks the cert against each trust anchor that was specified, +diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java +index 9d7af9b1..9ce1106e 100644 +--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java ++++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java +@@ -31,17 +31,11 @@ import java.security.cert.CertPathValidatorException; + import java.security.cert.PKIXCertPathChecker; + import java.security.cert.X509Certificate; + import java.util.ArrayList; +-import java.util.HashSet; + import java.util.List; + import java.util.ListIterator; + import javax.security.auth.x500.X500Principal; + + import sun.security.util.Debug; +-import sun.security.x509.SubjectAlternativeNameExtension; +-import sun.security.x509.GeneralNames; +-import sun.security.x509.GeneralName; +-import sun.security.x509.GeneralNameInterface; +-import sun.security.x509.X500Name; + import sun.security.x509.X509CertImpl; + + /** +@@ -61,9 +55,6 @@ class ForwardState implements State { + /* The last cert in the path */ + X509CertImpl cert; + +- /* The set of subjectDNs and subjectAltNames of all certs in the path */ +- HashSet subjectNamesTraversed; +- + /* + * The number of intermediate CA certs which have been traversed so + * far in the path +@@ -73,7 +64,6 @@ class ForwardState implements State { + /* Flag indicating if state is initial (path is just starting) */ + private boolean init = true; + +- + /* the untrusted certificates checker */ + UntrustedChecker untrustedChecker; + +@@ -104,8 +94,6 @@ class ForwardState implements State { + sb.append("\n issuerDN of last cert: ").append(issuerDN); + sb.append("\n traversedCACerts: ").append(traversedCACerts); + sb.append("\n init: ").append(String.valueOf(init)); +- sb.append("\n subjectNamesTraversed: \n").append +- (subjectNamesTraversed); + sb.append("\n selfIssued: ").append + (String.valueOf(selfIssued)); + sb.append("]\n"); +@@ -120,7 +108,6 @@ class ForwardState implements State { + public void initState(List certPathCheckers) + throws CertPathValidatorException + { +- subjectNamesTraversed = new HashSet(); + traversedCACerts = 0; + + /* +@@ -169,33 +156,6 @@ class ForwardState implements State { + traversedCACerts++; + } + } +- +- /* update subjectNamesTraversed only if this is the EE cert or if +- this cert is not self-issued */ +- if (init || !selfIssued) { +- X500Principal subjName = cert.getSubjectX500Principal(); +- subjectNamesTraversed.add(X500Name.asX500Name(subjName)); +- +- try { +- SubjectAlternativeNameExtension subjAltNameExt +- = icert.getSubjectAlternativeNameExtension(); +- if (subjAltNameExt != null) { +- GeneralNames gNames = subjAltNameExt.get( +- SubjectAlternativeNameExtension.SUBJECT_NAME); +- for (GeneralName gName : gNames.names()) { +- subjectNamesTraversed.add(gName.getName()); +- } +- } +- } catch (IOException e) { +- if (debug != null) { +- debug.println("ForwardState.updateState() unexpected " +- + "exception"); +- e.printStackTrace(); +- } +- throw new CertPathValidatorException(e); +- } +- } +- + init = false; + } + +@@ -203,10 +163,6 @@ class ForwardState implements State { + * Clone current state. The state is cloned as each cert is + * added to the path. This is necessary if backtracking occurs, + * and a prior state needs to be restored. +- * +- * Note that this is a SMART clone. Not all fields are fully copied, +- * because some of them will +- * not have their contents modified by subsequent calls to updateState. + */ + @Override + @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly +@@ -226,13 +182,6 @@ class ForwardState implements State { + } + } + +- /* +- * Shallow copy traversed names. There is no need to +- * deep copy contents, since the elements of the Set +- * are never modified by subsequent calls to updateState(). +- */ +- clonedState.subjectNamesTraversed +- = (HashSet)subjectNamesTraversed.clone(); + return clonedState; + } catch (CloneNotSupportedException e) { + throw new InternalError(e.toString(), e); +diff --git a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java +index bd21e051..b417e932 100644 +--- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java ++++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java +@@ -32,6 +32,7 @@ import java.security.PublicKey; + import java.security.cert.*; + import java.security.cert.CertPathValidatorException.BasicReason; + import java.util.ArrayList; ++import java.util.Arrays; + import java.util.Collection; + import java.util.Collections; + import java.util.List; +@@ -41,6 +42,7 @@ import javax.security.auth.x500.X500Principal; + + import sun.security.provider.certpath.PKIX.BuilderParams; + import static sun.security.x509.PKIXExtensions.*; ++import sun.security.x509.SubjectAlternativeNameExtension; + import sun.security.x509.X509CertImpl; + import sun.security.util.Debug; + +@@ -264,7 +266,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { + */ + Collection certs = + builder.getMatchingCerts(currentState, buildParams.certStores()); +- List vertices = addVertices(certs, adjList); ++ List vertices = addVertices(certs, adjList, cpList); + if (debug != null) { + debug.println("SunCertPathBuilder.depthFirstSearchForward(): " + + "certs.size=" + vertices.size()); +@@ -324,17 +326,32 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { + * cert (which is signed by the trusted public key), but + * don't add it yet to the cpList + */ ++ PublicKey rootKey = cert.getPublicKey(); + if (builder.trustAnchor.getTrustedCert() == null) { + appendedCerts.add(0, cert); ++ rootKey = builder.trustAnchor.getCAPublicKey(); ++ if (debug != null) ++ debug.println( ++ "SunCertPathBuilder.depthFirstSearchForward " + ++ "using buildParams public key: " + ++ rootKey.toString()); + } ++ TrustAnchor anchor = new TrustAnchor ++ (cert.getSubjectX500Principal(), rootKey, null); + ++ // add the basic checker ++ List checkers = new ArrayList<>(); ++ BasicChecker basicChecker = new BasicChecker(anchor, ++ buildParams.date(), ++ buildParams.sigProvider(), ++ true); ++ checkers.add(basicChecker); + Set initExpPolSet = + Collections.singleton(PolicyChecker.ANY_POLICY); + + PolicyNodeImpl rootNode = new PolicyNodeImpl(null, + PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); + +- List checkers = new ArrayList<>(); + PolicyChecker policyChecker + = new PolicyChecker(buildParams.initialPolicies(), + appendedCerts.size(), +@@ -345,29 +362,13 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { + rootNode); + checkers.add(policyChecker); + ++ // add the constraints checker ++ checkers.add(new ConstraintsChecker(appendedCerts.size())); ++ + // add the algorithm checker + checkers.add(new AlgorithmChecker(builder.trustAnchor, + buildParams.date(), buildParams.variant())); + +- PublicKey rootKey = cert.getPublicKey(); +- if (builder.trustAnchor.getTrustedCert() == null) { +- rootKey = builder.trustAnchor.getCAPublicKey(); +- if (debug != null) +- debug.println( +- "SunCertPathBuilder.depthFirstSearchForward " + +- "using buildParams public key: " + +- rootKey.toString()); +- } +- TrustAnchor anchor = new TrustAnchor +- (cert.getSubjectX500Principal(), rootKey, null); +- +- // add the basic checker +- BasicChecker basicChecker = new BasicChecker(anchor, +- buildParams.date(), +- buildParams.sigProvider(), +- true); +- checkers.add(basicChecker); +- + buildParams.setCertPath(cf.generateCertPath(appendedCerts)); + + boolean revCheckerAdded = false; +@@ -562,18 +563,79 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { + * adjacency list. + */ + private static List addVertices(Collection certs, +- List> adjList) ++ List> adjList, ++ List cpList) + { + List l = adjList.get(adjList.size() - 1); + + for (X509Certificate cert : certs) { +- Vertex v = new Vertex(cert); +- l.add(v); ++ boolean repeated = false; ++ for (X509Certificate cpListCert : cpList) { ++ /* ++ * Ignore if we encounter the same certificate or a ++ * certificate with the same public key, subject DN, and ++ * subjectAltNames as a cert that is already in path. ++ */ ++ if (repeated(cpListCert, cert)) { ++ if (debug != null) { ++ debug.println("cert with repeated subject, " + ++ "public key, and subjectAltNames detected"); ++ } ++ repeated = true; ++ break; ++ } ++ } ++ if (!repeated) { ++ l.add(new Vertex(cert)); ++ } + } + + return l; + } + ++ /** ++ * Return true if two certificates are equal or have the same subject, ++ * public key, and subject alternative names. ++ */ ++ private static boolean repeated( ++ X509Certificate currCert, X509Certificate nextCert) { ++ if (currCert.equals(nextCert)) { ++ return true; ++ } ++ return (currCert.getSubjectX500Principal().equals( ++ nextCert.getSubjectX500Principal()) && ++ currCert.getPublicKey().equals(nextCert.getPublicKey()) && ++ altNamesEqual(currCert, nextCert)); ++ } ++ ++ /** ++ * Return true if two certificates have the same subject alternative names. ++ */ ++ private static boolean altNamesEqual( ++ X509Certificate currCert, X509Certificate nextCert) { ++ X509CertImpl curr, next; ++ try { ++ curr = X509CertImpl.toImpl(currCert); ++ next = X509CertImpl.toImpl(nextCert); ++ } catch (CertificateException ce) { ++ return false; ++ } ++ ++ SubjectAlternativeNameExtension currAltNameExt = ++ curr.getSubjectAlternativeNameExtension(); ++ SubjectAlternativeNameExtension nextAltNameExt = ++ next.getSubjectAlternativeNameExtension(); ++ if (currAltNameExt != null) { ++ if (nextAltNameExt == null) { ++ return false; ++ } ++ return Arrays.equals(currAltNameExt.getExtensionValue(), ++ nextAltNameExt.getExtensionValue()); ++ } else { ++ return (nextAltNameExt == null); ++ } ++ } ++ + /** + * Returns true if trust anchor certificate matches specified + * certificate constraints. +-- +2.27.0 \ No newline at end of file diff --git a/openjdk-1.8.0.spec b/openjdk-1.8.0.spec index af31cc8841c5cb2b4db4d0ad9f1c164ad6a06539..f24ac7e1b98d8a101bdf9413451d32a660980e9a 100644 --- a/openjdk-1.8.0.spec +++ b/openjdk-1.8.0.spec @@ -925,7 +925,7 @@ Provides: java-%{javaver}-%{origin}-accessibility%{?1} = %{epoch}:%{version}-%{r Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever}.%{buildver} -Release: 2 +Release: 3 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1287,6 +1287,8 @@ Patch405: 8148470-Metadata-print-routines-should-not-print-to-.patch Patch406: 8293344-JDK-8242181-broke-stack-printing-for-non-att.patch Patch407: 8278794-Infinite-loop-in-DeflaterOutputStream.finish.patch Patch408: 8312065-Socket.connect-does-not-timeout-when-profili.patch +Patch409: backport-CVE-2023-22067.patch +Patch410: backport-CVE-2023-22081.patch ############################################# # @@ -1900,6 +1902,8 @@ pushd %{top_level_dir_name} %patch406 -p1 %patch407 -p1 %patch408 -p1 +%patch409 -p1 +%patch410 -p1 %ifarch riscv64 %patch2000 -p1 @@ -2405,7 +2409,6 @@ else return end end - arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} require "copy_jdk_configs.lua" @@ -2544,6 +2547,11 @@ require "copy_jdk_configs.lua" %endif %changelog +* Fri Dec 22 2023 xuyuchao - 1:1.8.0.392.b08.3 +- Type:CVE +- CVE:CVE-2023-22067,CVE-2023-22081 +- DESC:fix CVE-2023-22067,CVE-2023-22081 + * Mon Oct 30 2023 kuenking111 - 1:1.8.0.392-b08.2 - remove add-8142508-To-bring-j.u.z.ZipFile-s-native-implemen.patch - remove add-8226530-ZipFile-reads-wrong-entry-size-from-ZIP6.patch