diff --git a/fix-CVE-2023-21930.patch b/fix-CVE-2023-21930.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e8005107f0588cfb2df95aa831735d982e48ff18
--- /dev/null
+++ b/fix-CVE-2023-21930.patch
@@ -0,0 +1,125 @@
+From 8dcd5924d2d1f2a5e7a11f77988a0704c3d1481f Mon Sep 17 00:00:00 2001
+From: zhangyuting
+Date: Thu, 27 Apr 2023 16:18:53 +0800
+Subject: [PATCH] fix CVE-2023-21930
+
+---
+ .../share/classes/sun/security/ssl/KeyUpdate.java | 6 ++++--
+ .../classes/sun/security/ssl/SSLEngineImpl.java | 8 ++++----
+ .../classes/sun/security/ssl/SSLSocketImpl.java | 8 ++++----
+ .../classes/sun/security/ssl/TransportContext.java | 13 ++++++++++---
+ 4 files changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java b/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
+index 1306344..9e921e6 100644
+--- a/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
++++ b/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -169,7 +169,9 @@ final class KeyUpdate {
+ public byte[] produce(ConnectionContext context) throws IOException {
+ PostHandshakeContext hc = (PostHandshakeContext)context;
+ return handshakeProducer.produce(context,
+- new KeyUpdateMessage(hc, KeyUpdateRequest.REQUESTED));
++ new KeyUpdateMessage(hc, hc.conContext.isInboundClosed() ?
++ KeyUpdateRequest.NOTREQUESTED :
++ KeyUpdateRequest.REQUESTED));
+ }
+ }
+
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
+index a3db3ad..42d6e76 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
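Review bot: The new ternary in `produce` in KeyUpdate.java has no comment explaining why a closed inbound side turns the request into `KeyUpdateRequest.NOTREQUESTED`, and the expression alone does not say it. I would add above the `return`: `// Inbound is closed, so a KeyUpdate sent back by the peer could not be read; do not request one.` That rationale is inferred from the companion hunks, which allow a key update on a write-only connection, so confirm it against the upstream change before adding the comment.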
++ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -368,11 +368,11 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
+ */
+ private HandshakeStatus tryKeyUpdate(
+ HandshakeStatus currentHandshakeStatus) throws IOException {
+- // Don't bother to kickstart if handshaking is in progress, or if the
+- // connection is not duplex-open.
++ // Don't bother to kickstart if handshaking is in progress, or if
++ // the write side of the connection is not open. We allow a half-
++ // duplex write-only connection for key updates.
+ if ((conContext.handshakeContext == null) &&
+ !conContext.isOutboundClosed() &&
+- !conContext.isInboundClosed() &&
+ !conContext.isBroken) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+ SSLLogger.finest("trigger key update");
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
+index 1222a4f..d06088d 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -1538,11 +1538,11 @@ public final class SSLSocketImpl
+ * wrapped.
+ */
+ private void tryKeyUpdate() throws IOException {
+- // Don't bother to kickstart if handshaking is in progress, or if the
+- // connection is not duplex-open.
++ // Don't bother to kickstart if handshaking is in progress, or if
++ // the write side of the connection is not open. We allow a half-
++ // duplex write-only connection for key updates.
+ if ((conContext.handshakeContext == null) &&
+ !conContext.isOutboundClosed() &&
+- !conContext.isInboundClosed() &&
+ !conContext.isBroken) {
+ if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+ SSLLogger.finest("trigger key update");
+diff --git a/src/java.base/share/classes/sun/security/ssl/TransportContext.java b/src/java.base/share/classes/sun/security/ssl/TransportContext.java
+index 91266db..6ad87b6 100644
+--- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java
++++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -201,7 +201,14 @@ class TransportContext implements ConnectionContext {
+ throw new IllegalStateException("Client/Server mode not yet set.");
+ }
+
+- if (outputRecord.isClosed() || inputRecord.isClosed() || isBroken) {
++ // The threshold for allowing the method to continue processing
++ // depends on whether we are doing a key update or kickstarting
++ // a handshake. In the former case, we only require the write-side
++ // to be open where a handshake would require a full duplex connection.
++ boolean isNotUsable = outputRecord.writeCipher.atKeyLimit() ?
++ (outputRecord.isClosed() || isBroken) :
++ (outputRecord.isClosed() || inputRecord.isClosed() || isBroken);
++ if (isNotUsable) {
+ if (closeReason != null) {
+ throw new SSLException(
+ "Cannot kickstart, the connection is broken or closed",
+@@ -229,7 +236,7 @@ class TransportContext implements ConnectionContext {
+ //
+ // Need no kickstart message on server side unless the connection
+ // has been established.
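Review bot: In the `@@ -201,7 +201,14 @@` hunk of TransportContext.java, `outputRecord.writeCipher.atKeyLimit()` is the only thing that marks a call as a key update, so any kickstart that arrives while the write cipher is at its limit skips the `inputRecord.isClosed()` check, including one meant to start a full handshake. If callers outside the hunk can reach that case, tie the relaxed branch to an established session as well, for example `boolean keyUpdateOnly = isNegotiated && outputRecord.writeCipher.atKeyLimit();` (the `isNegotiated` field is used a few lines further down in the same class), and choose between the two closed-state checks on that flag. Whether the case is reachable cannot be told from the hunk, because the method starts and ends outside it.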
+- if(isNegotiated || sslConfig.isClientMode) {
++ if (isNegotiated || sslConfig.isClientMode) {
+ handshakeContext.kickstart();
+ }
+ }
+--
+2.33.1.windows.1
+
diff --git a/openjdk-11.spec b/openjdk-11.spec
index 3ef4f1ff910fb44e88dcebb50b775760856aa7d1..555310b5b0e7f1d1ffcee7389d541347d5b1ce62 100644
--- a/openjdk-11.spec
+++ b/openjdk-11.spec
@@ -740,7 +740,7 @@ Provides: java-src%{?1} = %{epoch}:%{version}-%{release} Name: java-%{javaver}-%{origin} Version: %{newjavaver}.%{buildver}
-Release: 2
+Release: 3
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a
@@ -878,6 +878,7 @@ Patch90: fix_Internal_and_external_code_inconsistency.patch # 11.0.18 patch91: 8222289-Overhaul-logic-for-reading-writing-constant-pool-entries.patch
+patch92: fix-CVE-2023-21930.patch
 BuildRequires: elfutils-extra BuildRequires: autoconf
@@ -1170,6 +1171,7 @@ pushd %{top_level_dir_name} %patch89 -p1 %patch90 -p1 %patch91 -p1
+%patch92 -p1
 popd # openjdk # %patch1000
@@ -1679,6 +1681,9 @@ cjc.mainProgram(arg) %changelog
+* Fri Apr 28 2023 zhangyuting - 1:11.0.18.10-3
+- fix CVE-2023-21930.
+
 * Thu Mar 09 2023 herengui - 1:11.0.18.10-2 - fix the issue of %%pretrans reporting error.
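Review bot: The added fix-CVE-2023-21930.patch carries no pointer to the upstream change it backports: its header has only `Subject: [PATCH] fix CVE-2023-21930`, and the spec changelog entry says the same. Add the upstream reference to the patch description, for example `Backport of <upstream bug id / commit>`, so the four source hunks can be compared with the vendor fix when the package is next rebased. The diffstat also lists only the four files under sun/security/ssl, so no regression test for a key update on a half-closed connection ships with the patch; if upstream provides one, carry it along.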