[oe][meta-java][dunfell][PATCH] openjdk: Fix CVE-2022-34169 for openjdk

[oe][meta-java][dunfell][PATCH] openjdk: Fix CVE-2022-34169 for openjdk

[Virendra Thakur]

From: Virendra Thakur <virendrak@kpit.com>

Add patch to fix CVE-2022-34169

Reference:
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297

https://launchpadlibrarian.net/614309983/openjdk-8_8u342~b06-1_8u342-b07-1.diff.gz

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 .../openjdk/openjdk-8-release-common.inc      |   1 +
 .../patches-openjdk-8/CVE-2022-34169.patch    | 111 ++++++++++++++++++
 2 files changed, 112 insertions(+)
 create mode 100644 recipes-core/openjdk/patches-openjdk-8/CVE-2022-34169.patch

diff --git a/recipes-core/openjdk/openjdk-8-release-common.inc b/recipes-core/openjdk/openjdk-8-release-common.inc
index ff8d96e..cebbc0b 100644
--- a/recipes-core/openjdk/openjdk-8-release-common.inc
+++ b/recipes-core/openjdk/openjdk-8-release-common.inc
@@ -21,6 +21,7 @@ PATCHES_URI = "\
     file://2007-jdk-no-genx11-in-headless.patch \
     file://2008-jdk-no-unused-deps.patch \
     file://2009-jdk-make-use-gcc-instead-of-ld-for-genSocketOptionRe.patch \
+    file://CVE-2022-34169.patch \
 "
 HOTSPOT_UB_PATCH = "\
     file://1001-hotspot-fix-crash-on-JNI_CreateJavaVM.patch \
diff --git a/recipes-core/openjdk/patches-openjdk-8/CVE-2022-34169.patch b/recipes-core/openjdk/patches-openjdk-8/CVE-2022-34169.patch
new file mode 100644
index 0000000..db5acba
--- /dev/null
+++ b/recipes-core/openjdk/patches-openjdk-8/CVE-2022-34169.patch
@@ -0,0 +1,111 @@
+From 41ef2b249073450172e11163a4d05762364b1297 Mon Sep 17 00:00:00 2001
+From: Joe Wang <joehw@openjdk.org>
+Date: Fri, 13 May 2022 02:02:26 +0000
+Subject: [PATCH] 8285407: Improve Xalan supports
+
+Reviewed-by: naoto, lancea, ahgross, rhalade
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+CVE: CVE-2022-34169
+
+Upstream-Status: Backport [https://launchpadlibrarian.net/614309983/openjdk-8_8u342~b06-1_8u342-b07-1.diff.gz]
+---
+Index: openjdk/jaxp/src/com/sun/org/apache/bcel/internal/classfile/ConstantPool.java
+===================================================================
+--- a/jaxp/src/com/sun/org/apache/bcel/internal/classfile/ConstantPool.java
++++ b/jaxp/src/com/sun/org/apache/bcel/internal/classfile/ConstantPool.java
+@@ -1,6 +1,5 @@
+ /*
+- * reserved comment block
+- * DO NOT REMOVE OR ALTER!
++ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+  */
+ package com.sun.org.apache.bcel.internal.classfile;
+
+@@ -59,6 +58,7 @@ package com.sun.org.apache.bcel.internal
+  */
+
+ import  com.sun.org.apache.bcel.internal.Constants;
++import  com.sun.org.apache.bcel.internal.generic.ConstantPoolGen;
+ import  java.io.*;
+
+ /**
+@@ -72,6 +72,7 @@ import  java.io.*;
+  * @see     Constant
+  * @see     com.sun.org.apache.bcel.internal.generic.ConstantPoolGen
+  * @author <A HREF="mailto:markus.dahm@berlin.de">M. Dahm</A>
++ * @LastModified: May 2022
+  */
+ public class ConstantPool implements Cloneable, Node, Serializable {
+   private int        constant_pool_count;
+@@ -226,9 +227,16 @@ public class ConstantPool implements Clo
+    */
+   public void dump(DataOutputStream file) throws IOException
+   {
+-    file.writeShort(constant_pool_count);
++    /*
++     * Constants over the size of the constant pool shall not be written out.
++     * This is a redundant measure as the ConstantPoolGen should have already
++     * reported an error back in the situation.
++     */
++    int size = constant_pool_count < ConstantPoolGen.CONSTANT_POOL_SIZE - 1 ?
++               constant_pool_count : ConstantPoolGen.CONSTANT_POOL_SIZE - 1;
+
+-    for(int i=1; i < constant_pool_count; i++)
++    file.writeShort(size);
++    for(int i=1; i < size; i++)
+       if(constant_pool[i] != null)
+         constant_pool[i].dump(file);
+   }
+Index: openjdk/jaxp/src/com/sun/org/apache/bcel/internal/generic/ConstantPoolGen.java
+===================================================================
+--- a/jaxp/src/com/sun/org/apache/bcel/internal/generic/ConstantPoolGen.java
++++ b/jaxp/src/com/sun/org/apache/bcel/internal/generic/ConstantPoolGen.java
+@@ -1,6 +1,5 @@
+ /*
+- * reserved comment block
+- * DO NOT REMOVE OR ALTER!
++ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+  */
+ package com.sun.org.apache.bcel.internal.generic;
+
+@@ -74,8 +73,10 @@ import java.util.HashMap;
+  *
+  * @author  <A HREF="mailto:markus.dahm@berlin.de">M. Dahm</A>
+  * @see Constant
++ * @LastModified: May 2022
+  */
+ public class ConstantPoolGen implements java.io.Serializable {
++  public static final int CONSTANT_POOL_SIZE = 65536;
+   protected int        size      = 1024; // Inital size, sufficient in most cases
+   protected Constant[] constants = new Constant[size];
+   protected int        index     = 1; // First entry (0) used by JVM
+@@ -97,7 +98,7 @@ public class ConstantPoolGen implements
+    */
+   public ConstantPoolGen(Constant[] cs) {
+     if(cs.length > size) {
+-      size      = cs.length;
++      size      = Math.min(cs.length, CONSTANT_POOL_SIZE);
+       constants = new Constant[size];
+     }
+
+@@ -170,10 +171,19 @@ public class ConstantPoolGen implements
+   /** Resize internal array of constants.
+    */
+   protected void adjustSize() {
++    // 3 extra spaces are needed as some entries may take 3 slots
++    if (index + 3 >= CONSTANT_POOL_SIZE) {
++      throw new RuntimeException("The number of constants " + (index + 3) +
++                                 " is over the size of the constant pool: " +
++                                 (CONSTANT_POOL_SIZE - 1));
++    }
++
+     if(index + 3 >= size) {
+       Constant[] cs = constants;
+
+       size      *= 2;
++      // the constant array shall not exceed the size of the constant pool
++      size       = Math.min(size, CONSTANT_POOL_SIZE);
+       constants  = new Constant[size];
+       System.arraycopy(cs, 0, constants, 0, index);
+     }
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Re: [meta-java][dunfell][PATCH] openjdk: Fix CVE-2022-34169 for openjdk

[akash hadke]

[-- Attachment #1: Type: text/plain, Size: 97 bytes --]

Hello Team,

Is there any update on this fix are we going you going to consider this CVE fix?

[-- Attachment #2: Type: text/html, Size: 105 bytes --]

Re: [oe] [meta-java][dunfell][PATCH] openjdk: Fix CVE-2022-34169 for openjdk

[Richard Leitner]

Hi,
thanks for the reminder!

On Thu, Dec 22, 2022 at 02:07:53AM -0800, akash hadke via lists.openembedded.org wrote:
> 
> Hello Team,
> 
> Is there any update on this fix are we going you going to consider this CVE fix?

Tbh, I wanted to update openjdk so backporting this patch is not necessary.
Unfortunately I didn't have time for it. Are you interested to update
the openjdk/jre version according to docs/UPDATING.md?

regards;rl