Mark-of-the-Beast security bug --- community collaboration?

Mark Wielaard mark at klomp.org
Tue Feb 8 03:01:24 PST 2011


On Tue, 2011-02-08 at 10:59 +0100, Mark Wielaard wrote:
> > It would be great if we could find this and patch
> > OpenJDK 6 deployments ASAP.
>
> There has been extensive discussion on the core-libs mailinglist, with a
> patch and some historic digging to find where the issue came from.
> 
> Short story, it was already found through the Free Software Jacks
> testsuite in 2001 (!). http://sourceware.org/mauve/jacks.html
> http://sourceware.org/cgi-bin/cvsweb.cgi/~checkout~/jacks/docs/tests.html?cvsroot=mauve#3.10.2-runtime 
> reported by the Jikes compiler hacker Eric Blake.
> http://bugs.sun.com/view_bug.do?bug_id=4421494 The bug report even has a
> suggested fix. Dmitry Nadezhin posted a patch in 2009, but unfortunately
> that didn't make it in.
> http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-November/003153.html
> https://bugs.openjdk.java.net/show_bug.cgi?id=100119
> It was rediscovered through the php issue a week ago.
> http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
> Andrew Haley almost immediate posted a new patch for it last week.
> http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html
> Hopefully it will go into IcedTea6 ASAP according to Andrew Hughes.
> http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005836.html
> With possibly more security fixes following next week.
> http://www.oracle.com/technetwork/topics/security/alerts-086861.html

For those that cannot wait and need a fix right now Marc Schoenefeld of
the Red Hat Security Response Team created a script that will create a
jar that you can use with -Xbootclasspath/p:prevent_double_dos.jar to
mitigate the DoS bug till there are full new security releases:
https://code.google.com/p/javapharmacy/source/browse/trunk/scripts/harden_against_jre_dos.sh

Cheers,

Mark




More information about the discuss mailing list