On 03/03/2016 12:49 PM, Markus Koschany wrote:
> On 03.03.2016 at 05:03, tony mancill wrote:
>> Control: -1 tag + confirmed
>> Control: -1 owner tmanc...@debian.org
>>
>> On 02/29/2016 11:05 PM, Chris Lamb wrote:
>>> Source: jedit
>>> Version: 5.3.0+dfsg-1
>>> Severity: serious
>>> Justification: fails to build from source
>>
>>> [javac] /home/lamby/temp/cdt.20160301065925.cu0iTWjXkj/jedit-5.3.0+dfsg/org/gjt/sp/jedit/bsh/XThis.java:128: error: cannot find symbol
>>> [javac] throw new NotSerializableException();
>>
>> Thanks for the bug report. Looks like we have a bit of porting for the
>> latest bsh upload.
>>
>
> Sorry for the inconvenience. If there is more involved than importing
> the missing class, please let me know and I'll try to fix it.
Hi Markus,

No inconvenience at all. The issue seems to be with the upstream patch for
CVE-2016-2510, which drops the java.io.Serializable interface from the
InvocationHandler but then references the ObjectStreamException and
NotSerializableException classes from that package. I was able to get things
working for jedit by applying the following patch (also attached), building a
new bsh-src package locally, and using that for the jedit build.

> diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-02 20:24:07.000000000 -0800
> +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-03 22:10:57.000000000 -0800
> @@ -35,8 +35,8 @@
>  - class Handler implements InvocationHandler, java.io.Serializable
>  + class Handler implements InvocationHandler
>    {
> -+ private Object readResolve() throws ObjectStreamException {
> -+ throw new NotSerializableException();
> ++ private Object readResolve() throws java.io.ObjectStreamException {
> ++ throw new java.io.NotSerializableException();
>  + }
>  +

So, if you're okay with the patch, could you apply it and upload an updated
bsh? Or do you mind if I do?

Cheers,
tony
diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
--- bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-02 20:24:07.000000000 -0800
+++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-03 22:10:57.000000000 -0800
@@ -35,8 +35,8 @@
 - class Handler implements InvocationHandler, java.io.Serializable
 + class Handler implements InvocationHandler
   {
-+ private Object readResolve() throws ObjectStreamException {
-+ throw new NotSerializableException();
++ private Object readResolve() throws java.io.ObjectStreamException {
++ throw new java.io.NotSerializableException();
 + }
 +
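Review bot: with java.io.Serializable dropped from Handler's implements clause in this hunk, the readResolve() it adds is only a secondary guard: ObjectInputStream rejects a non-serializable local class before it ever consults readResolve, so the interface removal is what actually blocks deserialization of the handler; a one-line comment above readResolve saying it is kept as defence in depth would save the next maintainer from wondering whether it is reachable. Fully qualifying java.io.ObjectStreamException and java.io.NotSerializableException is the right minimal change here, since the quilt patch never touches the import block of XThis.java, which is exactly why javac reported "cannot find symbol" on the unqualified NotSerializableException in the original report.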