Hello,
This email is related to http://security-tracker.debian.org/tracker/CVE-2011-3556



Basically, one of our RMI applications is failing to start after the security update to java 6b18-1.8.10-0~lenny1.

I have tried to run the test case specified as part of

http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470
http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/d27f0b2f1476

and it fails with an exception trace similar to:

Exceptions

2011-12-13 17:28:18,346 [main] ERROR com.gleim.gacs.Gacs -
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
   java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
   java.lang.ClassNotFoundException: access to class loader denied
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
   java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
   java.lang.ClassNotFoundException: access to class loader denied
   at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:419)
   at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267)
   at sun.rmi.transport.Transport$1.run(Transport.java:177)
   at java.security.AccessController.doPrivileged(Native Method)
   at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
   at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:553)
   at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:808)
   at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:667)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
   at java.lang.Thread.run(Thread.java:636)
   at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:273)
   at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:251)
   at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:377)
   at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
   at java.rmi.Naming.rebind(Naming.java:177)
   at com.gleim.gacs.Gacs.startup(Gacs.java:49)
   at com.gleim.gacs.Gacs.main(Gacs.java:103)
Caused by: java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
   java.lang.ClassNotFoundException: access to class loader denied
   at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
   at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409)

Caused by: java.lang.ClassNotFoundException: access to class loader denied
   at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:445)
   at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:182)
   at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637)
   at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264)
   at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214)
   at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1592)
   at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1513)
   at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1749)
   at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1346)
   at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368)
   ... 12 more
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission ////usr/local/gcss2/gacs/- read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
   at java.security.AccessController.checkPermission(AccessController.java:553)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
   at sun.rmi.server.LoaderHandler$Loader.checkPermissions(LoaderHandler.java:1173)
   at sun.rmi.server.LoaderHandler$Loader.access$000(LoaderHandler.java:1127)
   at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:409)



The code and the test case both work fine with the previous security java version "1.6.0_18"

OpenJDK Runtime Environment (IcedTea6 1.8.7) (6b18-1.8.7-2~lenny1)


Is there a way for somebody to re-review
http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470 ?

Have a great day.

--

Andrei Sura
Software Developer
IT Department

Gleim Publications, Inc.
4201 NW 95th Blvd
Gainesville, FL. 32606
http://www.gleim.com
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
