On 03/03/2016 12:49 PM, Markus Koschany wrote:
> Am 03.03.2016 um 05:03 schrieb tony mancill:
>> Control: -1 tag  + confirmed
>> Control: -1 owner tmanc...@debian.org
>>
>> On 02/29/2016 11:05 PM, Chris Lamb wrote:
>>> Source: jedit
>>> Version: 5.3.0+dfsg-1
>>> Severity: serious
>>> Justification: fails to build from source
>>
>>>       [javac] 
>>> /home/lamby/temp/cdt.20160301065925.cu0iTWjXkj/jedit-5.3.0+dfsg/org/gjt/sp/jedit/bsh/XThis.java:128:
>>>  error: cannot find symbol
>>>       [javac]                       throw new NotSerializableException();
>>
>> Thanks for the bug report.  Looks like we have a bit of porting for the
>> latest bsh upload.
>>
> 
> Sorry for the inconvenience. If there is more involved than importing
> the missing class, please let me know and I try to fix it.

Hi Markus,

No inconvenience at all. The issue seems to be with the upstream patch
for CVE-2016-2510, which drops the java.io.Serializable interface from
the InvocationHandler, but then references the ObjectStreamException and
NotSerializableException classes that package.

I was able to get things working for jedit by applying the following
patch (also attached), building a new bsh-src package locally, and using
that for the jedit build.

> diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch 
> bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch      2016-03-02 
> 20:24:07.000000000 -0800
> +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch      2016-03-03 
> 22:10:57.000000000 -0800
> @@ -35,8 +35,8 @@
>  -    class Handler implements InvocationHandler, java.io.Serializable 
>  +    class Handler implements InvocationHandler
>       {
> -+            private Object readResolve() throws ObjectStreamException {
> -+                    throw new NotSerializableException();
> ++            private Object readResolve() throws 
> java.io.ObjectStreamException {
> ++                    throw new java.io.NotSerializableException();
>  +            }
>  +

So, if you're okay with the patch, could you apply it and upload an
updated bsh?  Or do you mind if I do?

Cheers,
tony

diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
--- bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-02 20:24:07.000000000 -0800
+++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-03 22:10:57.000000000 -0800
@@ -35,8 +35,8 @@
 -	class Handler implements InvocationHandler, java.io.Serializable 
 +	class Handler implements InvocationHandler
  	{
-+		private Object readResolve() throws ObjectStreamException {
-+			throw new NotSerializableException();
++		private Object readResolve() throws java.io.ObjectStreamException {
++			throw new java.io.NotSerializableException();
 +		}
 +

Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to