On Thu, 03. Mar 22:30 tony mancill <tmanc...@debian.org> wrote:
> On 03/03/2016 12:49 PM, Markus Koschany wrote:
> > On 03.03.2016 at 05:03, tony mancill wrote:
> >> Control: -1 tag + confirmed
> >> Control: -1 owner tmanc...@debian.org
> >>
> >> On 02/29/2016 11:05 PM, Chris Lamb wrote:
> >>> Source: jedit
> >>> Version: 5.3.0+dfsg-1
> >>> Severity: serious
> >>> Justification: fails to build from source
> >>
> >>> [javac] /home/lamby/temp/cdt.20160301065925.cu0iTWjXkj/jedit-5.3.0+dfsg/org/gjt/sp/jedit/bsh/XThis.java:128: error: cannot find symbol
> >>> [javac] throw new NotSerializableException();
> >>
> >> Thanks for the bug report. Looks like we have a bit of porting for the
> >> latest bsh upload.
> >>
> >
> > Sorry for the inconvenience. If there is more involved than importing
> > the missing class, please let me know and I'll try to fix it.
>
> Hi Markus,
>
> No inconvenience at all. The issue seems to be with the upstream patch
> for CVE-2016-2510, which drops the java.io.Serializable interface from
> the InvocationHandler, but then references the ObjectStreamException and
> NotSerializableException classes from that package.
>
> I was able to get things working for jedit by applying the following
> patch (also attached), building a new bsh-src package locally, and using
> that for the jedit build.
>
> > diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> > --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-02 20:24:07.000000000 -0800
> > +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-03 22:10:57.000000000 -0800
> > @@ -35,8 +35,8 @@
> > - class Handler implements InvocationHandler, java.io.Serializable
> > + class Handler implements InvocationHandler
> > {
> > -+ private Object readResolve() throws ObjectStreamException {
> > -+ throw new NotSerializableException();
> > ++ private Object readResolve() throws java.io.ObjectStreamException {
> > ++ throw new java.io.NotSerializableException();
> > + }
> > +
>
> So, if you're okay with the patch, could you apply it and upload an
> updated bsh? Or do you mind if I do?
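Review bot: the two `++` lines qualify the exception types as `java.io.ObjectStreamException` and `java.io.NotSerializableException`, which makes the added `readResolve()` compile regardless of which imports the surrounding XThis.java happens to carry, so the fix is correct and self-contained; a one-line remark in the patch header saying the names are qualified on purpose would stop a later cleanup from dropping them again. One more point worth a comment in the patch: with `java.io.Serializable` removed from `Handler` (the `-`/`+` context lines at the top of the hunk), `ObjectInputStream` refuses to deserialize the class at all and never consults `readResolve()`, so the removed interface is what actually closes the deserialization path and the `readResolve()` is belt-and-braces that documents the intent rather than enforces it.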
Hi tony,

I can upload a new revision of bsh with this change later. I'm just wondering why we need to use java.io.ObjectStreamException and java.io.NotSerializableException explicitly, because these classes are already imported in bsh's XThis.java:

import java.io.*;

Anyway, it doesn't change the intention of the patch and should be safe.

Cheers,

Markus
--
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.