On 03/04/2016 12:24 AM, Markus Koschany wrote:
> On Thu, 03. Mar 22:30 tony mancill <tmanc...@debian.org> wrote:
>>> diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch
>>> bsh-2.0b4/debian/patches/CVE-2016-2510.patch
>>> --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-02
>>> 20:24:07.000000000 -0800
>>> +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-03
>>> 22:10:57.000000000 -0800
>>> @@ -35,8 +35,8 @@
>>> - class Handler implements InvocationHandler, java.io.Serializable
>>> + class Handler implements InvocationHandler
>>> {
>>> -+ private Object readResolve() throws ObjectStreamException {
>>> -+ throw new NotSerializableException();
>>> ++ private Object readResolve() throws
>>> java.io.ObjectStreamException {
>>> ++ throw new java.io.NotSerializableException();
>>> + }
>>> +
>>
>> So, if you're okay with the patch, could you apply it and upload an
>> updated bsh? Or do you mind if I do?
>
> Hi tony,
>
> I can upload a new revision of bsh with this change later. I'm just wondering
> why we need to use java.io.ObjectStreamException and
> java.io.NotSerializableException explicitly, because these classes are already
> imported in bsh's XThis.java.
>
> import java.io.*;
>
> Anyway, it doesn't change the intention of the patch and should be safe.
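Review bot: with java.io.Serializable dropped from the implements clause of Handler in this hunk, the added readResolve() is never reached on the read side: ObjectInputStream rejects a stream whose class descriptor names a local class that is not Serializable with an InvalidClassException ("class invalid for deserialization") before it would ever invoke readResolve, so the method is defence in depth rather than the operative part of the fix, and a one-line comment above it saying so would spare the next reader the same question. The outer change (ObjectStreamException and NotSerializableException written out as java.io.ObjectStreamException and java.io.NotSerializableException) is purely cosmetic given the import java.io.*; that Markus points to, since both spellings resolve to the same classes; the qualified form merely matches the existing java.io.Serializable reference on the removed line. Removing Serializable is also the stronger of the two changes, because a readResolve() guard alone would still let writeObject() serialize Handler instances, whereas a non-Serializable Handler is refused at write time as well.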
Hi Markus,

I ask myself that same question, and intend to look it up. Perhaps because it's a nested inner class of XThis? But one of the clues was that the original code specified the full class name for java.io.Serializable and not just Serializable.

I agree that it shouldn't affect the intention of the patch and should be safe, but it is a bit puzzling.

Thank you,
tony

P.S. I'm leaving you on the cc: because my MX is having some issues with bugs.debian.org at the moment. Sorry if you get duplicates.
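The two deserialization guards discussed in this thread, as an added Java example that is neither bsh code nor part of the Debian patch: HandlerA stands in for the pre-fix class (plainly Serializable), HandlerG keeps Serializable but adds a readResolve() that throws NotSerializableException, and HandlerB drops Serializable altogether as the hunk does. All three class names, the interfaceName field and the retarget() helper are invented for the demo; retarget() rewrites the class name inside a serialized HandlerA stream so that a stream aimed at the non-Serializable HandlerB can be fed to ObjectInputStream at all, standing in for an attacker-supplied stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

/**
 * Added demonstration, not part of bsh or of the Debian patch. Three invented
 * stand-ins for XThis.Handler show what ObjectOutputStream/ObjectInputStream do
 * with each variant.
 */
public class ReadResolveDemo {

    /** Shape of the class before the fix: plainly Serializable. */
    static class HandlerA implements Serializable {
        private static final long serialVersionUID = 1L;
        String interfaceName = "java.lang.Runnable";
    }

    /** Serializable kept, but readResolve() refuses to hand an instance back. */
    static class HandlerG implements Serializable {
        private static final long serialVersionUID = 1L;
        String interfaceName = "java.lang.Runnable";

        private Object readResolve() throws ObjectStreamException {
            throw new NotSerializableException(getClass().getName());
        }
    }

    /** Serializable removed entirely, which is what the Debian hunk does. */
    static class HandlerB {
        String interfaceName = "java.lang.Runnable";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Describe the outcome of writeObject() instead of throwing. */
    static String writeAttempt(Object o) {
        try {
            serialize(o);
            return "ok";
        } catch (IOException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /** Describe the outcome of readObject() on a stream instead of throwing. */
    static String readAttempt(byte[] stream) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            Object o = ois.readObject();
            return "ok: " + o.getClass().getSimpleName();
        } catch (IOException | ClassNotFoundException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /**
     * Overwrite every occurrence of one class name in a serialized stream with
     * another of the same length (equal length keeps the stream's UTF length
     * prefix valid). This stands in for an attacker who hand-crafts a stream
     * naming a class the receiving JVM no longer treats as Serializable.
     */
    static byte[] retarget(byte[] stream, String from, String to) {
        byte[] f = from.getBytes(StandardCharsets.UTF_8);
        byte[] t = to.getBytes(StandardCharsets.UTF_8);
        if (f.length != t.length) {
            throw new IllegalArgumentException("class names must have equal length");
        }
        byte[] out = stream.clone();
        outer:
        for (int i = 0; i + f.length <= out.length; i++) {
            for (int j = 0; j < f.length; j++) {
                if (out[i + j] != f[j]) continue outer;
            }
            System.arraycopy(t, 0, out, i, t.length);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] streamA = serialize(new HandlerA());
        System.out.println("HandlerA (unfixed), read:           " + readAttempt(streamA));

        System.out.println("HandlerG (readResolve), write:      " + writeAttempt(new HandlerG()));
        System.out.println("HandlerG (readResolve), read:       " + readAttempt(serialize(new HandlerG())));

        System.out.println("HandlerB (not Serializable), write: " + writeAttempt(new HandlerB()));
        // HandlerB cannot be written at all, so aim the HandlerA stream at it instead.
        byte[] streamB = retarget(streamA, HandlerA.class.getName(), HandlerB.class.getName());
        System.out.println("HandlerB (not Serializable), read:  " + readAttempt(streamB));
    }
}
```

Compile and run with javac ReadResolveDemo.java && java ReadResolveDemo. The HandlerA stream reads back normally. HandlerG serializes without complaint but readObject() fails with the NotSerializableException thrown from readResolve(), so that guard covers the read side only. HandlerB is refused already by writeObject() with a NotSerializableException, and the retargeted stream aimed at it fails on read with an InvalidClassException raised while resolving the class descriptor, that is, before any readResolve() on the class could run; this is why dropping Serializable makes a readResolve() on the same class redundant on the read side.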