On 03/03/2016 12:49 PM, Markus Koschany wrote:
> On 03.03.2016 at 05:03, tony mancill wrote:
>> Control: -1 tag + confirmed
>> Control: -1 owner [email protected]
>>
>> On 02/29/2016 11:05 PM, Chris Lamb wrote:
>>> Source: jedit
>>> Version: 5.3.0+dfsg-1
>>> Severity: serious
>>> Justification: fails to build from source
>>
>>> [javac] /home/lamby/temp/cdt.20160301065925.cu0iTWjXkj/jedit-5.3.0+dfsg/org/gjt/sp/jedit/bsh/XThis.java:128: error: cannot find symbol
>>> [javac] throw new NotSerializableException();
>>
>> Thanks for the bug report. Looks like we have a bit of porting for the
>> latest bsh upload.
>>
>
> Sorry for the inconvenience. If there is more involved than importing
> the missing class, please let me know and I will try to fix it.
Hi Markus,
No inconvenience at all. The issue seems to be with the upstream patch
for CVE-2016-2510, which drops the java.io.Serializable interface from
the InvocationHandler, but then references the ObjectStreamException and
NotSerializableException classes from that package.
I was able to get things working for jedit by applying the following
patch (also attached), building a new bsh-src package locally, and using
that for the jedit build.
> diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-02
> 20:24:07.000000000 -0800
> +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-03
> 22:10:57.000000000 -0800
> @@ -35,8 +35,8 @@
> - class Handler implements InvocationHandler, java.io.Serializable
> + class Handler implements InvocationHandler
> {
> -+ private Object readResolve() throws ObjectStreamException {
> -+ throw new NotSerializableException();
> ++ private Object readResolve() throws
> java.io.ObjectStreamException {
> ++ throw new java.io.NotSerializableException();
> + }
> +
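Review bot: fully qualifying java.io.ObjectStreamException and java.io.NotSerializableException in the two `++` lines is the right fix for the "cannot find symbol" error, since the upstream hunk references both types without an import, and because each `-+` line is replaced by exactly one `++` line the inner patch's own `@@` line counts stay valid. One point worth recording in the patch header: with `class Handler implements InvocationHandler` no longer Serializable, ObjectInputStream rejects a Handler before readResolve() is ever consulted, so the throwing readResolve() is defense in depth rather than the primary mitigation; a one-line comment saying so would stop a later maintainer from reinstating Serializable on the grounds that the method "already handles it".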
So, if you're okay with the patch, could you apply it and upload an
updated bsh? Or do you mind if I do?
Cheers,
tony
diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
--- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-02 20:24:07.000000000 -0800
+++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-03 22:10:57.000000000 -0800
@@ -35,8 +35,8 @@
- class Handler implements InvocationHandler, java.io.Serializable
+ class Handler implements InvocationHandler
{
-+ private Object readResolve() throws ObjectStreamException {
-+ throw new NotSerializableException();
++ private Object readResolve() throws java.io.ObjectStreamException {
++ throw new java.io.NotSerializableException();
+ }
+
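To make the mechanics of the fix concrete, here is an added, stand-alone example (not code from bsh, jedit, or the Debian patch). The `Handler` class is a hypothetical stand-in for bsh's `XThis.Handler` after the CVE-2016-2510 patch: it implements only `InvocationHandler` and carries the same throwing `readResolve()` with fully qualified exception names. The `Greeter` interface, the `target` field and the `trySerialize` helper are assumptions made for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class HandlerSerializationGuard {

    // Hypothetical stand-in for bsh's XThis.Handler after the CVE-2016-2510 patch:
    // it implements InvocationHandler only, NOT java.io.Serializable.
    static final class Handler implements InvocationHandler {
        private final String target;   // assumed field, only used to make invoke() observable

        Handler(String target) {
            this.target = target;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) {
            return target + "." + method.getName() + "()";
        }

        // Mirrors the patched code. Because Handler is not Serializable,
        // ObjectInputStream never reaches readResolve(); the method only matters
        // if someone re-adds Serializable later. Fully qualified names are used,
        // as in the patch, so no extra java.io imports are needed for these types.
        private Object readResolve() throws java.io.ObjectStreamException {
            throw new java.io.NotSerializableException(Handler.class.getName());
        }
    }

    // Assumed interface for the dynamic proxy.
    interface Greeter {
        String greet();
    }

    /** Attempts to serialize an object and reports the outcome instead of throwing. */
    static String trySerialize(Object obj) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(obj);
            return "serialized";
        } catch (NotSerializableException e) {
            return "rejected, not serializable: " + e.getMessage();
        } catch (IOException e) {
            return "io error: " + e;
        }
    }

    public static void main(String[] args) {
        Greeter g = (Greeter) Proxy.newProxyInstance(
                Greeter.class.getClassLoader(),
                new Class<?>[] { Greeter.class },
                new Handler("xthis"));

        // The proxy still works as an ordinary dynamic proxy.
        System.out.println(g.greet());

        // java.lang.reflect.Proxy instances are Serializable, but writing one also
        // writes its InvocationHandler; a non-Serializable handler aborts the stream,
        // so a Handler can never end up inside serialized data in the first place.
        System.out.println(trySerialize(g));
    }
}
```

Compile and run with `javac HandlerSerializationGuard.java && java HandlerSerializationGuard`. The first line shows the proxy dispatching normally; the second shows `ObjectOutputStream` refusing the proxy because its handler is not Serializable. That refusal, not the `readResolve()` method, is what keeps a `Handler` out of serialized data; the `readResolve()` is a second guard that only becomes reachable if `Serializable` were ever restored on the class.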