From 08fa06d6c9c8008b2575af278c44b9c2e19cd622 Mon Sep 17 00:00:00 2001 From: yangxinyu Date: Tue, 9 Sep 2025 15:39:45 +0800 Subject: [PATCH] [CVE] fix cve-2025-30749 cve-2025-50059 cve-2025-50106 to #bug22755 #bug22752 #bug22744 fix cve-2025-30749 cve-2025-50059 cve-2025-50106 Project: TC2024080204 Signed-off-by:yangxinyu --- java-17-openjdk.spec | 18 ++- jdk-17-cve-2025-30749.patch | 216 ++++++++++++++++++++++++++++++++++++ jdk-17-cve-2025-50059.patch | 99 +++++++++++++++++ jdk-17-cve-2025-50106.patch | 53 +++++++++ 4 files changed, 385 insertions(+), 1 deletion(-) create mode 100644 jdk-17-cve-2025-30749.patch create mode 100644 jdk-17-cve-2025-50059.patch create mode 100644 jdk-17-cve-2025-50106.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 2fc1c6f..8f76383 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -13,7 +13,7 @@ # Only produce a release build on x86_64: # $ fedpkg mockbuild --without slowdebug --without fastdebug -%global anolis_release 4 +%global anolis_release 5 # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -1224,6 +1224,8 @@ Source17: nss.fips.cfg.in # Ensure translations are available for new timezones Source18: TestTranslations.java +ExclusiveArch: loongarch64 + ############################################ # # RPM/distribution specific patches @@ -1310,6 +1312,13 @@ Patch2003: jdk8295173-tzdata2022e.patch # Init support for LoongArch64 Patch3000: jdk17-LoongArch64.patch +#https://github.com/openjdk/jdk17u/commit/5b443e9e817fa206dfaa87d9e2b9dbc87daa027f +Patch3001: jdk-17-cve-2025-30749.patch +#https://github.com/openjdk/jdk17u/commit/770ad1fa038d4df857f4c769580ed27bb5d211e6 +Patch3002: jdk-17-cve-2025-50059.patch +#https://github.com/openjdk/jdk17u/commit/dc37bab65cb052ecae715bc8e71efa116c16b034 +Patch3003: jdk-17-cve-2025-50106.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel @@ -1688,6 +1697,10 @@ pushd %{top_level_dir_name} %ifarch loongarch64 %patch3000 -p1 %endif +%patch3001 -p1 +%patch3002 -p1 +%patch3003 -p1 + popd # openjdk %patch600 @@ -2493,6 +2506,9 @@ require "copy_jdk_configs.lua" %endif %changelog +* Tue Sep 09 2025 yangxinyu - 1:17.0.5.0.8-5 +- fix cve-2025-30749 cve-2025-50059 cve-2025-50106 + * Thu Nov 09 2023 Leslie Zhai - 1:17.0.5.0.8-4 - Disable gdb diff --git a/jdk-17-cve-2025-30749.patch b/jdk-17-cve-2025-30749.patch new file mode 100644 index 0000000..a6bdad8 --- /dev/null +++ b/jdk-17-cve-2025-30749.patch @@ -0,0 +1,216 @@ +From 5b443e9e817fa206dfaa87d9e2b9dbc87daa027f Mon Sep 17 00:00:00 2001 +From: Ilarion Nakonechnyy +Date: Tue, 27 May 2025 16:03:01 -0700 +Subject: [PATCH] 8348989: Better Glyph drawing + +Reviewed-by: avoitylov, mbalao, andrew +Backport-of: 191c37a280faccfaecae033a68313ad06cdfc411 +--- + .../native/libawt_lwawt/font/CGGlyphImages.m | 82 +++++++++++++++---- + 1 file changed, 66 insertions(+), 16 deletions(-) + +diff --git a/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m b/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m +index fdd855b6994..316f6e273f2 100644 +--- a/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m ++++ b/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m +@@ -237,6 +237,7 @@ @implementation CGGI_GlyphCanvas + { + UInt32 *src = (UInt32 *)canvas->image->data; + size_t srcRowWidth = canvas->image->width; ++ size_t srcHeight = canvas->image->height; + + UInt8 *dest = (UInt8 *)info->image; + size_t destRowWidth = info->width; +@@ -246,12 +247,12 @@ @implementation CGGI_GlyphCanvas + size_t y; + + // fill empty glyph image with black-on-white glyph +- for (y = 0; y < height; y++) { ++ for (y = 0; y < height && y < srcHeight; y++) { + size_t destRow = y * destRowWidth * 3; + size_t srcRow = y * srcRowWidth; + + size_t x; +- for (x = 0; x < destRowWidth; x++) { ++ for (x = 0; x < destRowWidth && x < srcRowWidth; x++) { + CGGI_CopyARGBPixelToRGBPixel(src[srcRow + x], + dest + destRow + x * 3); + } +@@ -289,6 +290,7 @@ @implementation CGGI_GlyphCanvas + { + UInt32 *src = (UInt32 *)canvas->image->data; + size_t srcRowWidth = canvas->image->width; ++ size_t srcHeight = canvas->image->height; + + UInt8 *dest = (UInt8 *)info->image; + size_t destRowWidth = info->width; +@@ -298,11 +300,11 @@ @implementation CGGI_GlyphCanvas + size_t y; + + // fill empty glyph image with black-on-white glyph +- for (y = 0; y < height; y++) { ++ for (y = 0; y < height && y < srcHeight; y++) { + size_t destRow = y * destRowWidth; + size_t srcRow = y * srcRowWidth; + size_t x; +- for (x = 0; x < destRowWidth; x++) { ++ for (x = 0; x < destRowWidth && x < srcRowWidth; x++) { + UInt32 p = src[srcRow + x]; + dest[destRow + x] = CGGI_ConvertBWPixelToByteGray(p); + } +@@ -317,6 +319,7 @@ @implementation CGGI_GlyphCanvas + + UInt32 *src = (UInt32 *)canvas->image->data; + size_t srcRowWidth = canvas->image->width; ++ size_t srcHeight = canvas->image->height; + + UInt8 *dest = (UInt8 *)info->image; + size_t destRowWidth = info->width; +@@ -325,15 +328,16 @@ @implementation CGGI_GlyphCanvas + + size_t y; + +- for (y = 0; y < height; y++) { ++ for (y = 0; y < height && y < srcHeight; y++) { + size_t srcRow = y * srcRowWidth; + if (littleEndian) { +- UInt16 destRowBytes = info->rowBytes; ++ size_t srcRowBytes = canvas->image->rowBytes; ++ UInt16 destRowBytes = (info->rowBytes < srcRowBytes) ? info->rowBytes : srcRowBytes; + memcpy(dest, src + srcRow, destRowBytes); + dest += destRowBytes; + } else { + size_t x; +- for (x = 0; x < destRowWidth; x++) { ++ for (x = 0; x < destRowWidth && x < srcRowWidth; x++) { + UInt32 p = src[srcRow + x]; + *dest++ = (p >> 24 & 0xFF); // blue (alpha-premultiplied) + *dest++ = (p >> 16 & 0xFF); // green (alpha-premultiplied) +@@ -426,8 +430,10 @@ @implementation CGGI_GlyphCanvas + + canvas->image->data = (void *)calloc(byteCount, sizeof(UInt8)); + if (canvas->image->data == NULL) { +- [[NSException exceptionWithName:NSMallocException +- reason:@"Failed to allocate memory for the buffer which backs the CGContext for glyph strikes." userInfo:nil] raise]; ++ canvas->image->width = 0; ++ canvas->image->height = 0; ++ canvas->image->rowBytes = 0; ++ canvas->image->data = malloc(0); + } + + uint32_t bmpInfo = kCGImageAlphaPremultipliedFirst; +@@ -477,6 +483,10 @@ @implementation CGGI_GlyphCanvas + + /* + * Quick and easy inline to check if this canvas is big enough. ++ * This function only increases the size. To get a smaller canvas, free it first. ++ * This function adds padding / slack multiplier to the requested size. ++ * So resizes must be based on the size you need, not the size of the canvas. ++ * The function will internally account for the multiplier it uses. + */ + static inline void + CGGI_SizeCanvas(CGGI_GlyphCanvas *canvas, const vImagePixelCount width, +@@ -484,18 +494,31 @@ @implementation CGGI_GlyphCanvas + const CGGI_RenderingMode* mode) + { + if (canvas->image != NULL && +- width < canvas->image->width && +- height < canvas->image->height) ++ width * CGGI_GLYPH_CANVAS_SLACK <= canvas->image->width && ++ height * CGGI_GLYPH_CANVAS_SLACK <= canvas->image->height) + { + return; + } + ++ vImagePixelCount w = width * CGGI_GLYPH_CANVAS_SLACK; ++ vImagePixelCount h = height * CGGI_GLYPH_CANVAS_SLACK; ++ ++ // Do not allow the canvas to be resized smaller. ++ if (canvas->image != NULL) { ++ if (w < canvas->image->width) { ++ w = canvas->image->width; ++ } ++ if (h < canvas->image->height) { ++ h = canvas->image->height; ++ } ++ } ++ + // if we don't have enough space to strike the largest glyph in the + // run, resize the canvas + CGGI_FreeCanvas(canvas); + CGGI_InitCanvas(canvas, +- width * CGGI_GLYPH_CANVAS_SLACK, +- height * CGGI_GLYPH_CANVAS_SLACK, ++ w, ++ h, + mode); + JRSFontSetRenderingStyleOnContext(canvas->context, mode->cgFontMode); + } +@@ -511,6 +534,12 @@ @implementation CGGI_GlyphCanvas + canvasRectToClear.data = canvas->image->data; + canvasRectToClear.height = info->height; + canvasRectToClear.width = info->width; ++ if (canvas->image->width < canvasRectToClear.width) { ++ canvasRectToClear.width = canvas->image->width; ++ } ++ if (canvas->image->height < canvasRectToClear.height) { ++ canvasRectToClear.height = canvas->image->height; ++ } + // use the row stride of the canvas, not the info + canvasRectToClear.rowBytes = canvas->image->rowBytes; + +@@ -870,7 +899,6 @@ @implementation CGGI_GlyphCanvas + CGRect bbox = bboxes[i]; + + GlyphInfo *glyphInfo = CGGI_CreateNewGlyphInfoFrom(advance, bbox, strike, mainFontDescriptor); +- + if (maxWidth < glyphInfo->width) maxWidth = glyphInfo->width; + if (maxHeight < glyphInfo->height) maxHeight = glyphInfo->height; + +@@ -947,8 +975,7 @@ @implementation CGGI_GlyphCanvas + } + + // just do one malloc, and carve it up for all the buffers +- void *buffer = malloc(sizeof(CGRect) * sizeof(CGSize) * +- sizeof(CGGlyph) * sizeof(UnicodeScalarValue) * len); ++ void *buffer = malloc((sizeof(CGRect) + sizeof(CGSize) + sizeof(CGGlyph) + sizeof(UnicodeScalarValue)) * len); + if (buffer == NULL) { + [[NSException exceptionWithName:NSMallocException + reason:@"Failed to allocate memory for the temporary glyph strike and measurement buffers." userInfo:nil] raise]; +@@ -966,6 +993,8 @@ @implementation CGGI_GlyphCanvas + free(buffer); + } + ++#define TX_FIXED_UNSAFE(v) (isinf(v) || isnan(v) || fabs(v) >= (1<<30)) ++ + /* + * Calculates bounding boxes (for given transform) and advance (for untransformed 1pt-size font) for specified glyphs. + */ +@@ -977,6 +1006,27 @@ @implementation CGGI_GlyphCanvas + size_t count, + CGRect bboxes[], + CGSize advances[]) { ++ ++ if (TX_FIXED_UNSAFE(tx->a) || TX_FIXED_UNSAFE(tx->b) || TX_FIXED_UNSAFE(tx->c) || ++ TX_FIXED_UNSAFE(tx->d) || TX_FIXED_UNSAFE(tx->tx) || TX_FIXED_UNSAFE(tx->tx)) { ++ ++ if (bboxes) { ++ for (int i = 0; i < count; i++) { ++ bboxes[i].origin.x = 0; ++ bboxes[i].origin.y = 0; ++ bboxes[i].size.width = 0; ++ bboxes[i].size.height = 0; ++ } ++ } ++ if (advances) { ++ for (int i = 0; i < count; i++) { ++ advances[i].width = 0; ++ advances[i].height = 0; ++ } ++ } ++ return; ++ } ++ + if (IsEmojiFont(font)) { + // Glyph metrics for emoji font are not strictly proportional to font size, + // so we need to construct real-sized font object to calculate them. diff --git a/jdk-17-cve-2025-50059.patch b/jdk-17-cve-2025-50059.patch new file mode 100644 index 0000000..bdc5243 --- /dev/null +++ b/jdk-17-cve-2025-50059.patch @@ -0,0 +1,99 @@ +From 770ad1fa038d4df857f4c769580ed27bb5d211e6 Mon Sep 17 00:00:00 2001 +From: Alexey Bakhtin +Date: Wed, 21 May 2025 17:11:28 -0700 +Subject: [PATCH] 8350991: Improve HTTP client header handling + +Reviewed-by: mbalao, andrew +Backport-of: 3b0f6ebdf8dbaf0caf9a9ec1f201d5938f674021 +--- + .../internal/net/http/HttpRequestImpl.java | 21 ++++++++++++++++--- + .../jdk/internal/net/http/common/Utils.java | 12 +++++++++++ + .../java/net/httpclient/DigestEchoClient.java | 5 +++-- + 3 files changed, 33 insertions(+), 5 deletions(-) + +diff --git a/src/java.net.http/share/classes/jdk/internal/net/http/HttpRequestImpl.java b/src/java.net.http/share/classes/jdk/internal/net/http/HttpRequestImpl.java +index 890ed1de07f..7fe05edcec0 100644 +--- a/src/java.net.http/share/classes/jdk/internal/net/http/HttpRequestImpl.java ++++ b/src/java.net.http/share/classes/jdk/internal/net/http/HttpRequestImpl.java +@@ -41,6 +41,7 @@ + import java.net.http.HttpClient; + import java.net.http.HttpHeaders; + import java.net.http.HttpRequest; ++import java.util.function.BiPredicate; + + import jdk.internal.net.http.common.HttpHeadersBuilder; + import jdk.internal.net.http.common.Utils; +@@ -151,7 +152,11 @@ public static HttpRequestImpl newInstanceForRedirection(URI uri, + String method, + HttpRequestImpl other, + boolean mayHaveBody) { +- return new HttpRequestImpl(uri, method, other, mayHaveBody); ++ if (uri.getScheme().equalsIgnoreCase(other.uri.getScheme()) && ++ uri.getRawAuthority().equals(other.uri.getRawAuthority())) { ++ return new HttpRequestImpl(uri, method, other, mayHaveBody, Optional.empty()); ++ } ++ return new HttpRequestImpl(uri, method, other, mayHaveBody, Optional.of(Utils.ALLOWED_REDIRECT_HEADERS)); + } + + /** Returns a new instance suitable for authentication. */ +@@ -171,9 +176,19 @@ private HttpRequestImpl(URI uri, + String method, + HttpRequestImpl other, + boolean mayHaveBody) { ++ this(uri, method, other, mayHaveBody, Optional.empty()); ++ } ++ ++ private HttpRequestImpl(URI uri, ++ String method, ++ HttpRequestImpl other, ++ boolean mayHaveBody, ++ Optional> redirectHeadersFilter) { + assert method == null || Utils.isValidName(method); +- this.method = method == null? "GET" : method; +- this.userHeaders = other.userHeaders; ++ this.method = method == null ? "GET" : method; ++ HttpHeaders userHeaders = redirectHeadersFilter.isPresent() ? ++ HttpHeaders.of(other.userHeaders.map(), redirectHeadersFilter.get()) : other.userHeaders; ++ this.userHeaders = userHeaders; + this.isWebSocket = other.isWebSocket; + this.systemHeadersBuilder = new HttpHeadersBuilder(); + if (!userHeaders.firstValue("User-Agent").isPresent()) { +diff --git a/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java b/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java +index a51b3d35979..2d18be13caf 100644 +--- a/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java ++++ b/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java +@@ -152,6 +152,18 @@ private static Set getDisallowedHeaders() { + public static final BiPredicate + ALLOWED_HEADERS = (header, unused) -> !DISALLOWED_HEADERS_SET.contains(header); + ++ private static final Set DISALLOWED_REDIRECT_HEADERS_SET = getDisallowedRedirectHeaders(); ++ ++ private static Set getDisallowedRedirectHeaders() { ++ Set headers = new TreeSet<>(String.CASE_INSENSITIVE_ORDER); ++ headers.addAll(Set.of("Authorization", "Cookie", "Origin", "Referer", "Host")); ++ ++ return Collections.unmodifiableSet(headers); ++ } ++ ++ public static final BiPredicate ++ ALLOWED_REDIRECT_HEADERS = (header, unused) -> !DISALLOWED_REDIRECT_HEADERS_SET.contains(header); ++ + public static final BiPredicate VALIDATE_USER_HEADER = + (name, value) -> { + assert name != null : "null header name"; +diff --git a/test/jdk/java/net/httpclient/DigestEchoClient.java b/test/jdk/java/net/httpclient/DigestEchoClient.java +index f7bac2038d1..071eb5bd6f5 100644 +--- a/test/jdk/java/net/httpclient/DigestEchoClient.java ++++ b/test/jdk/java/net/httpclient/DigestEchoClient.java +@@ -258,8 +258,9 @@ public static void main(String[] args) throws Exception { + } + try { + for (DigestEchoServer.HttpAuthType authType : types) { +- // The test server does not support PROXY305 properly +- if (authType == DigestEchoServer.HttpAuthType.PROXY305) continue; ++ // The test server does not support PROXY305 or SERVER307 properly ++ if (authType == DigestEchoServer.HttpAuthType.PROXY305 || ++ authType == DigestEchoServer.HttpAuthType.SERVER307) continue; + EnumSet basics = + EnumSet.of(DigestEchoServer.HttpAuthSchemeType.BASICSERVER, + DigestEchoServer.HttpAuthSchemeType.BASIC); diff --git a/jdk-17-cve-2025-50106.patch b/jdk-17-cve-2025-50106.patch new file mode 100644 index 0000000..ed1ab49 --- /dev/null +++ b/jdk-17-cve-2025-50106.patch @@ -0,0 +1,53 @@ +From dc37bab65cb052ecae715bc8e71efa116c16b034 Mon Sep 17 00:00:00 2001 +From: Alexey Bakhtin +Date: Mon, 23 Jun 2025 18:49:26 +0000 +Subject: [PATCH] 8360147: Better Glyph drawing redux + +Reviewed-by: mbalao, andrew +Backport-of: f57e6baf3b86a7ef0911223cccb47b96e2af0420 +--- + .../native/libawt_lwawt/font/CGGlyphImages.m | 23 +++++++++++-------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m b/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m +index 316f6e273f2..4dac06a8a5f 100644 +--- a/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m ++++ b/src/java.desktop/macosx/native/libawt_lwawt/font/CGGlyphImages.m +@@ -974,23 +974,28 @@ @implementation CGGI_GlyphCanvas + return; + } + +- // just do one malloc, and carve it up for all the buffers +- void *buffer = malloc((sizeof(CGRect) + sizeof(CGSize) + sizeof(CGGlyph) + sizeof(UnicodeScalarValue)) * len); +- if (buffer == NULL) { ++ CGRect *bboxes = (CGRect*)calloc(len, sizeof(CGRect)); ++ CGSize *advances = (CGSize*)calloc(len, sizeof(CGSize)); ++ CGGlyph *glyphs = (CGGlyph*)calloc(len, sizeof(CGGlyph)); ++ UnicodeScalarValue *uniChars = (UnicodeScalarValue*)calloc(len, sizeof(UnicodeScalarValue)); ++ ++ if (bboxes == NULL || advances == NULL || glyphs == NULL || uniChars == NULL) { ++ free(bboxes); ++ free(advances); ++ free(glyphs); ++ free(uniChars); + [[NSException exceptionWithName:NSMallocException + reason:@"Failed to allocate memory for the temporary glyph strike and measurement buffers." userInfo:nil] raise]; + } + +- CGRect *bboxes = (CGRect *)(buffer); +- CGSize *advances = (CGSize *)(bboxes + sizeof(CGRect) * len); +- CGGlyph *glyphs = (CGGlyph *)(advances + sizeof(CGGlyph) * len); +- UnicodeScalarValue *uniChars = (UnicodeScalarValue *)(glyphs + sizeof(UnicodeScalarValue) * len); +- + CGGI_CreateGlyphsAndScanForComplexities(glyphInfos, strike, &mode, + rawGlyphCodes, uniChars, glyphs, + advances, bboxes, len); + +- free(buffer); ++ free(bboxes); ++ free(advances); ++ free(glyphs); ++ free(uniChars); + } + + #define TX_FIXED_UNSAFE(v) (isinf(v) || isnan(v) || fabs(v) >= (1<<30)) -- Gitee