GNU bug report logs - #68333
Time bomb in icedtea/openjdk

Previous Next

Package: guix;

Reported by: Julien Lepiller <julien <at> lepiller.eu>

Date: Mon, 8 Jan 2024 21:37:02 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Rostislav Svoboda <rostislav.svoboda <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 68333-done <at> debbugs.gnu.org
Subject: bug#68333: Time bomb in icedtea/openjdk
Date: Wed, 10 Jan 2024 22:00:16 +0100

Hi,

> What do you think of the attached patch?  The difference is that it
> patches code at its root (in the actual source tarball rather than after
> it’s been copied), it does so for IcedTea 7 and 8, and there are patch
> files that are slightly clearer than a substitution pattern.

That's clearly a much better solution than that substitution pattern of mine.

Besides, I missed the path difference:
  jdk-3.19.0-2d5d2c77faa3:
/make/src/classes/build/tools/generatecurrencydata/GenerateCurrencyData.java
  jdk-2.6.13-68b6bb380175:
/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java

Speaking of which, I'd go for e.g.:
  jdk-3.19.0-currency-time-bomb.patch
  jdk-2.6.13-currency-time-bomb.patch
instead of:
  jdk-currency-time-bomb.patch
  jdk-currency-time-bomb2.patch

Yeah naming is hard ;-)

Also, changing the error string from:
  time is more than 10 years from present
to:
  time is more than 10 years from \"present\"

i.e. adding double quotes will slightly complicate googling for that
error message in the future.

> Pushed as 5c0f77f4241c9beac0c82deae946bfdc70b49ff0.

Thanks

> Let’s hope there’s no similar time bomb elsewhere in the Java stack.

I'm looking aaaand... I haven't found anything so far.

Cheers Bost
This bug report was last modified 1 year and 186 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.