Bug#645881: RMI and java 6b18-1.8.10-0~lenny1

Andrei asura at gleim.com
Wed Dec 14 00:32:46 UTC 2011


Hello,
This email is related to 
http://security-tracker.debian.org/tracker/CVE-2011-3556


Basically, one of our RMI applications is failing to start after the
security update to java 6b18-1.8.10-0~lenny1.

I have tried to run the test case specified as part of

http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470
http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/d27f0b2f1476

and it fails with an exception trace similar to:

Exceptions

2011-12-13 17:28:18,346 [main] ERROR com.gleim.gacs.Gacs - java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
    java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
    java.lang.ClassNotFoundException: access to class loader denied
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
    java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
    java.lang.ClassNotFoundException: access to class loader denied
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:419)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267)
    at sun.rmi.transport.Transport$1.run(Transport.java:177)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:553)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:808)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:667)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:636)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:273)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:251)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:377)
    at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
    at java.rmi.Naming.rebind(Naming.java:177)
    at com.gleim.gacs.Gacs.startup(Gacs.java:49)
    at com.gleim.gacs.Gacs.main(Gacs.java:103)
Caused by: java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
    java.lang.ClassNotFoundException: access to class loader denied
    at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409)

Caused by: java.lang.ClassNotFoundException: access to class loader denied
    at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:445)
    at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:182)
    at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637)
    at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264)
    at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1592)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1513)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1749)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1346)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368)
    ... 12 more
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission ////usr/local/gcss2/gacs/- read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at sun.rmi.server.LoaderHandler$Loader.checkPermissions(LoaderHandler.java:1173)
    at sun.rmi.server.LoaderHandler$Loader.access$000(LoaderHandler.java:1127)
    at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:409)



The code and the test case both work fine with the previous security
java version "1.6.0_18"

OpenJDK Runtime Environment (IcedTea6 1.8.7) (6b18-1.8.7-2~lenny1)


Is there a way for somebody to re-review
http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470 ?

Have a great day.

-- 

Andrei Sura
Software Developer
IT Department

Gleim Publications, Inc.
4201 NW 95th Blvd
Gainesville, FL. 32606
http://www.gleim.com