From 33bf05f46a6214eb2ad2d379909ba2192689aef4 Mon Sep 17 00:00:00 2001 From: Wanja Hentze Date: Thu, 21 Apr 2022 15:07:57 +0200 Subject: [PATCH 1/2] openjdk: 11.0.12+7 -> 11.0.15.+10 Fixes several security vulnerabilities, see https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19 --- pkgs/development/compilers/openjdk/11.nix | 13 ++++++---- .../openjdk/fix-library-path-jdk11.patch | 24 ++++++++++++++++--- 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/pkgs/development/compilers/openjdk/11.nix b/pkgs/development/compilers/openjdk/11.nix index 8c45bece9adc..1a74a78fc6c4 100644 --- a/pkgs/development/compilers/openjdk/11.nix +++ b/pkgs/development/compilers/openjdk/11.nix @@ -11,8 +11,8 @@ let major = "11"; minor = "0"; - update = "12"; - build = "7"; + update = "15"; + build = "10"; openjdk = stdenv.mkDerivation rec { pname = "openjdk" + lib.optionalString headless "-headless"; @@ -22,7 +22,7 @@ let owner = "openjdk"; repo = "jdk${major}u"; rev = "jdk-${version}"; - sha256 = "0s8g6gj5vhm7hbp05cqaxasjrkwr41fm634qim8q6slklm4pkkli"; + sha256 = "le2JDxPJPSuga4JxLJNRZwCaodptSb2kh4TsJXumTXs="; }; nativeBuildInputs = [ pkg-config autoconf unzip ]; @@ -40,7 +40,6 @@ let ./currency-date-range-jdk10.patch ./increase-javadoc-heap.patch ./fix-library-path-jdk11.patch - ./fix-glibc-2.34.patch ] ++ lib.optionals (!headless && enableGnome2) [ ./swing-use-gtk-jdk10.patch ]; 
@@ -61,13 +60,17 @@ let "--with-zlib=system" "--with-lcms=system" "--with-stdc++lib=dynamic" + "--disable-warnings-as-errors" ] ++ lib.optional stdenv.isx86_64 "--with-jvm-features=zgc" ++ lib.optional headless "--enable-headless-only" ++ lib.optional (!headless && enableJavaFX) "--with-import-modules=${openjfx}"; separateDebugInfo = true; - NIX_CFLAGS_COMPILE = "-Wno-error"; + # Workaround for + # `cc1plus: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]` + # when building jtreg + NIX_CFLAGS_COMPILE = "-Wformat"; NIX_LDFLAGS = toString (lib.optionals (!headless) [ "-lfontconfig" "-lcups" "-lXinerama" "-lXrandr" "-lmagic" diff --git a/pkgs/development/compilers/openjdk/fix-library-path-jdk11.patch b/pkgs/development/compilers/openjdk/fix-library-path-jdk11.patch index 21263dd68926..ce30edb7f1d9 100644 --- a/pkgs/development/compilers/openjdk/fix-library-path-jdk11.patch +++ b/pkgs/development/compilers/openjdk/fix-library-path-jdk11.patch @@ -1,16 +1,31 @@ +From 83f97773ea99fe2191a49e551ea43d51c9a765cd Mon Sep 17 00:00:00 2001 +Subject: [PATCH] strip some hard-coded default paths for libs and extensions + +--- + src/hotspot/os/linux/os_linux.cpp | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp -index 0dbe03349e..847d56778d 100644 +index 476b1c2175..2695ed2301 100644 --- a/src/hotspot/os/linux/os_linux.cpp 
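Review bot: The workaround comment above `NIX_CFLAGS_COMPILE = "-Wformat";` quotes the compiler error but does not say where `-Wformat-security` is injected or why `-Wformat` was added instead of switching the check off. Judging from the `-Werror=format-security` in the quoted message this looks like the stdenv `format` hardening (an inference, the hunk does not show it); if so, extend the comment, e.g. `# -Wformat-security comes from the "format" hardening flag; add -Wformat so the check stays enforced rather than disabled`. The same hunk drops the blanket `-Wno-error` in favour of the configure switch `--disable-warnings-as-errors`, so a short note that one is meant to replace the other would keep a later cleanup from reintroducing `-Wno-error`. The enclosing `mkDerivation` block starts and ends outside the hunk.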
+++ b/src/hotspot/os/linux/os_linux.cpp -@@ -326,13 +326,13 @@ void os::init_system_properties_values() { +@@ -417,20 +417,20 @@ void os::init_system_properties_values() { // ... // 7: The default directories, normally /lib and /usr/lib. #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390) - #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib" ++ #define DEFAULT_LIBPATH "" + #else + #if defined(AARCH64) + // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems + // might not adhere to the FHS and it would be a change in behaviour if we used + // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths. +- #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64" + #define DEFAULT_LIBPATH "" #else - #define DEFAULT_LIBPATH "/lib:/usr/lib" + #define DEFAULT_LIBPATH "" + #endif // AARCH64 #endif // Base path of extensions installed on the system. @@ -19,7 +34,7 @@ index 0dbe03349e..847d56778d 100644 #define EXTENSIONS_DIR "/lib/ext" // Buffer that fits several sprintfs. -@@ -392,13 +392,13 @@ void os::init_system_properties_values() { +@@ -490,13 +490,13 @@ void os::init_system_properties_values() { strlen(v) + 1 + sizeof(SYS_EXT_DIR) + sizeof("/lib/") + sizeof(DEFAULT_LIBPATH) + 1, mtInternal); @@ -35,3 +50,6 @@ index 0dbe03349e..847d56778d 100644 Arguments::set_ext_dirs(buf); FREE_C_HEAP_ARRAY(char, buf); +-- +2.35.1 + From aca95cc45983012212129c8ba824479a7b149ded Mon Sep 17 00:00:00 2001 From: Wanja Hentze Date: Thu, 21 Apr 2022 15:30:59 +0200 Subject: [PATCH 2/2] openjdk: 17.0.1+12 -> 17.0.3.+7 Fixes several security vulnerabilities, see https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19 --- pkgs/development/compilers/openjdk/17.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/compilers/openjdk/17.nix b/pkgs/development/compilers/openjdk/17.nix index 757fe8f101ed..de12711894f7 100644 
--- a/pkgs/development/compilers/openjdk/17.nix +++ b/pkgs/development/compilers/openjdk/17.nix @@ -11,8 +11,8 @@ let version = { feature = "17"; - interim = ".0.1"; - build = "12"; + interim = ".0.3"; + build = "7"; }; openjdk = stdenv.mkDerivation { @@ -23,7 +23,7 @@ let owner = "openjdk"; repo = "jdk${version.feature}u"; rev = "jdk-${version.feature}${version.interim}+${version.build}"; - sha256 = "1l1jgbz8q7zq66npfg88r0l5xga427vrz35iys09j44b6qllrldd"; + sha256 = "qxiKz8HCNZXFdfgfiA16q5z0S65cZE/u7e+QxLlplWo="; }; nativeBuildInputs = [ pkg-config autoconf unzip ];