diff -u openjdk-6-6b16-1.6~pre1/debian/changelog openjdk-6-6b16-1.6~pre1/debian/changelog --- openjdk-6-6b16-1.6~pre1/debian/changelog +++ openjdk-6-6b16-1.6~pre1/debian/changelog @@ -1,3 +1,14 @@ +openjdk-6 (6b16-1.6~pre1-0ubuntu2) karmic; urgency=low + + * debian/rules: re-enable fortification and stack protector + (LP: #330713). + * Add debian/patches/gcc-hotspot-stack-markings.diff: set non-exec + stack marking to linux_x86_{32,64}.s (LP: #409736). + * Add debian/patches/openjdk-debugger-socket-overflow.diff: fix + debugging message overflow (LP: #419018). + + -- Kees Cook Tue, 25 Aug 2009 21:33:40 -0700 + openjdk-6 (6b16-1.6~pre1-0ubuntu1) karmic; urgency=low * Test build (icedtea6-1.6 release branch). diff -u openjdk-6-6b16-1.6~pre1/debian/rules openjdk-6-6b16-1.6~pre1/debian/rules --- openjdk-6-6b16-1.6~pre1/debian/rules +++ openjdk-6-6b16-1.6~pre1/debian/rules @@ -174,14 +174,11 @@ endif ifeq ($(with_hotspot),original) -# $(if $(filter $(distribution),Ubuntu),debian/patches/gcc-no-stack-protector-original.diff) \ DISTRIBUTION_PATCHES = \ debian/patches/ld-symbolic-functions-original.diff \ debian/patches/set-exec-name-original.diff else -# FIXME: doesn't seem to be enough, the gcc-*-no-stack-protector patches below are needed. -# $(if $(filter $(distribution),Ubuntu),debian/patches/gcc-no-stack-protector.diff) \ DISTRIBUTION_PATCHES = \ debian/patches/ld-symbolic-functions.diff \ @@ -201,6 +198,8 @@ debian/patches/java-access-bridge-security.patch \ debian/patches/accessible-toolkit.patch \ debian/patches/default-libpath.diff \ + debian/patches/gcc-hotspot-stack-markings.diff \ + debian/patches/openjdk-debugger-socket-overflow.diff \ # debian/patches/gcc-mtune-generic.diff \ 
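Review bot: The two entries added in the second debian/rules hunk (`gcc-hotspot-stack-markings.diff` and `openjdk-debugger-socket-overflow.diff`) sit directly above `# debian/patches/gcc-mtune-generic.diff \`, which is inside the same backslash-continued DISTRIBUTION_PATCHES assignment. GNU make treats everything from that `#` to the end of the logical line as a comment, so the new security patches are applied only because they are above it; an entry appended below it later would be dropped without any error. I would add a comment ahead of the assignment, for example `# NOTE: entries listed after the commented-out gcc-mtune-generic line are ignored by make`, or move the disabled entry out of the list. The assignment starts and ends outside the hunk, so whether anything currently follows the comment cannot be checked from here.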
@@ -213,14 +211,7 @@ ifeq ($(distribution),Ubuntu) DISTRIBUTION_PATCHES += \ debian/patches/openjdk-ubuntu-branding.patch \ - debian/patches/gcc-jdk-no-stack-protector.diff - ifeq ($(with_hotspot),original) - DISTRIBUTION_PATCHES += \ - debian/patches/gcc-hotspot-no-stack-protector-original.diff - else - DISTRIBUTION_PATCHES += \ - debian/patches/gcc-hotspot-no-stack-protector.diff - endif + endif export DISTRIBUTION_PATCHES reverted: --- openjdk-6-6b16-1.6~pre1/debian/patches/gcc-no-stack-protector-original.diff +++ openjdk-6-6b16-1.6~pre1.orig/debian/patches/gcc-no-stack-protector-original.diff 
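Review bot: In the last debian/rules hunk, `debian/patches/openjdk-ubuntu-branding.patch \` keeps its trailing backslash although the entry after it is removed, and the single added line appears to be an empty line whose only job is to end the continuation. That parses, but the list now ends on a dangling `\`, and deleting the blank line later would join `endif` onto the assignment. I would drop the backslash instead, leaving `debian/patches/openjdk-ubuntu-branding.patch` as the last entry. Separately, with the `-fno-stack-protector -U_FORTIFY_SOURCE` patches gone and no hardening flag set in the visible lines, the protection presumably comes from the compiler defaults alone, so a post-build check on the shipped libraries (for example looking for `__stack_chk_fail` and `*_chk` symbols with `readelf -s`) would make a silent regression visible.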
@@ -1,32 +0,0 @@
---- openjdk/hotspot/build/linux/makefiles/gcc.make~ 2007-11-24 14:49:38.366274732 +0100
-+++ openjdk/hotspot/build/linux/makefiles/gcc.make 2007-11-24 15:00:51.616430558 +0100
-@@ -62,6 +62,7 @@
- CFLAGS += -fno-exceptions
- CFLAGS += -D_REENTRANT
- CFLAGS += -fcheck-new
-+CFLAGS += -fno-stack-protector -U_FORTIFY_SOURCE
-
- # Always generate full debuginfo on Linux. It'll be in a separate
- # debuginfo package when building RPMs.
---- openjdk/corba/make/common/Defs-linux.gmk~ 2008-03-28 20:11:54.075568406 +0100
-+++ openjdk/corba/make/common/Defs-linux.gmk 2008-03-28 20:13:51.537340290 +0100
-@@ -107,6 +107,8 @@
- LDFLAGS_COMMON += $(LDFLAGS_COMMON_$(ARCH))
- endif
-
-+CFLAGS_REQUIRED += -fno-stack-protector -U_FORTIFY_SOURCE
-+
- # Add in platform specific optimizations for all opt levels
- CC_HIGHEST_OPT += $(_OPT_$(ARCH))
- CC_HIGHER_OPT += $(_OPT_$(ARCH))
---- openjdk/jdk/make/common/Defs-linux.gmk~ 2008-03-28 20:11:54.095568707 +0100
-+++ openjdk/jdk/make/common/Defs-linux.gmk 2008-03-28 20:14:15.037694787 +0100
-@@ -117,6 +117,8 @@
- LDFLAGS_COMMON += $(LDFLAGS_COMMON_$(ARCH))
- endif
-
-+CFLAGS_REQUIRED += -fno-stack-protector -U_FORTIFY_SOURCE
-+
- # Add in platform specific optimizations for all opt levels
- CC_HIGHEST_OPT += $(_OPT_$(ARCH))
- CC_HIGHER_OPT += $(_OPT_$(ARCH))
reverted:
--- openjdk-6-6b16-1.6~pre1/debian/patches/gcc-hotspot-no-stack-protector.diff
+++ openjdk-6-6b16-1.6~pre1.orig/debian/patches/gcc-hotspot-no-stack-protector.diff
@@ -1,11 +0,0 @@
---- openjdk/hotspot/make/linux/makefiles/gcc.make~ 2007-11-29 12:38:22.578339247 +0100
-+++ openjdk/hotspot/make/linux/makefiles/gcc.make 2007-11-29 12:42:28.742052571 +0100
-@@ -103,7 +103,7 @@
- CFLAGS_WARN/BYFILE = $(CFLAGS_WARN/$@)$(CFLAGS_WARN/DEFAULT$(CFLAGS_WARN/$@))
-
- # The flags to use for an Optimized g++ build
--OPT_CFLAGS += -O3
-+OPT_CFLAGS += -O3 -fno-stack-protector -U_FORTIFY_SOURCE
-
- # Hotspot uses very unstrict aliasing turn this optimization off
- OPT_CFLAGS += -fno-strict-aliasing
reverted:
--- openjdk-6-6b16-1.6~pre1/debian/patches/gcc-hotspot-no-stack-protector-original.diff
+++ openjdk-6-6b16-1.6~pre1.orig/debian/patches/gcc-hotspot-no-stack-protector-original.diff
@@ -1,11 +0,0 @@
---- openjdk/hotspot/build/linux/makefiles/gcc.make~ 2007-11-29 12:38:22.578339247 +0100
-+++ openjdk/hotspot/build/linux/makefiles/gcc.make 2007-11-29 12:42:28.742052571 +0100
-@@ -103,7 +103,7 @@
- CFLAGS_WARN/BYFILE = $(CFLAGS_WARN/$@)$(CFLAGS_WARN/DEFAULT$(CFLAGS_WARN/$@))
-
- # The flags to use for an Optimized g++ build
--OPT_CFLAGS += -O3
-+OPT_CFLAGS += -O3 -fno-stack-protector -U_FORTIFY_SOURCE
-
- # Hotspot uses very unstrict aliasing turn this optimization off
- OPT_CFLAGS += -fno-strict-aliasing
reverted:
--- openjdk-6-6b16-1.6~pre1/debian/patches/gcc-jdk-no-stack-protector.diff
+++ openjdk-6-6b16-1.6~pre1.orig/debian/patches/gcc-jdk-no-stack-protector.diff
@@ -1,15 +0,0 @@
---- openjdk/jdk/make/common/Defs-linux.gmk~ 2009-01-15 21:41:19.000000000 +0100
-+++ openjdk/jdk/make/common/Defs-linux.gmk 2009-01-17 14:32:08.000000000 +0100
-@@ -86,9 +86,9 @@
- #
- # Default optimization
- #
--CC_HIGHEST_OPT = -O3
--CC_HIGHER_OPT = -O3
--CC_LOWER_OPT = -O2
-+CC_HIGHEST_OPT = -O3 -fno-stack-protector -U_FORTIFY_SOURCE
-+CC_HIGHER_OPT = -O3 -fno-stack-protector -U_FORTIFY_SOURCE
-+CC_LOWER_OPT = -O2 -fno-stack-protector -U_FORTIFY_SOURCE
- CC_NO_OPT =
-
- ifeq ($(PRODUCT), java)
reverted:
--- openjdk-6-6b16-1.6~pre1/debian/patches/gcc-no-stack-protector.diff
+++ openjdk-6-6b16-1.6~pre1.orig/debian/patches/gcc-no-stack-protector.diff
@@ -1,32 +0,0 @@
---- openjdk/hotspot/make/linux/makefiles/gcc.make.orig 2008-12-02 14:56:38.000000000 +0100
-+++ openjdk/hotspot/make/linux/makefiles/gcc.make 2008-12-02 14:58:56.000000000 +0100
-@@ -67,6 +67,7 @@
- CFLAGS += -fno-exceptions
- CFLAGS += -D_REENTRANT
- CFLAGS += -fcheck-new
-+CFLAGS += -fno-stack-protector -U_FORTIFY_SOURCE
-
- # Always generate full debuginfo on Linux. It'll be in a separate
- # debuginfo package when building RPMs.
---- openjdk/corba/make/common/Defs-linux.gmk~ 2008-03-28 20:11:54.075568406 +0100
-+++ openjdk/corba/make/common/Defs-linux.gmk 2008-03-28 20:13:51.537340290 +0100
-@@ -107,6 +107,8 @@
- LDFLAGS_COMMON += $(LDFLAGS_COMMON_$(ARCH))
- endif
-
-+CFLAGS_REQUIRED += -fno-stack-protector -U_FORTIFY_SOURCE
-+
- # Add in platform specific optimizations for all opt levels
- CC_HIGHEST_OPT += $(_OPT_$(ARCH))
- CC_HIGHER_OPT += $(_OPT_$(ARCH))
---- openjdk/jdk/make/common/Defs-linux.gmk~ 2008-03-28 20:11:54.095568707 +0100
-+++ openjdk/jdk/make/common/Defs-linux.gmk 2008-03-28 20:14:15.037694787 +0100
-@@ -117,6 +117,8 @@
- LDFLAGS_COMMON += $(LDFLAGS_COMMON_$(ARCH))
- endif
-
-+CFLAGS_REQUIRED += -fno-stack-protector -U_FORTIFY_SOURCE
-+
- # Add in platform specific optimizations for all opt levels
- CC_HIGHEST_OPT += $(_OPT_$(ARCH))
- CC_HIGHER_OPT += $(_OPT_$(ARCH))
only in patch2:
unchanged:
--- openjdk-6-6b16-1.6~pre1.orig/debian/patches/openjdk-debugger-socket-overflow.diff
+++ openjdk-6-6b16-1.6~pre1/debian/patches/openjdk-debugger-socket-overflow.diff
@@ -0,0 +1,17 @@
+Description: buffer not large enough for maximum size of debugger warning.
+ (Largest error could be 73 bytes long: "handshake failed - received >Here's
+ a poke < - excepted >JDWP-Handshake<")
+Ubuntu: https://launchpad.net/bugs/419018
+Upstream: https://bugs.openjdk.java.net/show_bug.cgi?id=100103
+
+--- openjdk/jdk/src/share/transport/socket/socketTransport.c~ 2009-08-25 21:19:38.000000000 -0700
++++ openjdk/jdk/src/share/transport/socket/socketTransport.c 2009-08-25 21:19:55.000000000 -0700
+@@ -168,7 +168,7 @@ handshake(int fd, jlong timeout) {
+ }
+ for (i=0; i<(int)strlen(hello); i++) {
+ if (b[i] != hello[i]) {
+- char msg[64];
++ char msg[80];
+ strcpy(msg, "handshake failed - received >");
+ strncat(msg, b, strlen(hello));
+ strcat(msg, "< - excepted >");
only in patch2:
unchanged:
--- openjdk-6-6b16-1.6~pre1.orig/debian/patches/gcc-hotspot-stack-markings.diff
+++ openjdk-6-6b16-1.6~pre1/debian/patches/gcc-hotspot-stack-markings.diff
@@ -0,0 +1,17 @@
+Description: mark assembly as not needing an executable stack.
+Ubuntu: https://launchpad.net/bugs/409736
+
+--- openjdk/hotspot/src/os_cpu/linux_x86/vm/linux_x86_32.s~ 2009-08-06 01:08:57.000000000 -0700
++++ openjdk/hotspot/src/os_cpu/linux_x86/vm/linux_x86_32.s 2009-08-06 01:09:27.000000000 -0700
+@@ -650,3 +650,4 @@ _Atomic_cmpxchg_long:
+ popl %ebx
+ ret
+
++.section .note.GNU-stack, "", @progbits
+--- openjdk/hotspot/src/os_cpu/linux_x86/vm/linux_x86_64.s~ 2009-08-06 01:08:57.000000000 -0700
++++ openjdk/hotspot/src/os_cpu/linux_x86/vm/linux_x86_64.s 2009-08-06 01:09:27.000000000 -0700
+@@ -400,3 +400,4 @@ _Atomic_cmpxchg_long:
+ addq $4,%rdx
+ jg 4b
+ ret
++.section .note.GNU-stack, "", @progbits
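Review bot: Growing `msg` from 64 to 80 bytes in handshake() covers the 73-byte worst case given in the patch description, but the message is still assembled with `strcpy`/`strncat`/`strcat`, so the bound is enforced only by arithmetic done by hand and breaks again if either string changes. The bytes in `b` appear to be what the peer sent, which makes this a place where a size-checked write is worth having. Where the compilers used for this shared file provide it, I would build the message in one bounded call, `snprintf(msg, sizeof(msg), "handshake failed - received >%.*s< - excepted >%s<", (int)strlen(hello), b, hello);`, in place of the copy-and-concatenate sequence. The rest of that sequence and the end of handshake() are outside the hunk, so the tail of the format string is inferred from the description.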
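Review bot: The `.section .note.GNU-stack, "", @progbits` marker in gcc-hotspot-stack-markings.diff is added by hand to linux_x86_32.s and linux_x86_64.s only, and nothing in the patch verifies the linked result. Any other assembly object without the note that is linked into the same library would bring the executable-stack request back. I would add a post-build check that the `GNU_STACK` program header of the built libraries is `RW` rather than `RWE` (visible with `readelf -lW`), and a one-line comment above each directive such as `# mark the stack as non-executable`. In the 64-bit file the directive follows `ret` without the blank line used in the 32-bit file; harmless, but worth keeping consistent.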