To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unpack200: insecure use of /tmp
Date: Mon, 3 Feb 2014 20:40:42 +0100
Package: openjdk-7-jre-headless
Version: 7u51-2.4.5-1
Tags: security
If unpack200 cannot open logfile, it creates a file in /tmp in an
insecure way:
$ strace -o '| grep /tmp' unpack200 --log-file=/cannot/open test.pack.gz test.jar
open("/tmp/unpack.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 3
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openjdk-7-jre-headless:i386 depends on:
ii ca-certificates-java 20130815
ii java-common 0.51
ii libc6 2.18-0experimental1
ii libcups2 1.7.1-3
ii libfontconfig1 2.11.0-2
ii libfreetype6 2.5.2-1
ii libgcc1 1:4.9-20140122-1
ii libglib2.0-0 2.36.4-1
ii libjpeg8 8d-2
ii libkrb5-3 1.12+dfsg-2
ii liblcms2-2 2.2+git20110628-2.3+b1
ii libnss3 2:3.15.3.1-1.1
ii libpcsclite1 1.8.10-1
ii libstdc++6 4.9-20140122-1
ii multiarch-support 2.18-0experimental1
ii tzdata-java 2013i-1
ii zlib1g 1:1.2.8.dfsg-1
--
Jakub Wilk
Changed Bug title to 'unpack200: CVE-2014-1876: insecure use of /tmp' from 'unpack200: insecure use of /tmp'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 08 Feb 2014 07:39:05 GMT) (full text, mbox, link).
Reply sent
to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.
(Mon, 12 May 2014 14:54:18 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Mon, 12 May 2014 14:54:18 GMT) (full text, mbox, link).
Version: 7u55-2.4.7-1
On Mon, Feb 03, 2014 at 08:40:42PM +0100, Jakub Wilk wrote:
> Package: openjdk-7-jre-headless
> Version: 7u51-2.4.5-1
> Tags: security
>
> If unpack200 cannot open logfile, it creates a file in /tmp in an
> insecure way:
>
> $ strace -o '| grep /tmp' unpack200 --log-file=/cannot/open test.pack.gz test.jar
> open("/tmp/unpack.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 3
This was fixed in the latest OpenJDK security update round.
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 10 Jun 2014 07:31:18 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.