oss-sec mailing list archives
Re: CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java)
From: cve-assign () mitre org
Date: Fri, 7 Feb 2014 19:52:46 -0500 (EST)
I'm not sure if this affects IBM's JDK, but it seems to affect Oracle's (based on a quick test on my mac). The unpack200 program included in OpenJDK did not handle the logfile properly. If the log file was unable to be opened, it would create /tmp/unpack.log instead as the fallback, but do so in an insecure manner, as shown in unpack.cpp (the below is from OpenJDK 6):

    void unpacker::redirect_stdio() {
    ...
      sprintf(log_file_name, "/tmp/unpack.log");
      if ((errstrm = fopen(log_file_name, "a+")) != NULL) {

The same exists in OpenJDK 7 and 8. This could allow a malicious local attacker to conduct local attacks, such as symlink attacks, where a file could be overwritten if the user running unpack200 had write permissions.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737562
https://bugzilla.redhat.com/show_bug.cgi?id=1060907

Use CVE-2014-1876.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

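The message above describes fopen(log_file_name, "a+") on the fixed path /tmp/unpack.log, which follows a symlink placed there by another local user. The following is an added example, not OpenJDK code and not the upstream fix: two safer ways to open such a fallback log in C, plus a constructed symlink scenario in a private directory showing the open being refused. All function names are hypothetical, and the ELOOP check assumes Linux behaviour.

```c
/* Added example, not OpenJDK code; function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed path, but refuse symlinks, hard links and files owned by others. */
FILE *open_log_nofollow(const char *path) {
    /* O_NONBLOCK: a FIFO planted at the path fails with ENXIO, no hang. */
    int fl = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK;
    int fd = open(path, fl, 0600);
    if (fd < 0)
        return NULL;   /* ELOOP on Linux when the last component is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    return fdopen(fd, "a");
}

/* Unpredictable name, created atomically with mode 0600. */
FILE *open_log_unique(char *tmpl) {   /* tmpl must end in "XXXXXX" */
    int fd = mkstemp(tmpl);
    return fd < 0 ? NULL : fdopen(fd, "a");
}

/* Constructed scenario in a private directory: unpack.log is a symlink to
 * victim. Returns 1 if refused and victim unchanged, 0 if not, -1 on setup. */
int symlink_is_refused(void) {
    char dir[] = "/tmp/unpack-demo-XXXXXX", victim[64], logp[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/unpack.log", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("data\n", v) < 0 || fclose(v) != 0) return -1;
    if (symlink(victim, logp) != 0) return -1;
    FILE *log = open_log_nofollow(logp);
    int refused = (log == NULL && errno == ELOOP);
    if (log) fclose(log);
    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == 5);
    unlink(logp); unlink(victim); rmdir(dir);
    return refused && intact;
}
int main(void) { printf("symlink refused: %d\n", symlink_is_refused()); return 0; }
```

The fstat() checks run on the already-open descriptor, so they cannot be raced by swapping the path after the check.
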
Current thread:
- CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java) Vincent Danen (Feb 03)
- Re: CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java) cve-assign (Feb 04)
- Re: CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java) cve-assign (Feb 07)