openjdk: fix CVE-2014-1876

Rather than creating /tmp/unpack.log and insecure permissions, if unpack cannot create teh specified log file, it defaults to writing to /dev/null, failing that, stderr. (These are the default options if it cannot write to /tmp/unpack.log) Signed-off-by: Amy Fong <amy.fong@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
author: Amy Fong <amy.fong@windriver.com> 2015-04-16 14:48:46 -0400
committer: Otavio Salvador <otavio@ossystems.com.br> 2016-01-04 09:21:06 -0200
commit: bf1362e05be0fccbcccb8d55291b8a5cf42c0f30 (patch)
tree: 7fb07fdd12f21bf72f46eb413bce41d315974649
parent: e3ac9836ab585c0b4134c7c0857cc275c403ad32 (diff)
download: meta-java-bf1362e05be0fccbcccb8d55291b8a5cf42c0f30.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
new file mode 100644
index 0000000..d0717c4
--- /dev/null
+++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,44 @@
+This provides a fix for the security vulnerability reported in
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+    The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+    7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+    log file cannot be opened, which allows local users to overwrite arbitrary
+    files via a symlink attack on /tmp/unpack.log.
+Rather than trying to open a /tmp/unpack.log file, this fix comments
+out that segment and goes to the fallback options which include
+redirecting error to /dev/null, or failing that, redirecting to stderr.
+Upstream-Status: Pending
+Signed-off-by: Amy Fong <amy.fong@windriver.com>
+Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+===================================================================
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -4757,6 +4757,15 @@
+     return;
+   } else {
+     char log_file_name[PATH_MAX+100];
+#if 0
+/*
+The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+log file cannot be opened, which allows local users to overwrite arbitrary
+files via a symlink attack on /tmp/unpack.log.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+*/
+     char tmpdir[PATH_MAX];
+ #ifdef WIN32
+     int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
+@@ -4781,6 +4790,7 @@
+       log_file = errstrm_name = saveStr(log_file_name);
+       return ;
+     }
+#endif
+ #ifndef WIN32
+     sprintf(log_file_name, "/dev/null");
+     // On windows most likely it will fail.
diff --git a/recipes-core/icedtea/openjdk-7-release-03b147.inc b/recipes-core/icedtea/openjdk-7-release-03b147.inc
index dbdc045..83b087c 100644
--- a/recipes-core/icedtea/openjdk-7-release-03b147.inc
+++ b/recipes-core/icedtea/openjdk-7-release-03b147.inc
@@ -86,6 +86,7 @@ OPENJDK_PATCHES = " \
        file://icedtea-disable-sun.applet-for-tools-in-headless.patch;apply=no \
        file://icedtea-hotspot-fix-undefined-behaviour.patch;apply=no \
        file://icedtea-x11_extension_cleanup.patch;apply=no \
+        file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
        "
 OPENJDK_HEADLESS_PATCHES = " \
@@ -106,5 +107,6 @@ export DISTRIBUTION_PATCHES = " \
        patches/icedtea-change-to-gdb-debug-format.patch \
        patches/icedtea-hotspot-fix-undefined-behaviour.patch \
        patches/icedtea-x11_extension_cleanup.patch \
+        patches/icedtea-CVE-2014-1876-unpack.patch \
        ${CLEAN_X11_DISTRIBUTION_PATCH} \
        "
author	Amy Fong <amy.fong@windriver.com>	2015-04-16 14:48:46 -0400
committer	Otavio Salvador <otavio@ossystems.com.br>	2016-01-04 09:21:06 -0200
commit	bf1362e05be0fccbcccb8d55291b8a5cf42c0f30 (patch)
tree	7fb07fdd12f21bf72f46eb413bce41d315974649
parent	e3ac9836ab585c0b4134c7c0857cc275c403ad32 (diff)
download	meta-java-bf1362e05be0fccbcccb8d55291b8a5cf42c0f30.tar.gz

diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch new file mode 100644 index 0000000..d0717c4 --- /dev/null +++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,44 @@
		1	This provides a fix for the security vulnerability reported in
		2	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
		3
		4	The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
		5	7, and 8, and Oracle Java JDK, does not securely create temporary files when a
		6	log file cannot be opened, which allows local users to overwrite arbitrary
		7	files via a symlink attack on /tmp/unpack.log.
		8
		9	Rather than trying to open a /tmp/unpack.log file, this fix comments
		10	out that segment and goes to the fallback options which include
		11	redirecting error to /dev/null, or failing that, redirecting to stderr.
		12
		13	Upstream-Status: Pending
		14
		15	Signed-off-by: Amy Fong <amy.fong@windriver.com>
		16
		17	Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
		18	===================================================================
		19	--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
		20	+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
		21	@@ -4757,6 +4757,15 @@
		22	return;
		23	} else {
		24	char log_file_name[PATH_MAX+100];
		25	+#if 0
		26	+/*
		27	+The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
		28	+7, and 8, and Oracle Java JDK, does not securely create temporary files when a
		29	+log file cannot be opened, which allows local users to overwrite arbitrary
		30	+files via a symlink attack on /tmp/unpack.log.
		31	+
		32	+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
		33	+*/
		34	char tmpdir[PATH_MAX];
		35	#ifdef WIN32
		36	int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
		37	@@ -4781,6 +4790,7 @@
		38	log_file = errstrm_name = saveStr(log_file_name);
		39	return ;
		40	}
		41	+#endif
		42	#ifndef WIN32
		43	sprintf(log_file_name, "/dev/null");
		44	// On windows most likely it will fail.


diff --git a/recipes-core/icedtea/openjdk-7-release-03b147.inc b/recipes-core/icedtea/openjdk-7-release-03b147.inc index dbdc045..83b087c 100644 --- a/recipes-core/icedtea/openjdk-7-release-03b147.inc +++ b/recipes-core/icedtea/openjdk-7-release-03b147.inc
@@ -86,6 +86,7 @@ OPENJDK_PATCHES = " \
86	file://icedtea-disable-sun.applet-for-tools-in-headless.patch;apply=no \	86	file://icedtea-disable-sun.applet-for-tools-in-headless.patch;apply=no \
87	file://icedtea-hotspot-fix-undefined-behaviour.patch;apply=no \	87	file://icedtea-hotspot-fix-undefined-behaviour.patch;apply=no \
88	file://icedtea-x11_extension_cleanup.patch;apply=no \	88	file://icedtea-x11_extension_cleanup.patch;apply=no \
		89	file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
89	"	90	"
90		91
91	OPENJDK_HEADLESS_PATCHES = " \	92	OPENJDK_HEADLESS_PATCHES = " \
@@ -106,5 +107,6 @@ export DISTRIBUTION_PATCHES = " \
106	patches/icedtea-change-to-gdb-debug-format.patch \	107	patches/icedtea-change-to-gdb-debug-format.patch \
107	patches/icedtea-hotspot-fix-undefined-behaviour.patch \	108	patches/icedtea-hotspot-fix-undefined-behaviour.patch \
108	patches/icedtea-x11_extension_cleanup.patch \	109	patches/icedtea-x11_extension_cleanup.patch \
		110	patches/icedtea-CVE-2014-1876-unpack.patch \
109	${CLEAN_X11_DISTRIBUTION_PATCH} \	111	${CLEAN_X11_DISTRIBUTION_PATCH} \
110	"	112	"