1 files changed, 44 insertions, 0 deletions
diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
new file mode 100644
index 0000000..d0717c4
--- /dev/null
+++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,44 @@
+This provides a fix for the security vulnerability reported in
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+    The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+    7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+    log file cannot be opened, which allows local users to overwrite arbitrary
+    files via a symlink attack on /tmp/unpack.log.
+Rather than trying to open a /tmp/unpack.log file, this fix comments
+out that segment and goes to the fallback options which include
+redirecting error to /dev/null, or failing that, redirecting to stderr.
+Upstream-Status: Pending
+Signed-off-by: Amy Fong <amy.fong@windriver.com>
+Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+===================================================================
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -4757,6 +4757,15 @@
+     return;
+   } else {
+     char log_file_name[PATH_MAX+100];
+#if 0
+/*
+The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+log file cannot be opened, which allows local users to overwrite arbitrary
+files via a symlink attack on /tmp/unpack.log.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+*/
+     char tmpdir[PATH_MAX];
+ #ifdef WIN32
+     int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
+@@ -4781,6 +4790,7 @@
+       log_file = errstrm_name = saveStr(log_file_name);
+       return ;
+     }
+#endif
+ #ifndef WIN32
+     sprintf(log_file_name, "/dev/null");
+     // On windows most likely it will fail.

diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch new file mode 100644 index 0000000..d0717c4 --- /dev/null +++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,44 @@
	1	This provides a fix for the security vulnerability reported in
	2	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
	3
	4	The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
	5	7, and 8, and Oracle Java JDK, does not securely create temporary files when a
	6	log file cannot be opened, which allows local users to overwrite arbitrary
	7	files via a symlink attack on /tmp/unpack.log.
	8
	9	Rather than trying to open a /tmp/unpack.log file, this fix comments
	10	out that segment and goes to the fallback options which include
	11	redirecting error to /dev/null, or failing that, redirecting to stderr.
	12
	13	Upstream-Status: Pending
	14
	15	Signed-off-by: Amy Fong <amy.fong@windriver.com>
	16
	17	Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
	18	===================================================================
	19	--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
	20	+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
	21	@@ -4757,6 +4757,15 @@
	22	return;
	23	} else {
	24	char log_file_name[PATH_MAX+100];
	25	+#if 0
	26	+/*
	27	+The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
	28	+7, and 8, and Oracle Java JDK, does not securely create temporary files when a
	29	+log file cannot be opened, which allows local users to overwrite arbitrary
	30	+files via a symlink attack on /tmp/unpack.log.
	31	+
	32	+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
	33	+*/
	34	char tmpdir[PATH_MAX];
	35	#ifdef WIN32
	36	int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
	37	@@ -4781,6 +4790,7 @@
	38	log_file = errstrm_name = saveStr(log_file_name);
	39	return ;
	40	}
	41	+#endif
	42	#ifndef WIN32
	43	sprintf(log_file_name, "/dev/null");
	44	// On windows most likely it will fail.