From bf1362e05be0fccbcccb8d55291b8a5cf42c0f30 Mon Sep 17 00:00:00 2001
From: Amy Fong
Date: Thu, 16 Apr 2015 14:48:46 -0400
Subject: openjdk: fix CVE-2014-1876
Rather than creating /tmp/unpack.log and insecure permissions, if unpack cannot create teh specified log file, it defaults to writing to /dev/null, failing that, stderr. (These are the default options if it cannot write to /tmp/unpack.log)
Signed-off-by: Amy Fong
Signed-off-by: Jackie Huang
---
 .../icedtea-CVE-2014-1876-unpack.patch | 44 ++++++++++++++++++++++
 recipes-core/icedtea/openjdk-7-release-03b147.inc | 2 +
 2 files changed, 46 insertions(+)
 create mode 100644 recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
new file mode 100644
index 0000000..d0717c4
--- /dev/null
+++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,44 @@
+This provides a fix for the security vulnerability reported in
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+
+ The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+ 7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+ log file cannot be opened, which allows local users to overwrite arbitrary
+ files via a symlink attack on /tmp/unpack.log.
+
+Rather than trying to open a /tmp/unpack.log file, this fix comments
+out that segment and goes to the fallback options which include
+redirecting error to /dev/null, or failing that, redirecting to stderr.
+
+Upstream-Status: Pending
+
+Signed-off-by: Amy Fong
+
+Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+===================================================================
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
++++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -4757,6 +4757,15 @@
+ return;
+ } else {
+ char log_file_name[PATH_MAX+100];
++#if 0
++/*
++The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
++7, and 8, and Oracle Java JDK, does not securely create temporary files when a
++log file cannot be opened, which allows local users to overwrite arbitrary
++files via a symlink attack on /tmp/unpack.log.
++
++http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
++*/
+ char tmpdir[PATH_MAX];
+ #ifdef WIN32
+ int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
+@@ -4781,6 +4790,7 @@
+ log_file = errstrm_name = saveStr(log_file_name);
+ return ;
+ }
++#endif
+ #ifndef WIN32
+ sprintf(log_file_name, "/dev/null");
+ // On windows most likely it will fail.
diff --git a/recipes-core/icedtea/openjdk-7-release-03b147.inc b/recipes-core/icedtea/openjdk-7-release-03b147.inc
index dbdc045..83b087c 100644
--- a/recipes-core/icedtea/openjdk-7-release-03b147.inc
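Review bot: The `#if 0` added after `char log_file_name[PATH_MAX+100];` only compiles the `/tmp/unpack.log` fallback out, so the symlink-prone code stays in unpack.cpp and comes back if the guard is ever dropped in a merge; deleting the block, or replacing it with an exclusively created, unpredictable file (for example `mkstemp()` on POSIX), would remove the predictable path for good. The `#if 0` and its `#endif` sit in two different hunks of the embedded patch, and the lines of `unpacker::redirect_stdio` between them are not visible here, so it is worth confirming that the `#ifdef WIN32` inside the disabled region is closed before the new `#endif`. On non-Windows builds the surviving fallback is `/dev/null`, which means unpack diagnostics are discarded silently whenever the requested log file cannot be opened. Since the header carries `Upstream-Status: Pending`, a `CVE: CVE-2014-1876` tag line next to it would let CVE tracking match the patch.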
+++ b/recipes-core/icedtea/openjdk-7-release-03b147.inc
@@ -86,6 +86,7 @@ OPENJDK_PATCHES = " \
 file://icedtea-disable-sun.applet-for-tools-in-headless.patch;apply=no \
 file://icedtea-hotspot-fix-undefined-behaviour.patch;apply=no \
 file://icedtea-x11_extension_cleanup.patch;apply=no \
+ file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
 "
 
 OPENJDK_HEADLESS_PATCHES = " \
@@ -106,5 +107,6 @@ export DISTRIBUTION_PATCHES = " \
 patches/icedtea-change-to-gdb-debug-format.patch \
 patches/icedtea-hotspot-fix-undefined-behaviour.patch \
 patches/icedtea-x11_extension_cleanup.patch \
+ patches/icedtea-CVE-2014-1876-unpack.patch \
 ${CLEAN_X11_DISTRIBUTION_PATCH} \
 "
--
cgit v1.2.3-54-g00ecf