This provides a fix for the security vulnerability reported in http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876 The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, 7, and 8, and Oracle Java JDK, does not securely create temporary files when a log file cannot be opened, which allows local users to overwrite arbitrary files via a symlink attack on /tmp/unpack.log. Rather than trying to open a /tmp/unpack.log file, this fix comments out that segment and goes to the fallback options which include redirecting error to /dev/null, or failing that, redirecting to stderr. Upstream-Status: Pending Signed-off-by: Amy Fong Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp =================================================================== --- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp +++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp @@ -4757,6 +4757,15 @@ return; } else { char log_file_name[PATH_MAX+100]; +#if 0 +/* +The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, +7, and 8, and Oracle Java JDK, does not securely create temporary files when a +log file cannot be opened, which allows local users to overwrite arbitrary +files via a symlink attack on /tmp/unpack.log. + +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876 +*/ char tmpdir[PATH_MAX]; #ifdef WIN32 int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\' @@ -4781,6 +4790,7 @@ log_file = errstrm_name = saveStr(log_file_name); return ; } +#endif #ifndef WIN32 sprintf(log_file_name, "/dev/null"); // On windows most likely it will fail.
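Review bot: In the first hunk (@@ -4757), the `#if 0` opens ahead of the `#ifdef WIN32` / `GetTempPath(PATH_MAX,tmpdir)` lines, so the Windows temporary-directory fallback is compiled out as well, while the commit message only describes the symlink problem on /tmp/unpack.log. The remaining fallback visible in the patch, `sprintf(log_file_name, "/dev/null");`, sits under `#ifndef WIN32`, so Windows builds appear to be left with the stderr path only. Either state in the commit message that this is intended, or narrow the disabled region to the non-Windows branch. The CVE explanation would also read better as a comment placed above the `#if 0` rather than inside the disabled block, so that it is clearly the reason the code is switched off.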
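Review bot: In the second hunk (@@ -4781), the added `#endif` is bare and is followed immediately by `#ifndef WIN32`, while the region it closes already contains a nested `#ifdef WIN32`, so it is hard to see which conditional it terminates. Annotate it, for example `#endif /* 0: CVE-2014-1876 */`. Deleting the disabled block outright instead of keeping it under `#if 0` would also remove the chance of someone re-enabling the fixed-name temporary log file by accident.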