This provides a fix for the security vulnerability reported in
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876

The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
7, and 8, and Oracle Java JDK, does not securely create temporary files when a
log file cannot be opened, which allows local users to overwrite arbitrary
files via a symlink attack on /tmp/unpack.log.

Rather than trying to open a /tmp/unpack.log file, this fix comments
out that segment and goes to the fallback options which include
redirecting error to /dev/null, or failing that, redirecting to stderr.

Upstream-Status: Pending

Signed-off-by: Amy Fong <amy.fong@windriver.com>

Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
===================================================================
--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -4757,6 +4757,15 @@
return;
} else {
char log_file_name[PATH_MAX+100];
+#if 0
+/*
+The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+log file cannot be opened, which allows local users to overwrite arbitrary
+files via a symlink attack on /tmp/unpack.log.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+*/
char tmpdir[PATH_MAX];
#ifdef WIN32
int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
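Review bot: the `#if 0` opens above `char tmpdir[PATH_MAX];` and the `#ifdef WIN32` line, so the Windows `GetTempPath` branch is compiled out together with the POSIX one, while the advisory text quoted in the comment only concerns `/tmp/unpack.log`. If disabling the fallback on Windows is intended, say so in the commit message; otherwise narrow the guard to the non-Windows path. Disabling with `#if 0` also leaves the predictable-name temp-file code in the tree where a later cleanup can re-enable it; deleting the segment, or replacing it with an exclusive, no-follow create of a uniquely named file, would make the fix harder to undo by accident. The CVE explanation is also placed inside the disabled region, so a reader looking at the active code sees only a bare `#if 0`; move the comment above the directive.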
@@ -4781,6 +4790,7 @@
log_file = errstrm_name = saveStr(log_file_name);
return ;
}
+#endif
#ifndef WIN32
sprintf(log_file_name, "/dev/null");
// On windows most likely it will fail.
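Review bot: with the temp-file branch closed off by this `#endif`, a log file that cannot be opened now falls straight through to `sprintf(log_file_name, "/dev/null");` on non-Windows builds, so the unpacker's error output is silently discarded there, and stderr is only reached if that open fails too, as the commit message describes. Consider trying stderr first or emitting a one-line notice before redirecting, so a failed log open stays visible to the operator. As a style point, the `#endif` sits roughly thirty lines below its `#if 0` with a nested `#ifdef WIN32` in between; a trailing comment such as `#endif /* CVE-2014-1876: temp log fallback disabled */` would make the pairing clear.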