libhawtjni-runtime-java: /tmp race condition with arbitrary code execution (CVE-2013-2035)

Related Vulnerabilities: CVE-2013-2035  

Debian Bug report logs - #708293


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Tue, 14 May 2013 20:33:01 UTC

Severity: grave

Tags: security

Found in version hawtjni/1.0~+git0c502e20c4-3

Fixed in version hawtjni/1.10-1

Done: Markus Koschany <apo@gambaru.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#708293; Package libhawtjni-runtime-java. (Tue, 14 May 2013 20:33:05 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 14 May 2013 20:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: libhawtjni-runtime-java: /tmp race condition with arbitrary code execution (CVE-2013-2035)
Date: Tue, 14 May 2013 22:14:21 +0200
Package: libhawtjni-runtime-java
Version: 1.0~+git0c502e20c4-3
Tags: security
Severity: important

A /tmp race condition which can be abused by local users to execute
arbitrary code with the privileges of a process using hawtjni has been
fixed:

<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035>
<https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5>

I'm not sure how widely hawtjni is used.  This might be a candidate
for a DSA.  Please prepare an update for stable/wheezy, and we can
then decide whether to fix this through stable-proposed-updates or the
security archive.
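
The vulnerability class Florian describes above, as an added illustration that is not hawtjni's code and not the fix in the linked commit: a JNI loader that drops its bundled shared object at a predictable path under java.io.tmpdir and trusts whatever is already there, beside a hardened extraction that uses a freshly created owner-only directory, an atomic rename, and a check on the file just before it would be handed to System.load(). The class and method names (NativeLoaderExample, loadFromPredictablePath, extractPrivately, verifyBeforeLoad) and the sample byte stream are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration of the /tmp race class in this bug report; not hawtjni's code.
public class NativeLoaderExample {

    // VULNERABLE pattern: the library lands at a name every local user can
    // predict, and a file that is already there is trusted as a cache. An
    // attacker plants <tmpdir>/<baseName>.so (or a symlink to a file they
    // control) ahead of time, and the next process to call this loads the
    // attacker's code with its own privileges. Even without the cache
    // shortcut there is a window between writing the file and System.load()
    // in which a file the attacker owns can be rewritten.
    static void loadFromPredictablePath(InputStream lib, String baseName) throws IOException {
        Path target = Paths.get(System.getProperty("java.io.tmpdir"), baseName + ".so");
        if (!Files.exists(target)) {
            Files.copy(lib, target);
        }
        System.load(target.toAbsolutePath().toString());
    }

    // HARDENED pattern, step 1: extract into a directory that did not exist a
    // moment ago, has an unpredictable name and is accessible only by this
    // user. createTempDirectory fails rather than reusing an existing path,
    // so nothing can be planted there in advance. The bytes go to a temporary
    // name and are renamed into place atomically, so no half-written library
    // is ever visible under its final name.
    static Path extractPrivately(InputStream lib, String baseName) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnlyDir =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        Path dir = Files.createTempDirectory(baseName + "-", ownerOnlyDir);
        Path part = dir.resolve(baseName + ".so.part");
        Path target = dir.resolve(baseName + ".so");
        // CREATE_NEW: fail if the name somehow exists instead of following it.
        try (OutputStream out = Files.newOutputStream(part,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = lib.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        }
        Files.setPosixFilePermissions(part, PosixFilePermissions.fromString("r--------"));
        Files.move(part, target, StandardCopyOption.ATOMIC_MOVE);
        return target;
    }

    // HARDENED pattern, step 2: re-check what is about to be given to the
    // dynamic linker. Refuse symlinks, non-regular files, files owned by
    // someone other than the owner of our private directory, and anything
    // the group or world can write to.
    static void verifyBeforeLoad(Path target) throws IOException {
        if (Files.isSymbolicLink(target)) {
            throw new SecurityException("refusing to load through a symlink: " + target);
        }
        if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            throw new SecurityException("not a regular file: " + target);
        }
        if (!Files.getOwner(target).equals(Files.getOwner(target.getParent()))) {
            throw new SecurityException("unexpected owner on " + target);
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(target);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new SecurityException("library is writable by others: " + target);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a bundled .so; real code would use
        // getClass().getResourceAsStream(...). It is not an ELF object, so
        // System.load() is deliberately not called here.
        InputStream fake = new ByteArrayInputStream(
                "not really a shared object".getBytes(StandardCharsets.US_ASCII));
        Path lib = extractPrivately(fake, "libexample");
        verifyBeforeLoad(lib);
        System.out.println("extracted to private directory: " + lib);
        // Real code: System.load(lib.toAbsolutePath().toString());
        Files.delete(lib);
        Files.delete(lib.getParent());
    }
}
```

The hardened path needs a POSIX filesystem; the PosixFilePermissions calls throw UnsupportedOperationException on Windows, where a per-user directory under the user's profile serves the same purpose. A fresh directory per process gives up caching the extracted library across runs; if caching is wanted, the directory should be per-user, mode 0700, and verifyBeforeLoad should run on every load, not only the first. Running the JVM with -Djava.io.tmpdir pointing at a private directory is a deployment-side mitigation for loaders that cannot be changed.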



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 17 Jan 2014 14:18:09 GMT)


Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Sat, 12 Jul 2014 21:39:11 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Sat, 12 Jul 2014 21:39:12 GMT)


Message #12 received at 708293-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 708293-close@bugs.debian.org
Subject: Bug#708293: fixed in hawtjni 1.10-1
Date: Sat, 12 Jul 2014 21:36:14 +0000
Source: hawtjni
Source-Version: 1.10-1

We believe that the bug you reported is fixed in the latest version of
hawtjni, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 708293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated hawtjni package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Jul 2014 14:04:47 +0200
Source: hawtjni
Binary: libhawtjni-runtime-java
Architecture: source all
Version: 1.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libhawtjni-runtime-java - Java library that provides JNI code generation
Closes: 708293
Changes:
 hawtjni (1.10-1) unstable; urgency=medium
 .
   * Team upload.
   * Imported Upstream version 1.10.
     - Fixes /tmp race condition with arbitrary code execution.
       (Closes: #708293)
   * Use compat level 9 and require debhelper >= 9.
   * wrap-and-sort -sa
   * Remove obsolete "DM-Upload-Allowed" field.
   * Declare compliance with Debian Policy 3.9.5.
   * Use canonical Vcs-URI.
   * Update get-orig-source target and add versioned dpkg-dev
     build-dependency to debian/control. Drop orig-tar.sh.
   * Update debian/copyright to copyright format 1.0.
   * Update maintainer email address.
Checksums-Sha1:
 0fd0700dec33999bdf9d141697887ea3269ce904 2010 hawtjni_1.10-1.dsc
 164a3ac1d6ce6352e7543f26a3a2d658015541d5 1439532 hawtjni_1.10.orig.tar.xz
 1c1d0967b73b58aa88773f3df71866a55d593e15 6844 hawtjni_1.10-1.debian.tar.xz
 fa5d1a2a40a11adcb2626397aeb5f9bb104272ed 55242 libhawtjni-runtime-java_1.10-1_all.deb
Checksums-Sha256:
 3323dd1e00b2f982ecd3d278e28763a1e571fbe65abdd1117c2c022add068d2e 2010 hawtjni_1.10-1.dsc
 56f33428a6dae4abbeb4d4a6f7f52e3e916873ac3ea36130dc1e45203e1e7cc1 1439532 hawtjni_1.10.orig.tar.xz
 67e8688c56f45a131d75d5a0793522bd778cb5d97b06395de98f50813d6783d1 6844 hawtjni_1.10-1.debian.tar.xz
 9b0a4485ac6569efa212e50ba8589a32a960a55fec97c149fc6970fdf9ae8fa3 55242 libhawtjni-runtime-java_1.10-1_all.deb
Files:
 afdd31b2a9df8f8896a619d798a4c0bf 55242 java optional libhawtjni-runtime-java_1.10-1_all.deb
 4303787fb0227d725e383b00443df0ae 2010 java optional hawtjni_1.10-1.dsc
 005fd649217566aff7286e0dc2978cfe 1439532 java optional hawtjni_1.10.orig.tar.xz
 94bd26453a6ccf564eda1d4e1d06fea3 6844 java optional hawtjni_1.10-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:09:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:50 2019; Machine Name: buxtehude
