Debian Bug report logs -
#737562
unpack200: CVE-2014-1876: insecure use of /tmp
Reported by: Jakub Wilk <jwilk@debian.org>
Date: Mon, 3 Feb 2014 19:45:01 UTC
Severity: normal
Tags: security
Found in version openjdk-7/7u51-2.4.5-1
Fixed in version 7u55-2.4.7-1
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@debian.org, OpenJDK Team <openjdk@lists.launchpad.net>:
Bug#737562; Package openjdk-7-jre-headless.
(Mon, 03 Feb 2014 19:45:06 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
Package: openjdk-7-jre-headless
Version: 7u51-2.4.5-1
Tags: security
If unpack200 cannot open logfile, it creates a file in /tmp in an
insecure way:
$ strace -o '| grep /tmp' unpack200 --log-file=/cannot/open test.pack.gz test.jar
open("/tmp/unpack.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 3
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openjdk-7-jre-headless:i386 depends on:
ii ca-certificates-java 20130815
ii java-common 0.51
ii libc6 2.18-0experimental1
ii libcups2 1.7.1-3
ii libfontconfig1 2.11.0-2
ii libfreetype6 2.5.2-1
ii libgcc1 1:4.9-20140122-1
ii libglib2.0-0 2.36.4-1
ii libjpeg8 8d-2
ii libkrb5-3 1.12+dfsg-2
ii liblcms2-2 2.2+git20110628-2.3+b1
ii libnss3 2:3.15.3.1-1.1
ii libpcsclite1 1.8.10-1
ii libstdc++6 4.9-20140122-1
ii multiarch-support 2.18-0experimental1
ii tzdata-java 2013i-1
ii zlib1g 1:1.2.8.dfsg-1
--
Jakub Wilk
Changed Bug title to 'unpack200: CVE-2014-1876: insecure use of /tmp' from 'unpack200: insecure use of /tmp'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 08 Feb 2014 07:39:05 GMT) (full text, mbox, link).
Reply sent
to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.
(Mon, 12 May 2014 14:54:18 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Mon, 12 May 2014 14:54:18 GMT) (full text, mbox, link).
Message #10 received at 737562-done@bugs.debian.org (full text, mbox, reply):
Version: 7u55-2.4.7-1
On Mon, Feb 03, 2014 at 08:40:42PM +0100, Jakub Wilk wrote:
> Package: openjdk-7-jre-headless
> Version: 7u51-2.4.5-1
> Tags: security
>
> If unpack200 cannot open logfile, it creates a file in /tmp in an
> insecure way:
>
> $ strace -o '| grep /tmp' unpack200 --log-file=/cannot/open test.pack.gz test.jar
> open("/tmp/unpack.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 3
This was fixed in the latest OpenJDK security update round.
Cheers,
Moritz
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 10 Jun 2014 07:31:18 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:15:11 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon