Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 7 Feb 2014 19:52:46 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I'm not sure if this affects IBM's JDK, but it seems to affect
> Oracle's (based on a quick test on my mac)
> 
> the unpack200 program included in OpenJDK did not properly handle the
> logfile properly. If the the log file was unable to be opened, it
> would create /tmp/unpack.log instead as the fallback, but do so in an
> insecure manner, as shown in unpack.cpp (the below is from OpenJDK 6):
> 
> 4732 void unpacker::redirect_stdio() {
> ...
> 4759     sprintf(log_file_name, "/tmp/unpack.log");

> 4761     if ((errstrm = fopen(log_file_name, "a+")) != NULL) {
> 
> The same exists in OpenJDK 7 and 8.
> 
> This could allow a malicious local attacker to conduct local attacks,
> such as symlink attacks, where a file could be overwritten if the user
> running unpack200 had write permissions.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737562
> https://bugzilla.redhat.com/show_bug.cgi?id=1060907

Use CVE-2014-1876.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS9X4vAAoJEKllVAevmvmsY18H/jhe8ReMewYm51zFXb3Ma5vg
hzG5hmArGvX6DaEXj8qwtT1ifUys2KFq/EaIYcQVtoivWeZgXh5LERfjUybl0aPY
4pr9U1quWra7QJtTTr49mi48mJS/Ef1Lj0yQ2GxwYyOVN7250SuUMjkT6euXWBxd
ol6/Y/rYzabU+k/1OXRSU1auHvjX3nj++vontWv5clIDDDTPMacStLn5JbYImcoi
UQJjuVFhAwu2Ue9ztpC0+OBpftFkMsX+y3Xzx92c2+orerDPioqdE5JzVBSp8Ei1
F7Ai06g0QOjxZc9SUFdgGAzQyLyM3gPfk2P8HnMVvNeps9u9Wt8DiEWM8/xKCkg=
=d/PB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.