Message-Id: <201402080052.s180qkHq003809@linus.mitre.org>
Date: Fri, 7 Feb 2014 19:52:46 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java)

> I'm not sure if this affects IBM's JDK, but it seems to affect
> Oracle's (based on a quick test on my mac)
>
> the unpack200 program included in OpenJDK did not handle the
> logfile properly. If the log file was unable to be opened, it
> would create /tmp/unpack.log instead as the fallback, but do so in an
> insecure manner, as shown in unpack.cpp (the below is from OpenJDK 6):
>
> 4732 void unpacker::redirect_stdio() {
> ...
> 4759 sprintf(log_file_name, "/tmp/unpack.log");
> 4761 if ((errstrm = fopen(log_file_name, "a+")) != NULL) {
>
> The same exists in OpenJDK 7 and 8.
>
> This could allow a malicious local attacker to conduct local attacks,
> such as symlink attacks, where a file could be overwritten if the user
> running unpack200 had write permissions.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737562
> https://bugzilla.redhat.com/show_bug.cgi?id=1060907

Use CVE-2014-1876.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
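The fallback pattern quoted in the message, next to a hardened open, as an added example (not code from this thread or from OpenJDK). The helper names, the mkdtemp() directory and the "victim" file are assumptions constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fopen() on a fixed name follows a symlink. */
FILE *open_log_unsafe(const char *path) {
    return fopen(path, "a+");
}

/* Hardened form (hypothetical helper): refuse a symlink at the final path
 * component, then verify the opened object before writing to it. */
FILE *open_log_safe(const char *path) {
    int fd = open(path, O_RDWR | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return NULL;                 /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);                           /* not our own plain file */
        return NULL;
    }
    FILE *f = fdopen(fd, "a+");
    if (f == NULL) close(fd);
    return f;
}

/* Constructed scenario in a private mkdtemp() directory: "unpack.log" is a
 * symlink to "victim". Returns the victim's size after one log write. */
long victim_size_after(FILE *(*opener)(const char *)) {
    char dir[] = "/tmp/unpack-demo-XXXXXX", victim[64], link_path[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/unpack.log", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL) return -1;
    fclose(v);
    if (symlink(victim, link_path) != 0) return -1;
    FILE *f = opener(link_path);
    if (f != NULL) { fputs("log line\n", f); fclose(f); }
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(link_path); unlink(victim); rmdir(dir);
    return size;
}
```

O_NOFOLLOW only covers the last path component, so the ownership and link-count checks still matter in a world-writable directory. Creating the log with mkstemp() or inside a directory owned by the user avoids the fixed, predictable name altogether.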