[oe] [meta-java][PATCH 11/15] openjdk: fix CVE-2014-1876
jackie.huang at windriver.com
Fri Dec 25 07:56:31 UTC 2015
From: Amy Fong <amy.fong at windriver.com>
Rather than creating /tmp/unpack.log and insecure permissions,
if unpack cannot create the specified log file, it defaults to writing
to /dev/null, failing that, stderr. (These are the default options if
it cannot write to /tmp/unpack.log)
Signed-off-by: Amy Fong <amy.fong at windriver.com>
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
---
.../icedtea-CVE-2014-1876-unpack.patch | 44 ++++++++++++++++++++++
recipes-core/icedtea/openjdk-7-release-03b147.inc | 2 +
2 files changed, 46 insertions(+)
create mode 100644 recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
new file mode 100644
index 0000000..d0717c4
--- /dev/null
+++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,44 @@
+This provides a fix for the security vulnerability reported in
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+
+ The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+ 7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+ log file cannot be opened, which allows local users to overwrite arbitrary
+ files via a symlink attack on /tmp/unpack.log.
+
+Rather than trying to open a /tmp/unpack.log file, this fix comments
+out that segment and goes to the fallback options which include
+redirecting error to /dev/null, or failing that, redirecting to stderr.
+
+Upstream-Status: Pending
+
+Signed-off-by: Amy Fong <amy.fong at windriver.com>
+
+Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+===================================================================
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
++++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -4757,6 +4757,15 @@
+ return;
+ } else {
+ char log_file_name[PATH_MAX+100];
++#if 0
++/*
++The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
++7, and 8, and Oracle Java JDK, does not securely create temporary files when a
++log file cannot be opened, which allows local users to overwrite arbitrary
++files via a symlink attack on /tmp/unpack.log.
++
++http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
++*/
+ char tmpdir[PATH_MAX];
+ #ifdef WIN32
+ int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
+@@ -4781,6 +4790,7 @@
+ log_file = errstrm_name = saveStr(log_file_name);
+ return ;
+ }
++#endif
+ #ifndef WIN32
+ sprintf(log_file_name, "/dev/null");
+ // On windows most likely it will fail.
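Review bot: The #if 0 / #endif pair in the unpack.cpp change leaves the whole /tmp/unpack.log branch in the tree as dead code, and the patch header describes it as "comments out that segment" although it is a preprocessor guard. Deleting the block would make the intent clearer. If the temporary log is still wanted, the fallback could instead create the file exclusively (for example mkstemp, or open with O_CREAT|O_EXCL), so that diagnostics are not silently sent to /dev/null when the requested log file cannot be opened. The #if 0 also opens just before an #ifdef WIN32 whose closing #endif is not in the visible context, so please confirm that the conditional is fully contained in the disabled region.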
diff --git a/recipes-core/icedtea/openjdk-7-release-03b147.inc b/recipes-core/icedtea/openjdk-7-release-03b147.inc
index dbdc045..83b087c 100644
--- a/recipes-core/icedtea/openjdk-7-release-03b147.inc
+++ b/recipes-core/icedtea/openjdk-7-release-03b147.inc
@@ -86,6 +86,7 @@ OPENJDK_PATCHES = " \
file://icedtea-disable-sun.applet-for-tools-in-headless.patch;apply=no \
file://icedtea-hotspot-fix-undefined-behaviour.patch;apply=no \
file://icedtea-x11_extension_cleanup.patch;apply=no \
+ file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
"
OPENJDK_HEADLESS_PATCHES = " \
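Review bot: The new OPENJDK_PATCHES entry carries ;apply=no like its neighbours, so the CVE fix only takes effect through the matching DISTRIBUTION_PATCHES line added in the next hunk. The commit message should say this, because dropping or reordering either entry later would leave the patch fetched but not applied, with no build failure to signal it. Only openjdk-7-release-03b147.inc is touched here, so it would also help to state whether other release includes need the same two entries.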
@@ -106,5 +107,6 @@ export DISTRIBUTION_PATCHES = " \
patches/icedtea-change-to-gdb-debug-format.patch \
patches/icedtea-hotspot-fix-undefined-behaviour.patch \
patches/icedtea-x11_extension_cleanup.patch \
+ patches/icedtea-CVE-2014-1876-unpack.patch \
${CLEAN_X11_DISTRIBUTION_PATCH} \
"
--
1.9.1