oss-sec mailing list archives

Re: CVE request and heads-up on insecure temp file handling in unpack200 (OpenJDK, Oracle Java)
From: cve-assign () mitre org
Date: Fri, 7 Feb 2014 19:52:46 -0500 (EST)

I'm not sure if this affects IBM's JDK, but it seems to affect
Oracle's (based on a quick test on my Mac).

The unpack200 program included in OpenJDK did not handle the
log file properly. If the log file could not be opened, it
would create /tmp/unpack.log instead as the fallback, but did so in an
insecure manner, as shown in unpack.cpp (the below is from OpenJDK 6):

4732 void unpacker::redirect_stdio() {
...
4759     sprintf(log_file_name, "/tmp/unpack.log");

4761     if ((errstrm = fopen(log_file_name, "a+")) != NULL) {

The same exists in OpenJDK 7 and 8.

This could allow a malicious local attacker to conduct local attacks,
such as symlink attacks, where a file could be overwritten if the user
running unpack200 had write permissions.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737562
https://bugzilla.redhat.com/show_bug.cgi?id=1060907

Use CVE-2014-1876.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
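For reference, here is the unsafe fallback pattern from the report next to a hardened alternative. This is an added example, not OpenJDK's code or its actual fix; the function names and the mkstemp()-based design are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern described in the report: a fixed, predictable path in a
 * world-writable directory, opened with fopen("a+"). fopen follows symlinks
 * and happily appends to whatever file already sits at that name. */
static FILE *open_fallback_log_unsafe(void) {
    return fopen("/tmp/unpack.log", "a+");
}

/* Hardened replacement (hypothetical design): let mkstemp() pick a unique
 * name and create it atomically with O_CREAT|O_EXCL and mode 0600, so a
 * pre-existing file or symlink at a guessable path is never reused or
 * followed. The chosen path is copied into path_out for later cleanup. */
static FILE *open_fallback_log_safe(char *path_out, size_t path_len) {
    char tmpl[] = "/tmp/unpack.XXXXXX";   /* mkstemp rewrites the X's */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    snprintf(path_out, path_len, "%s", tmpl);
    FILE *f = fdopen(fd, "a+");           /* reuse the fd we already own */
    if (f == NULL) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    return f;
}

/* Post-condition check a reviewer can reuse: the log must be a regular
 * file (not a symlink, checked with lstat) that nobody else can read. */
static int log_is_private_regular(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
}

int main(void) {
    char path[64];
    FILE *f = open_fallback_log_safe(path, sizeof path);
    if (f == NULL) { perror("open_fallback_log_safe"); return 1; }
    printf("log at %s, private regular file: %d\n", path, log_is_private_regular(path));
    fputs("unpack200 fallback log line\n", f);
    fclose(f);
    unlink(path);
    return 0;
}
```

The unsafe variant is kept only to show the contrast; a fixed name plus fopen("a+") is exactly the combination the report flags.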
