Your message dated Sat, 18 Oct 2014 12:06:30 +0100 with message-id <E1XfRqA-0002Re-A8@jacala> and subject line Closing bugs for updates in 7.7 has caused the Debian Bug report #755018, regarding pu: package hawtjni/1.0~+git0c502e20c4-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 755018: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755018 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Markus Koschany <apo@gambaru.de>
- Subject: pu: package hawtjni/1.0~+git0c502e20c4-3
- From: Miguel Landaeta <nomadium@debian.org>
- Date: Wed, 16 Jul 2014 17:47:15 -0300
- Message-id: <20140716204715.GA19290@alice.nomadium.lan>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: pu Hello folks, Markus has prepared a new version of hawtjni to fix CVE-2013-2035 (#708293) by backporting the corresponding upstream commits. Please find attached the debdiff against the hawtjni version in stable. Please let me know if the changes qualify for an upload to s-p-u. Description =========== * CVE-2013-2035 Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp. Cheers, -- System Information: Debian Release: 7.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzschediff -Nru hawtjni-1.0~+git0c502e20c4/debian/changelog hawtjni-1.0~+git0c502e20c4/debian/changelog --- hawtjni-1.0~+git0c502e20c4/debian/changelog 2011-07-30 14:14:39.000000000 -0300 +++ hawtjni-1.0~+git0c502e20c4/debian/changelog 2014-07-13 23:08:26.000000000 -0300 @@ -1,3 +1,11 @@ +hawtjni (1.0~+git0c502e20c4-3+deb7u1) wheezy-security; urgency=medium + + * Add CVE-2013-2035.patch. + - Fix /tmp race condition with arbitrary code execution. + (CVE-2013-2035) + + -- Markus Koschany <apo@gambaru.de> Fri, 11 Jul 2014 15:14:35 +0200 + hawtjni (1.0~+git0c502e20c4-3) unstable; urgency=low * Team upload. diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch --- hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 1969-12-31 21:00:00.000000000 -0300 +++ hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 2014-07-13 23:08:26.000000000 -0300 @@ -0,0 +1,151 @@ +From: Hiram Chirino <hiram@hiramchirino.com> +Date: Fri, 11 Jul 2014 15:11:14 +0200 +Subject: CVE 2013-2035 + +Bug: https://bugs.debian.org/708293 +Forwarded: https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5 +--- + .../org/fusesource/hawtjni/runtime/Library.java | 80 ++++++++-------------- + 1 file changed, 30 insertions(+), 50 deletions(-) + +diff --git a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java +index 28e15ea..0c3145d 100755 +--- a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java ++++ b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java +@@ -9,13 +9,11 @@ + *******************************************************************************/ + package org.fusesource.hawtjni.runtime; + +-import java.io.File; +-import java.io.FileOutputStream; +-import java.io.IOException; +-import java.io.InputStream; ++import java.io.*; + import java.net.MalformedURLException; + import java.net.URL; + import java.util.ArrayList; ++import java.util.Random; + import java.util.regex.Pattern; + + /** +@@ -205,15 +203,19 @@ public class Library { + URL resource = classLoader.getResource(resourcePath); + if( resource !=null ) { + +- String libName = name; ++ String libName = name + "-" + getBitModel(); + if( version !=null) { + libName += "-" + version; + } +- ++ ++ String []libNameParts = map(libName).split("\\."); ++ String prefix = libNameParts[0]+"-"; ++ String suffix = "."+libNameParts[1]; ++ + if( customPath!=null ) { + // Try to extract it to the custom path... +- File target = file(customPath, map(libName)); +- if( extract(errors, resource, target) ) { ++ File target = extract(errors, resource, prefix, suffix, file(customPath)); ++ if( target!=null ) { + if( load(errors, target) ) { + return true; + } +@@ -222,8 +224,8 @@ public class Library { + + // Fall back to extracting to the tmp dir + customPath = System.getProperty("java.io.tmpdir"); +- File target = file(customPath, map(libName)); +- if( extract(errors, resource, target) ) { ++ File target = extract(errors, resource, prefix, suffix, file(customPath)); ++ if( target!=null ) { + if( load(errors, target) ) { + return true; + } +@@ -257,67 +259,45 @@ public class Library { + return libName; + } + +- private boolean extract(ArrayList<String> errors, URL source, File target) { +- FileOutputStream os = null; +- InputStream is = null; +- boolean extracting = false; ++ private File extract(ArrayList<String> errors, URL source, String prefix, String suffix, File directory) { ++ File target = null; + try { +- if (!target.exists() || isStale(source, target) ) { ++ FileOutputStream os = null; ++ InputStream is = null; ++ try { ++ target = File.createTempFile(prefix, suffix, directory); + is = source.openStream(); + if (is != null) { + byte[] buffer = new byte[4096]; + os = new FileOutputStream(target); +- extracting = true; + int read; + while ((read = is.read(buffer)) != -1) { + os.write(buffer, 0, read); + } +- os.close(); +- is.close(); + chmod("755", target); + } ++ target.deleteOnExit(); ++ return target; ++ } finally { ++ close(os); ++ close(is); + } + } catch (Throwable e) { +- try { +- if (os != null) +- os.close(); +- } catch (IOException e1) { +- } +- try { +- if (is != null) +- is.close(); +- } catch (IOException e1) { +- } +- if (extracting && target.exists()) ++ if( target!=null ) { + target.delete(); ++ } + errors.add(e.getMessage()); +- return false; + } +- return true; ++ return null; + } + +- private boolean isStale(URL source, File target) { +- +- if( source.getProtocol().equals("jar") ) { +- // unwrap the jar protocol... ++ static private void close(Closeable file) { ++ if(file!=null) { + try { +- String parts[] = source.getFile().split(Pattern.quote("!")); +- source = new URL(parts[0]); +- } catch (MalformedURLException e) { +- return false; +- } +- } +- +- File sourceFile=null; +- if( source.getProtocol().equals("file") ) { +- sourceFile = new File(source.getFile()); +- } +- if( sourceFile!=null && sourceFile.exists() ) { +- if( sourceFile.lastModified() > target.lastModified() ) { +- return true; ++ file.close(); ++ } catch (Exception ignore) { + } + } +- return false; + } + + private void chmod(String permision, File path) { diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/series hawtjni-1.0~+git0c502e20c4/debian/patches/series --- hawtjni-1.0~+git0c502e20c4/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ hawtjni-1.0~+git0c502e20c4/debian/patches/series 2014-07-13 23:08:26.000000000 -0300 @@ -0,0 +1 @@ +CVE-2013-2035.patchAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 755018-done@bugs.debian.org
- Subject: Closing bugs for updates in 7.7
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 18 Oct 2014 12:06:30 +0100
- Message-id: <E1XfRqA-0002Re-A8@jacala>
Version: 7.7 The upload discussed in this bug was included in the 7.7 point release. Regards, Adam
--- End Message ---