
Bug#755018: marked as done (pu: package hawtjni/1.0~+git0c502e20c4-3)



Your message dated Sat, 18 Oct 2014 12:06:30 +0100
with message-id <E1XfRqA-0002Re-A8@jacala>
and subject line Closing bugs for updates in 7.7
has caused the Debian Bug report #755018,
regarding pu: package hawtjni/1.0~+git0c502e20c4-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
755018: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755018
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hello folks,

Markus has prepared a new version of hawtjni to fix CVE-2013-2035
(#708293) by backporting the corresponding upstream commits.
Please find attached the debdiff against the hawtjni version in
stable.

Please let me know if the changes qualify for an upload to s-p-u.

Description
===========

* CVE-2013-2035
Race condition in
hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
in HawtJNI before 1.8, when a custom library path is not specified,
allows local users to execute arbitrary Java code by overwriting a
temporary JAR file with a predictable name in /tmp.


Cheers,


-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/changelog hawtjni-1.0~+git0c502e20c4/debian/changelog
--- hawtjni-1.0~+git0c502e20c4/debian/changelog	2011-07-30 14:14:39.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/changelog	2014-07-13 23:08:26.000000000 -0300
@@ -1,3 +1,11 @@
+hawtjni (1.0~+git0c502e20c4-3+deb7u1) wheezy-security; urgency=medium
+
+  * Add CVE-2013-2035.patch.
+    - Fix /tmp race condition with arbitrary code execution.
+      (CVE-2013-2035)
+
+ -- Markus Koschany <apo@gambaru.de>  Fri, 11 Jul 2014 15:14:35 +0200
+
 hawtjni (1.0~+git0c502e20c4-3) unstable; urgency=low
 
   * Team upload.
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch
--- hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch	1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch	2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1,151 @@
+From: Hiram Chirino <hiram@hiramchirino.com>
+Date: Fri, 11 Jul 2014 15:11:14 +0200
+Subject: CVE 2013-2035
+
+Bug: https://bugs.debian.org/708293
+Forwarded: https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5
+---
+ .../org/fusesource/hawtjni/runtime/Library.java    | 80 ++++++++--------------
+ 1 file changed, 30 insertions(+), 50 deletions(-)
+
+diff --git a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+index 28e15ea..0c3145d 100755
+--- a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
++++ b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+@@ -9,13 +9,11 @@
+  *******************************************************************************/
+ package org.fusesource.hawtjni.runtime;
+ 
+-import java.io.File;
+-import java.io.FileOutputStream;
+-import java.io.IOException;
+-import java.io.InputStream;
++import java.io.*;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.util.ArrayList;
++import java.util.Random;
+ import java.util.regex.Pattern;
+ 
+ /**
+@@ -205,15 +203,19 @@ public class Library {
+         URL resource = classLoader.getResource(resourcePath);
+         if( resource !=null ) {
+             
+-            String libName = name;
++            String libName = name + "-" + getBitModel();
+             if( version !=null) {
+                 libName += "-" + version;
+             }
+-            
++
++            String []libNameParts = map(libName).split("\\.");
++            String prefix = libNameParts[0]+"-";
++            String suffix = "."+libNameParts[1];
++
+             if( customPath!=null ) {
+                 // Try to extract it to the custom path...
+-                File target = file(customPath, map(libName));
+-                if( extract(errors, resource, target) ) {
++                File target = extract(errors, resource, prefix, suffix, file(customPath));
++                if( target!=null ) {
+                     if( load(errors, target) ) {
+                         return true;
+                     }
+@@ -222,8 +224,8 @@ public class Library {
+             
+             // Fall back to extracting to the tmp dir
+             customPath = System.getProperty("java.io.tmpdir");
+-            File target = file(customPath, map(libName));
+-            if( extract(errors, resource, target) ) {
++            File target = extract(errors, resource, prefix, suffix, file(customPath));
++            if( target!=null ) {
+                 if( load(errors, target) ) {
+                     return true;
+                 }
+@@ -257,67 +259,45 @@ public class Library {
+         return libName;
+     }
+ 
+-    private boolean extract(ArrayList<String> errors, URL source, File target) {
+-        FileOutputStream os = null;
+-        InputStream is = null;
+-        boolean extracting = false;
++    private File extract(ArrayList<String> errors, URL source, String prefix, String suffix, File directory) {
++        File target = null;
+         try {
+-            if (!target.exists() || isStale(source, target) ) {
++            FileOutputStream os = null;
++            InputStream is = null;
++            try {
++                target = File.createTempFile(prefix, suffix, directory);
+                 is = source.openStream();
+                 if (is != null) {
+                     byte[] buffer = new byte[4096];
+                     os = new FileOutputStream(target);
+-                    extracting = true;
+                     int read;
+                     while ((read = is.read(buffer)) != -1) {
+                         os.write(buffer, 0, read);
+                     }
+-                    os.close();
+-                    is.close();
+                     chmod("755", target);
+                 }
++                target.deleteOnExit();
++                return target;
++            } finally {
++                close(os);
++                close(is);
+             }
+         } catch (Throwable e) {
+-            try {
+-                if (os != null)
+-                    os.close();
+-            } catch (IOException e1) {
+-            }
+-            try {
+-                if (is != null)
+-                    is.close();
+-            } catch (IOException e1) {
+-            }
+-            if (extracting && target.exists())
++            if( target!=null ) {
+                 target.delete();
++            }
+             errors.add(e.getMessage());
+-            return false;
+         }
+-        return true;
++        return null;
+     }
+ 
+-    private boolean isStale(URL source, File target) {
+-        
+-        if( source.getProtocol().equals("jar") ) {
+-            // unwrap the jar protocol...
++    static private void close(Closeable file) {
++        if(file!=null) {
+             try {
+-                String parts[] = source.getFile().split(Pattern.quote("!"));
+-                source = new URL(parts[0]);
+-            } catch (MalformedURLException e) {
+-                return false;
+-            }
+-        }
+-        
+-        File sourceFile=null;
+-        if( source.getProtocol().equals("file") ) {
+-            sourceFile = new File(source.getFile());
+-        }
+-        if( sourceFile!=null && sourceFile.exists() ) {
+-            if( sourceFile.lastModified() > target.lastModified() ) {
+-                return true;
++                file.close();
++            } catch (Exception ignore) {
+             }
+         }
+-        return false;
+     }
+ 
+     private void chmod(String permision, File path) {
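Review bot: In the `@@ -205,15 +203,19 @@` hunk of Library.java, taking the temp-file suffix from `libNameParts[1]` after `map(libName).split("\\.")` picks the wrong piece whenever the mapped name holds more than one dot, which looks likely because `version` is appended to `libName` first, and it throws ArrayIndexOutOfBoundsException when the mapped name has no dot at all. Splitting at the last dot keeps the platform extension: `String mapped = map(libName); int dot = mapped.lastIndexOf('.');`, then `String prefix = (dot < 0 ? mapped : mapped.substring(0, dot)) + "-";` and `String suffix = dot < 0 ? null : mapped.substring(dot);`. In the rewritten `extract`, `close(os)` discards a failure to close the output stream, so a library that was not fully written can still be returned and handed to `load`; closing `os` explicitly before `return target` would let the existing catch delete the file and record the error. The method containing the first change starts and ends outside its hunk, so what `map` returns is inferred from how it is used here.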
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/series hawtjni-1.0~+git0c502e20c4/debian/patches/series
--- hawtjni-1.0~+git0c502e20c4/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/series	2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1 @@
+CVE-2013-2035.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 7.7

The upload discussed in this bug was included in the 7.7 point release.

Regards,

Adam

--- End Message ---
