Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: pu Hello folks, Markus has prepared a new version of hawtjni to fix CVE-2013-2035 (#708293) by backporting the corresponding upstream commits. Please find attached the debdiff against the hawtjni version in stable. Please let me know if the changes qualify for an upload to s-p-u. Description =========== * CVE-2013-2035 Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp. Cheers, -- System Information: Debian Release: 7.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/changelog hawtjni-1.0~+git0c502e20c4/debian/changelog
--- hawtjni-1.0~+git0c502e20c4/debian/changelog 2011-07-30 14:14:39.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/changelog 2014-07-13 23:08:26.000000000 -0300
@@ -1,3 +1,11 @@
+hawtjni (1.0~+git0c502e20c4-3+deb7u1) wheezy-security; urgency=medium
+
+ * Add CVE-2013-2035.patch.
+ - Fix /tmp race condition with arbitrary code execution.
+ (CVE-2013-2035)
+
+ -- Markus Koschany <apo@gambaru.de> Fri, 11 Jul 2014 15:14:35 +0200
+
hawtjni (1.0~+git0c502e20c4-3) unstable; urgency=low
* Team upload.
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch
--- hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1,151 @@
+From: Hiram Chirino <hiram@hiramchirino.com>
+Date: Fri, 11 Jul 2014 15:11:14 +0200
+Subject: CVE 2013-2035
+
+Bug: https://bugs.debian.org/708293
+Forwarded: https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5
+---
+ .../org/fusesource/hawtjni/runtime/Library.java | 80 ++++++++--------------
+ 1 file changed, 30 insertions(+), 50 deletions(-)
+
+diff --git a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+index 28e15ea..0c3145d 100755
+--- a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
++++ b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+@@ -9,13 +9,11 @@
+ *******************************************************************************/
+ package org.fusesource.hawtjni.runtime;
+
+-import java.io.File;
+-import java.io.FileOutputStream;
+-import java.io.IOException;
+-import java.io.InputStream;
++import java.io.*;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.util.ArrayList;
++import java.util.Random;
+ import java.util.regex.Pattern;
+
+ /**
+@@ -205,15 +203,19 @@ public class Library {
+ URL resource = classLoader.getResource(resourcePath);
+ if( resource !=null ) {
+
+- String libName = name;
++ String libName = name + "-" + getBitModel();
+ if( version !=null) {
+ libName += "-" + version;
+ }
+-
++
++ String []libNameParts = map(libName).split("\\.");
++ String prefix = libNameParts[0]+"-";
++ String suffix = "."+libNameParts[1];
++
+ if( customPath!=null ) {
+ // Try to extract it to the custom path...
+- File target = file(customPath, map(libName));
+- if( extract(errors, resource, target) ) {
++ File target = extract(errors, resource, prefix, suffix, file(customPath));
++ if( target!=null ) {
+ if( load(errors, target) ) {
+ return true;
+ }
+@@ -222,8 +224,8 @@ public class Library {
+
+ // Fall back to extracting to the tmp dir
+ customPath = System.getProperty("java.io.tmpdir");
+- File target = file(customPath, map(libName));
+- if( extract(errors, resource, target) ) {
++ File target = extract(errors, resource, prefix, suffix, file(customPath));
++ if( target!=null ) {
+ if( load(errors, target) ) {
+ return true;
+ }
+@@ -257,67 +259,45 @@ public class Library {
+ return libName;
+ }
+
+- private boolean extract(ArrayList<String> errors, URL source, File target) {
+- FileOutputStream os = null;
+- InputStream is = null;
+- boolean extracting = false;
++ private File extract(ArrayList<String> errors, URL source, String prefix, String suffix, File directory) {
++ File target = null;
+ try {
+- if (!target.exists() || isStale(source, target) ) {
++ FileOutputStream os = null;
++ InputStream is = null;
++ try {
++ target = File.createTempFile(prefix, suffix, directory);
+ is = source.openStream();
+ if (is != null) {
+ byte[] buffer = new byte[4096];
+ os = new FileOutputStream(target);
+- extracting = true;
+ int read;
+ while ((read = is.read(buffer)) != -1) {
+ os.write(buffer, 0, read);
+ }
+- os.close();
+- is.close();
+ chmod("755", target);
+ }
++ target.deleteOnExit();
++ return target;
++ } finally {
++ close(os);
++ close(is);
+ }
+ } catch (Throwable e) {
+- try {
+- if (os != null)
+- os.close();
+- } catch (IOException e1) {
+- }
+- try {
+- if (is != null)
+- is.close();
+- } catch (IOException e1) {
+- }
+- if (extracting && target.exists())
++ if( target!=null ) {
+ target.delete();
++ }
+ errors.add(e.getMessage());
+- return false;
+ }
+- return true;
++ return null;
+ }
+
+- private boolean isStale(URL source, File target) {
+-
+- if( source.getProtocol().equals("jar") ) {
+- // unwrap the jar protocol...
++ static private void close(Closeable file) {
++ if(file!=null) {
+ try {
+- String parts[] = source.getFile().split(Pattern.quote("!"));
+- source = new URL(parts[0]);
+- } catch (MalformedURLException e) {
+- return false;
+- }
+- }
+-
+- File sourceFile=null;
+- if( source.getProtocol().equals("file") ) {
+- sourceFile = new File(source.getFile());
+- }
+- if( sourceFile!=null && sourceFile.exists() ) {
+- if( sourceFile.lastModified() > target.lastModified() ) {
+- return true;
++ file.close();
++ } catch (Exception ignore) {
+ }
+ }
+- return false;
+ }
+
+ private void chmod(String permision, File path) {
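Review bot: In the `@@ -205,15 +203,19 @@` hunk of Library.java, `map(libName).split("\\.")` uses the text between the first and second dot as the suffix, so a dotted `version` (for example a constructed `1.2`) truncates the prefix and, assuming `map()` appends the platform extension, gives the temp file a suffix that is not that extension; a mapped name with no dot throws `ArrayIndexOutOfBoundsException` outside `extract`'s catch and never reaches `errors`. Splitting at the last dot avoids both: `String mapped = map(libName); int dot = mapped.lastIndexOf('.');`, `String prefix = (dot < 0 ? mapped : mapped.substring(0, dot)) + "-";`, `String suffix = dot < 0 ? null : mapped.substring(dot);` (with a null suffix `File.createTempFile` falls back to `.tmp`). In the rewritten `extract`, `return target` runs before the `finally`, and `close(os)` discards any exception, so a failed close on the output stream would pass a possibly incomplete library to `load` with nothing recorded in `errors`; the `is == null` path likewise returns an empty file. Since `File.createTempFile` is what removes the predictable name in `java.io.tmpdir`, a short comment above that call saying so, and that reuse of an existing file as in the removed `isStale` path must not be reintroduced, would help later maintainers. The method containing the first hunk starts outside the visible lines.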
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/series hawtjni-1.0~+git0c502e20c4/debian/patches/series
--- hawtjni-1.0~+git0c502e20c4/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/series 2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1 @@
+CVE-2013-2035.patch