Bugzilla Bug 86585

the sun-jdk ebuild uses a predictable tmp filename for it's extraction log.

users could abuse this by creating files at arbitrary locations via a symlink attack. example:

$ ls -l /etc/nologin
ls: /etc/nologin: No such file or directory
$ ln -fs /etc/nologin /tmp/unpack.log
# wait for root to emerge java
$ ls -l /etc/nologin
-rw-r--r--  1 root root 390 Mar 24 22:36 /etc/nologin

I've thought of a solution, 

$ cvs diff sun-jdk-1.4.2.07.ebuild 
Index: sun-jdk-1.4.2.07.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/dev-java/sun-jdk/sun-jdk-1.4.2.07.ebuild,v
retrieving revision 1.2
diff -u -w -r1.2 sun-jdk-1.4.2.07.ebuild
--- sun-jdk-1.4.2.07.ebuild     3 Feb 2005 05:43:51 -0000       1.2
+++ sun-jdk-1.4.2.07.ebuild     24 Mar 2005 22:38:56 -0000
@@ -76,6 +76,7 @@
        if [ -f ${S}/lib/unpack ]; then
                UNPACK_CMD=${S}/lib/unpack
                chmod +x $UNPACK_CMD
+               perl -pi -e 's#/tmp/unpack.log#/dev/null\x00\x00\x00\x00\x00\x00#sg' $UNPACK_CMD
                for i in $PACKED_JARS; do
                        PACK_FILE=${S}/`dirname $i`/`basename $i .jar`.pack
                        if [ -f ${PACK_FILE} ]; then

replace the hardcoded predictable name with /dev/null (note the null padding is required).

ok, patch applied

Is this bug Gentoo-ebuild-specific ? Or does it affect every JDK installer ? In
which case we should transmit to Sun.

luckyduck: you should revbump so that if we issue a GLSA about this we get a
"fixed" from version.

Koon: it's part of the installation routine from sun (ie, not gentoo's fault),
so we should inform upstream?

these are also affected:

dev-java/sun-jre-bin
dev-java/blackdown-jdk 
dev-java/blackdown-jre

the same patch should work

can this be done with sed too?
don't want to be DEPEND'ing on perl 

axxo: yep, if you'ld prefer.

This works fine:

sed -i 's#/tmp/unpack.log#/dev/null\x00\x00\x00\x00\x00\x00#g' $UNPACK_CMD

applied to all vulnerable packages/versions. old and vulnerable revisions are
removed from the tree, the new revisions which aren't vulnerable are:

sun-jdk-1.4.2.07-r1
sun-jdk-1.5.0.02-r1

sun-jre-bin-1.4.2.07-r1
sun-jre-bin-1.5.0.01-r1

blackdown-jdk-1.4.2.01-r2

blackdown-jre-1.4.2.01-r1


there are versions in the tree which don't make use of $UNPACK_CMD at all. i
havn't touch these version.

Arches please test and mark stable (if possible)

blackdown-jdk-1.4.2.01-r2: amd64, ppc?, sparc?, x86
blackdown-jre-1.4.2.01-r1: ppc?, sparc?

Jan, please check that the Sun packages have proper keywords.

ppc doesn't use blackdown.

blackdown-jdk-1.4.2.01-r2 stable on amd64

At last check, there was no blackdown-j*-1.4.2* for SPARC.  The latest we have
is 1.4.1.  Not sure how you want to handle that.

i think the keywords are fine now, there was no sparc and no ppc keyword in any
of the vulnerable versions. version <=1.4.1 don't make use of this installing
scheme and $UNPACK_CMD etc. seems that everything is fine now

Removing SPARC then since we aren't affected.

This one is ready for GLSA decision.

I would vote no... My logic being that upgrading won't solve anything. People
with the affected package already installed are not vulnerable to anything.
Only people re-installing old versions would be.

So I would remove all affected versions and close this one without GLSA.

i don't have a right to vote, but i agree. all affected versions aren't in the
tree any longer.

I agree -> closing without GLSA.