Bug 86585 - dev-java/sun-jdk: ebuild insecure temporary file handling
|
Bug#:
86585
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: All
|
Status: RESOLVED
|
Severity: minor
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: taviso@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
|
|
Summary: dev-java/sun-jdk: ebuild insecure temporary file handling
|
|
Keywords:
|
|
Status Whiteboard: B3 [noglsa] jaervosz
|
|
Opened: 2005-03-24 14:42 0000
|
the sun-jdk ebuild uses a predictable tmp filename for it's extraction log.
users could abuse this by creating files at arbitrary locations via a symlink attack. example:
$ ls -l /etc/nologin
ls: /etc/nologin: No such file or directory
$ ln -fs /etc/nologin /tmp/unpack.log
# wait for root to emerge java
$ ls -l /etc/nologin
-rw-r--r-- 1 root root 390 Mar 24 22:36 /etc/nologin
I've thought of a solution,
$ cvs diff sun-jdk-1.4.2.07.ebuild
Index: sun-jdk-1.4.2.07.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/dev-java/sun-jdk/sun-jdk-1.4.2.07.ebuild,v
retrieving revision 1.2
diff -u -w -r1.2 sun-jdk-1.4.2.07.ebuild
--- sun-jdk-1.4.2.07.ebuild 3 Feb 2005 05:43:51 -0000 1.2
+++ sun-jdk-1.4.2.07.ebuild 24 Mar 2005 22:38:56 -0000
@@ -76,6 +76,7 @@
if [ -f ${S}/lib/unpack ]; then
UNPACK_CMD=${S}/lib/unpack
chmod +x $UNPACK_CMD
+ perl -pi -e 's#/tmp/unpack.log#/dev/null\x00\x00\x00\x00\x00\x00#sg' $UNPACK_CMD
for i in $PACKED_JARS; do
PACK_FILE=${S}/`dirname $i`/`basename $i .jar`.pack
if [ -f ${PACK_FILE} ]; then
replace the hardcoded predictable name with /dev/null (note the null padding is required).
Is this bug Gentoo-ebuild-specific ? Or does it affect every JDK installer ? In
which case we should transmit to Sun.
luckyduck: you should revbump so that if we issue a GLSA about this we get a
"fixed" from version.
Koon: it's part of the installation routine from sun (ie, not gentoo's fault),
so we should inform upstream?
these are also affected:
dev-java/sun-jre-bin
dev-java/blackdown-jdk
dev-java/blackdown-jre
the same patch should work
can this be done with sed too?
don't want to be DEPEND'ing on perl
axxo: yep, if you'ld prefer.
This works fine:
sed -i 's#/tmp/unpack.log#/dev/null\x00\x00\x00\x00\x00\x00#g' $UNPACK_CMD
applied to all vulnerable packages/versions. old and vulnerable revisions are
removed from the tree, the new revisions which aren't vulnerable are:
sun-jdk-1.4.2.07-r1
sun-jdk-1.5.0.02-r1
sun-jre-bin-1.4.2.07-r1
sun-jre-bin-1.5.0.01-r1
blackdown-jdk-1.4.2.01-r2
blackdown-jre-1.4.2.01-r1
there are versions in the tree which don't make use of $UNPACK_CMD at all. i
havn't touch these version.
Arches please test and mark stable (if possible)
blackdown-jdk-1.4.2.01-r2: amd64, ppc?, sparc?, x86
blackdown-jre-1.4.2.01-r1: ppc?, sparc?
Jan, please check that the Sun packages have proper keywords.
ppc doesn't use blackdown.
blackdown-jdk-1.4.2.01-r2 stable on amd64
At last check, there was no blackdown-j*-1.4.2* for SPARC. The latest we have
is 1.4.1. Not sure how you want to handle that.
i think the keywords are fine now, there was no sparc and no ppc keyword in any
of the vulnerable versions. version <=1.4.1 don't make use of this installing
scheme and $UNPACK_CMD etc. seems that everything is fine now
Removing SPARC then since we aren't affected.
This one is ready for GLSA decision.
I would vote no... My logic being that upgrading won't solve anything. People
with the affected package already installed are not vulnerable to anything.
Only people re-installing old versions would be.
So I would remove all affected versions and close this one without GLSA.
i don't have a right to vote, but i agree. all affected versions aren't in the
tree any longer.
I agree -> closing without GLSA.
