Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hello folks, Markus has prepared a new version of hawtjni to fix CVE-2013-2035 (#708293) by backporting the corresponding upstream commits. Please find attached the debdiff against the hawtjni version in stable. Please let me know if the changes qualify for an upload to s-p-u. Description =========== * CVE-2013-2035 Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp. Cheers, -- System Information: Debian Release: 7.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/changelog hawtjni-1.0~+git0c502e20c4/debian/changelog
--- hawtjni-1.0~+git0c502e20c4/debian/changelog 2011-07-30 14:14:39.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/changelog 2014-07-13 23:08:26.000000000 -0300
@@ -1,3 +1,11 @@
+hawtjni (1.0~+git0c502e20c4-3+deb7u1) wheezy-security; urgency=medium
+
+ * Add CVE-2013-2035.patch.
+ - Fix /tmp race condition with arbitrary code execution.
+ (CVE-2013-2035)
+
+ -- Markus Koschany <a...@gambaru.de> Fri, 11 Jul 2014 15:14:35 +0200
+
 hawtjni (1.0~+git0c502e20c4-3) unstable; urgency=low
 * Team upload.
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch
--- hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1,151 @@
+From: Hiram Chirino <hi...@hiramchirino.com>
+Date: Fri, 11 Jul 2014 15:11:14 +0200
+Subject: CVE 2013-2035
+
+Bug: https://bugs.debian.org/708293
+Forwarded: https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5
+---
+ .../org/fusesource/hawtjni/runtime/Library.java | 80 ++++++++--------------
+ 1 file changed, 30 insertions(+), 50 deletions(-)
+
+diff --git a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+index 28e15ea..0c3145d 100755
+--- a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
++++ b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+@@ -9,13 +9,11 @@
+ *******************************************************************************/
+ package org.fusesource.hawtjni.runtime;
+
+-import java.io.File;
+-import java.io.FileOutputStream;
+-import java.io.IOException;
+-import java.io.InputStream;
++import java.io.*;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.util.ArrayList;
++import java.util.Random;
+ import java.util.regex.Pattern;
+
+ /**
+@@ -205,15 +203,19 @@ public class Library {
+ URL resource = classLoader.getResource(resourcePath);
+ if( resource !=null ) {
+
+- String libName = name;
++ String libName = name + "-" + getBitModel();
+ if( version !=null) {
+ libName += "-" + version;
+ }
+-
++
++ String []libNameParts = map(libName).split("\\.");
++ String prefix = libNameParts[0]+"-";
++ String suffix = "."+libNameParts[1];
++
+ if( customPath!=null ) {
+ // Try to extract it to the custom path...
+- File target = file(customPath, map(libName));
+- if( extract(errors, resource, target) ) {
++ File target = extract(errors, resource, prefix, suffix, file(customPath));
++ if( target!=null ) {
+ if( load(errors, target) ) {
+ return true;
+ }
+@@ -222,8 +224,8 @@ public class Library {
+
+ // Fall back to extracting to the tmp dir
+ customPath = System.getProperty("java.io.tmpdir");
+- File target = file(customPath, map(libName));
+- if( extract(errors, resource, target) ) {
++ File target = extract(errors, resource, prefix, suffix, file(customPath));
++ if( target!=null ) {
+ if( load(errors, target) ) {
+ return true;
+ }
+@@ -257,67 +259,45 @@ public class Library {
+ return libName;
+ }
+
+- private boolean extract(ArrayList<String> errors, URL source, File target) {
+- FileOutputStream os = null;
+- InputStream is = null;
+- boolean extracting = false;
++ private File extract(ArrayList<String> errors, URL source, String prefix, String suffix, File directory) {
++ File target = null;
+ try {
+- if (!target.exists() || isStale(source, target) ) {
++ FileOutputStream os = null;
++ InputStream is = null;
++ try {
++ target = File.createTempFile(prefix, suffix, directory);
+ is = source.openStream();
+ if (is != null) {
+ byte[] buffer = new byte[4096];
+ os = new FileOutputStream(target);
+- extracting = true;
+ int read;
+ while ((read = is.read(buffer)) != -1) {
+ os.write(buffer, 0, read);
+ }
+- os.close();
+- is.close();
+ chmod("755", target);
+ }
++ target.deleteOnExit();
++ return target;
++ } finally {
++ close(os);
++ close(is);
+ }
+ } catch (Throwable e) {
+- try {
+- if (os != null)
+- os.close();
+- } catch (IOException e1) {
+- }
+- try {
+- if (is != null)
+- is.close();
+- } catch (IOException e1) {
+- }
+- if (extracting && target.exists())
++ if( target!=null ) {
+ target.delete();
++ }
+ errors.add(e.getMessage());
+- return false;
+ }
+- return true;
++ return null;
+ }
+
+- private boolean isStale(URL source, File target) {
+-
+- if( 
source.getProtocol().equals("jar") ) {
+- // unwrap the jar protocol...
++ static private void close(Closeable file) {
++ if(file!=null) {
+ try {
+- String parts[] = source.getFile().split(Pattern.quote("!"));
+- source = new URL(parts[0]);
+- } catch (MalformedURLException e) {
+- return false;
+- }
+- }
+-
+- File sourceFile=null;
+- if( source.getProtocol().equals("file") ) {
+- sourceFile = new File(source.getFile());
+- }
+- if( sourceFile!=null && sourceFile.exists() ) {
+- if( sourceFile.lastModified() > target.lastModified() ) {
+- return true;
++ file.close();
++ } catch (Exception ignore) {
+ }
+ }
+- return false;
+ }
+
+ private void chmod(String permision, File path) {
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/series hawtjni-1.0~+git0c502e20c4/debian/patches/series
--- hawtjni-1.0~+git0c502e20c4/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/series 2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1 @@
+CVE-2013-2035.patch
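Review bot: In the `@@ -205,15 +203,19 @@` hunk of Library.java, the suffix is taken from `libNameParts[1]` after `map(libName).split("\\.")`, so if `version` contains a dot the temp file gets a suffix such as `.8` instead of the library extension, and a mapped name with no dot raises ArrayIndexOutOfBoundsException with no handler visible in the hunk. Cutting at the last dot handles both cases: `String mapped = map(libName); int dot = mapped.lastIndexOf('.');`, then `String prefix = (dot < 0 ? mapped : mapped.substring(0, dot)) + "-";` and `String suffix = dot < 0 ? null : mapped.substring(dot);`. In the rewritten `extract` (hunk `@@ -257,67 +259,45 @@`), the fix depends on `File.createTempFile` creating a new file under an unpredictable name instead of reusing an existing one; a comment on that call, e.g. `// never reuse a pre-existing file: a predictable name in a shared tmp dir was CVE-2013-2035`, would help keep the removed exists()/isStale() reuse path from being reintroduced. The added `import java.util.Random;` is not used in any visible hunk, and the method containing the prefix/suffix code starts and ends outside its hunk, so any surrounding error handling could not be checked.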