This bug was fixed in the package openjdk-lts - 11.0.20.1+1-0ubuntu1~22.04 --------------- openjdk-lts (11.0.20.1+1-0ubuntu1~22.04) jammy-security; urgency=medium
* Upload to Ubuntu 22.04. openjdk-lts (11.0.20.1+1-0ubuntu1) mantic; urgency=medium * OpenJDK 11.0.20.1 release, build 1. - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data field size) (LP: #2032865). * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass. -- Vladimir Petko <vladimir.pe...@canonical.com> Fri, 25 Aug 2023 10:33:08 +1200 ** Changed in: openjdk-lts (Ubuntu Jammy) Status: New => Fix Released ** Changed in: openjdk-17 (Ubuntu Focal) Status: New => Fix Released -- You received this bug notification because you are a member of OpenJDK, which is subscribed to openjdk-lts in Ubuntu. https://bugs.launchpad.net/bugs/2032865 Title: Please update openjdk-lts to 11.0.20.1+1 and openjdk-17 to 17.0.8.1+1 to fix JDK-8313765 Status in openjdk-17 package in Ubuntu: New Status in openjdk-lts package in Ubuntu: New Status in openjdk-17 source package in Focal: Fix Released Status in openjdk-lts source package in Focal: New Status in openjdk-17 source package in Jammy: New Status in openjdk-lts source package in Jammy: Fix Released Status in openjdk-17 source package in Lunar: New Status in openjdk-lts source package in Lunar: New Status in openjdk-17 source package in Mantic: New Status in openjdk-lts source package in Mantic: New Bug description: [Background] JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) was fixed in openjdk 11.0.20.1+1 and openjdk 17.0.8.1+1. -------------- The following ZipException may be thrown when the data contained in the CEN Extra fields are problematic: Invalid CEN header (invalid zip64 extra data field size) The ZipException may occur due to: 1. Some releases of Ant and commons-compress create CEN Zip64 extra headers with a size of 0 when Zip64 mode is required - fixed in Commons-compress 1.11 (2016) and Ant 1.10.14 (2023). 2. Extra field includes padding not included in the Extra data field headers 3. The BND tool added problematic data to the extra field - fixed in BND 5.3 (2021) and maven-bundle-plugin 5.1.5 which includes BND 5.3 The issue can demonstrated via the following ant script : ?xml version="1.0"?> <project name="zip 64 jar test" basedir="." default="jar"> <property name="jarFile" value="test.jar"/> <property name="builddir" value="classes"/> <target name="jar"> <jar destfile="${jarFile}" zip64mode="always" basedir="${builddir}"/> </target> </project> ---------------- [1] [Impact] This means that zip64 jar files made by older versions of commons- compress and more importantly Ant are not readable by the July security update JDKs (11.0.20 and 17.0.8). The user is unable to run existing software. The latest version of ant in the archive is 1.10.13[2] which means that all relevant Ubuntu versions (bionic, focal, jammy, lunar, mantic) are affected. The behaviour can be worked around with jdk.util.zip.disableZip64ExtraFieldValidation but this exposes the user to CVE-2023-22036 - JDK crash when unpacking malicious zip file which can be problematic for the server-side workloads. [Suggested Fix] Release upstream versions 11.0.20.1+1 and 17.0.8.1+1 to affected versions - bionic (esm), focal, jammy, lunar, mantic. [Test Plan] Ensure that the test jar file can be run using the fixed version. ----------------------- #!/bin/bash for release in bionic focal jammy lunar mantic; do for jdk in openjdk-11-jdk-headless openjdk-17-jdk-headless; do echo -------testing $release with $jdk lxc launch ubuntu-daily:$release tester lxc exec tester -- apt-get update lxc exec tester -- apt-get -y install ${jdk} ant lxc file push validate-fix.sh tester/home/ubuntu/validate-fix.sh lxc exec tester -- /bin/bash /home/ubuntu/validate-fix.sh lxc stop tester lxc delete tester echo -------DONE testing $release with $jdk done done ----------------------- validate-fix.sh is attached to the bug. [Where the problems can occur] - validate that the zip file can run when Security manager is enabled and a permission to read 'jdk.util.zip.disableZip64ExtraFieldValidation' is not granted [1] https://bugs.openjdk.org/browse/JDK-8313765 [2] https://launchpad.net/ubuntu/+source/ant To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjdk-17/+bug/2032865/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~openjdk Post to : openjdk@lists.launchpad.net Unsubscribe : https://launchpad.net/~openjdk More help : https://help.launchpad.net/ListHelp