Public bug reported:

Since JDK 11, the Ubuntu "open jdk" packages have a defect which does
not appear in the actual Open JDK distros available from java.net. The
problem was discovered by Derby users (see
https://issues.apache.org/jira/browse/DERBY-7122) and reported as an
Open JDK bug (see https://bugs.openjdk.java.net/browse/JDK-8272157).

This is the problem: When trying to persist a java.util.Properties
object, an exception is raised when running under the java
SecurityManager. The exception occurs when java.util.Properties.store0()
calls java.util.Properties.getFormattedTimestamp() in order to format
the timestamp required by the contract of java.util.Properties.store().
The getFormattedTimestamp() method does not appear in Open JDK. There
the timestamp is formatted thusly:

bw.write("#" + new Date().toString());

The exception stack trace (see the repro below) is:

Exception in thread "main" java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.SOURCE_DATE_EPOCH")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.System.getenv(System.java:1016)
        at java.base/java.util.Properties.getFormattedTimestamp(Properties.java:1599)
        at java.base/java.util.Properties.store0(Properties.java:926)
        at java.base/java.util.Properties.store(Properties.java:868)
        at DERBY_7122.main(DERBY_7122.java:37)

At a minimum, could someone explain (with CVE numbers if available) the
security risk incurred by probing the value of the Linux environment
variable SOURCE_DATE_EPOCH?

Here is a sample program which demonstrates this problem. This program
runs fine on Open JDK distros from java.net.

import java.io.PrintWriter;
import java.util.Properties;

/**
 * Demonstrate that Properties.store() fails under a security manager on Ubuntu.
 */
public class DERBY_7122
{
    private static final String PROPERTY_FILE_NAME = "/tmp/derby-7122.properties";
    private static final String SECURITY_POLICY_FILE_NAME = "/tmp/derby-7122.policy";
    private static final String SECURITY_POLICY_FILE_URL = "file:" + SECURITY_POLICY_FILE_NAME;

    private final static String POLICY_FILE_PROPERTY = "java.security.policy";

    // policy grants only file access under /tmp; nothing about environment variables
    private static final String SECURITY_FILE_CONTENTS =
        "grant\n" +
        "{\n" +
        "  permission java.io.FilePermission \"/tmp/-\", \"read,write,delete\";\n" +
        "};\n"
        ;

    public static void main(String... args) throws Exception
    {
        // write the policy file
        try (PrintWriter pw = new PrintWriter(SECURITY_POLICY_FILE_NAME))
        { pw.write(SECURITY_FILE_CONTENTS); }

        // start up a security manager using the policy file we just wrote
        System.setProperty( POLICY_FILE_PROPERTY, SECURITY_POLICY_FILE_URL );
        System.setSecurityManager( new SecurityManager() );

        // create a small Properties object
        Properties props = new Properties();
        props.setProperty("foo", "bar");

        // write the properties to disk.
        props.store(new PrintWriter(PROPERTY_FILE_NAME), "this fails on ubuntu with JVMs at level 11 and higher");
    }

}

** Affects: openjdk-16 (Ubuntu)
     Importance: Undecided
         Status: New
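
As an added example, not part of the bug report above, the narrowest policy change that lets the repro run on the affected Ubuntu build: grant exactly the RuntimePermission named in the exception rather than a blanket "getenv.*". The class name, the helper canReadSourceDateEpoch(), and the /tmp paths are assumptions carried over from the repro.

```java
import java.io.PrintWriter;
import java.security.AccessControlException;
import java.security.AccessController;
import java.util.Properties;

/**
 * Added example: the same repro, but the policy also grants the single
 * RuntimePermission that the Ubuntu build's getFormattedTimestamp() needs.
 * Paths and class name are assumed, modelled on the original report.
 */
public class DERBY_7122_Workaround
{
    private static final String PROPERTY_FILE_NAME = "/tmp/derby-7122.properties";
    private static final String SECURITY_POLICY_FILE_NAME = "/tmp/derby-7122.policy";

    // Least-privilege grant: only the one environment variable read by
    // Properties.getFormattedTimestamp() on Ubuntu, not "getenv.*".
    private static final String SECURITY_FILE_CONTENTS =
        "grant\n" +
        "{\n" +
        "  permission java.io.FilePermission \"/tmp/-\", \"read,write,delete\";\n" +
        "  permission java.lang.RuntimePermission \"getenv.SOURCE_DATE_EPOCH\";\n" +
        "};\n";

    /** True if the current protection domain may read SOURCE_DATE_EPOCH. */
    static boolean canReadSourceDateEpoch()
    {
        try {
            AccessController.checkPermission(
                new RuntimePermission("getenv.SOURCE_DATE_EPOCH"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String... args) throws Exception
    {
        try (PrintWriter pw = new PrintWriter(SECURITY_POLICY_FILE_NAME))
        { pw.write(SECURITY_FILE_CONTENTS); }

        // same setup as the repro: policy file, then a SecurityManager
        System.setProperty("java.security.policy", "file:" + SECURITY_POLICY_FILE_NAME);
        System.setSecurityManager(new SecurityManager());

        System.out.println("getenv.SOURCE_DATE_EPOCH granted: " + canReadSourceDateEpoch());

        Properties props = new Properties();
        props.setProperty("foo", "bar");
        try (PrintWriter out = new PrintWriter(PROPERTY_FILE_NAME))
        { props.store(out, "stored with an explicit getenv grant"); }
    }
}
```

On JDK 18 and later, setSecurityManager() additionally requires -Djava.security.manager=allow on the command line; on the openjdk-16 package named in this report it does not.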

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939339

Title:
  Security exception raised by java.util.Properties.store() when using
  openjdk-16-jdk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-16/+bug/1939339/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs