Public bug reported:

Since JDK 11, the Ubuntu "open jdk" packages have a defect which does not appear in the actual Open JDK distros available from java.net. The problem was discovered by Derby users (see https://issues.apache.org/jira/browse/DERBY-7122) and reported as an Open JDK bug (see https://bugs.openjdk.java.net/browse/JDK-8272157).

This is the problem: When trying to persist a java.util.Properties object, an exception is raised when running under the java SecurityManager. The exception occurs when java.util.Properties.store0() calls java.util.Properties.getFormattedTimestamp() in order to format the timestamp required by the contract of java.util.Properties.store(). The getFormattedTimestamp() method does not appear in Open JDK. There the timestamp is formatted thusly:

    bw.write("#" + new Date().toString());

The exception stack trace (see the repro below) is:

Exception in thread "main" java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.SOURCE_DATE_EPOCH")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.System.getenv(System.java:1016)
        at java.base/java.util.Properties.getFormattedTimestamp(Properties.java:1599)
        at java.base/java.util.Properties.store0(Properties.java:926)
        at java.base/java.util.Properties.store(Properties.java:868)
        at DERBY_7122.main(DERBY_7122.java:37)

At a minimum, could someone explain (with CVE numbers if available) the security risk incurred by probing the value of the Linux environment variable SOURCE_DATE_EPOCH?

Here is a sample program which demonstrates this problem. This program runs fine on Open JDK distros from java.net.

import java.io.PrintWriter;
import java.util.Properties;

/**
 * Demonstrate that Properties.store() fails under a security manager on Ubuntu.
 */
public class DERBY_7122
{
    private static final String PROPERTY_FILE_NAME = "/tmp/derby-7122.properties";
    private static final String SECURITY_POLICY_FILE_NAME = "/tmp/derby-7122.policy";
    private static final String SECURITY_POLICY_FILE_URL = "file:" + SECURITY_POLICY_FILE_NAME;

    private final static String POLICY_FILE_PROPERTY = "java.security.policy";

    private static final String SECURITY_FILE_CONTENTS =
        "grant\n" +
        "{\n" +
        "  permission java.io.FilePermission \"/tmp/-\", \"read,write,delete\";\n" +
        "};\n"
        ;

    public static void main(String... args) throws Exception
    {
        // write the policy file
        try (PrintWriter pw = new PrintWriter(SECURITY_POLICY_FILE_NAME))
        {
            pw.write(SECURITY_FILE_CONTENTS);
        }

        // start up a security manager using the policy file we just wrote
        System.setProperty( POLICY_FILE_PROPERTY, SECURITY_POLICY_FILE_URL );
        System.setSecurityManager( new SecurityManager() );

        // create a small Properties object
        Properties props = new Properties();
        props.setProperty("foo", "bar");

        // write the properties to disk.
        props.store(new PrintWriter(PROPERTY_FILE_NAME), "this fails on ubuntu with JVMs at level 11 and higher");
    }
}

** Affects: openjdk-16 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1939339

Title:
  Security exception raised by java.util.Properties.store() when using openjdk-16-jdk
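
The failure mode in the report above, where an environment lookup inside timestamp-formatting code turns a caller's missing RuntimePermission into a failed store(), can be avoided by treating a denied read as "variable not set". The following is an added example, not code from the bug report, the Ubuntu package or OpenJDK; the class and method names are hypothetical and the sample inputs are constructed.

```java
import java.time.DateTimeException;
import java.time.Instant;
import java.util.Date;

/** Added illustration; class and method names are hypothetical. */
public class EpochTimestamp {

    /** Returns the raw variable, or null if it is unset or the read is denied. */
    static String readEpoch() {
        try {
            return System.getenv("SOURCE_DATE_EPOCH");
        } catch (SecurityException denied) {
            // The caller's policy lacks
            //   permission java.lang.RuntimePermission "getenv.SOURCE_DATE_EPOCH";
            // Treat that as "not set" so the write still succeeds.
            return null;
        }
    }

    /**
     * Builds the timestamp text in Date.toString() form.
     * A valid epoch-seconds value gives a fixed, reproducible date;
     * anything else falls back to the current time.
     */
    static String format(String rawEpoch) {
        if (rawEpoch != null) {
            try {
                long seconds = Long.parseLong(rawEpoch.trim());
                return Date.from(Instant.ofEpochSecond(seconds)).toString();
            } catch (IllegalArgumentException | DateTimeException bad) {
                // Not a number, or outside the representable range: fall through.
            }
        }
        return new Date().toString();
    }

    public static void main(String[] args) {
        // Value from the real environment, if readable.
        System.out.println("#" + format(readEpoch()));
        // Constructed inputs: a valid epoch and a malformed one.
        System.out.println("#" + format("1628467200"));
        System.out.println("#" + format("not-a-number"));
    }
}
```

Run under the reporter's policy file, readEpoch() returns null instead of propagating the AccessControlException, so the output degrades to the current date rather than aborting.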