First published: Mon Feb 03 2014
Jakub Wilk reported in a Debian bug report [1] that the unpack200 program included in OpenJDK did not handle its log file properly. If the log file could not be opened, it would fall back to creating /tmp/unpack.log, but do so in an insecure manner, as shown in unpack.cpp (the excerpt below is from OpenJDK 6):

```cpp
void unpacker::redirect_stdio() {
  ...
#else
  sprintf(tmpdir,"/tmp");
  sprintf(log_file_name, "/tmp/unpack.log");   // fixed, predictable name in /tmp
#endif
  // fopen() follows a symlink already present at this path
  if ((errstrm = fopen(log_file_name, "a+")) != NULL) {
    log_file = errstrm_name = saveStr(log_file_name);
    return ;
  }

  // tempnam() only returns a name; the file is created later by fopen()
  char *tname = tempnam(tmpdir,"#upkg");
  sprintf(log_file_name, "%s", tname);
  if ((errstrm = fopen(log_file_name, "a+")) != NULL) {
    log_file = errstrm_name = saveStr(log_file_name);
    return ;
  }
```

The same code exists in OpenJDK 7 and 8. This could allow a malicious local attacker to conduct local attacks, such as symlink attacks, where a file could be overwritten if the user running unpack200 had write permission to it.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737562
Credit: cve@mitre.org
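A hardened form of the log-opening pattern in the excerpt above, as an added example; it is not OpenJDK code and not the fix that was shipped. The helper names `open_log_nofollow` and `open_log_unique`, the `unpack-XXXXXX` template and the test scenario are assumptions made for illustration, and a Linux/POSIX.1-2008 system is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: append to a fixed log path without following a symlink
 * in the last component; accept only a regular, singly linked file we own. */
static FILE *open_log_nofollow(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return NULL;                 /* a planted symlink fails here */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) { close(fd); return NULL; }
    FILE *f = fdopen(fd, "a");
    if (!f) close(fd);
    return f;
}

/* Hypothetical fallback: mkstemp() picks the name and creates it O_EXCL, 0600. */
static FILE *open_log_unique(const char *dir, char *name, size_t len) {
    if (snprintf(name, len, "%s/unpack-XXXXXX", dir) >= (int)len) return NULL;
    int fd = mkstemp(name);
    FILE *f = fd < 0 ? NULL : fdopen(fd, "a");
    if (!f && fd >= 0) { close(fd); unlink(name); }
    return f;
}

/* Constructed scenario in a private directory: unpack.log is a symlink to "victim".
 * Returns 1 if it is refused, victim stays empty and the fallback log is private. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/logdemo-XXXXXX", victim[64], lnk[64], fb[64] = "";
    struct stat vs, fs;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/unpack.log", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fclose(v) != 0 || symlink(victim, lnk) != 0) return -1;
    FILE *log = open_log_nofollow(lnk);
    if (!log) log = open_log_unique(dir, fb, sizeof fb);   /* fallback path */
    if (log) { fputs("unpack200 log line\n", log); fclose(log); }
    int ok = fb[0] && stat(victim, &vs) == 0 && vs.st_size == 0 &&
             lstat(fb, &fs) == 0 && S_ISREG(fs.st_mode) &&
             (fs.st_mode & 0777) == 0600;
    unlink(lnk); unlink(victim); if (fb[0]) unlink(fb); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

The ownership and link-count checks happen on the open descriptor with `fstat()`, so they describe the file that will actually be written rather than whatever the path names a moment later.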
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.7.0-oracle-1:1.7.0.55-1jpp.2.el5_10 | 1.7.0-oracle-1:1.7.0.55-1jpp.2.el5_10 |
redhat/java | <1.6.0-sun-1:1.6.0.75-1jpp.3.el5_10 | 1.6.0-sun-1:1.6.0.75-1jpp.3.el5_10 |
redhat/java | <1.7.0-oracle-1:1.7.0.55-1jpp.1.el6_5 | 1.7.0-oracle-1:1.7.0.55-1jpp.1.el6_5 |
redhat/java | <1.6.0-sun-1:1.6.0.75-1jpp.1.el6_5 | 1.6.0-sun-1:1.6.0.75-1jpp.1.el6_5 |
redhat/java | <1.7.0-openjdk-1:1.7.0.55-2.4.7.1.el5_10 | 1.7.0-openjdk-1:1.7.0.55-2.4.7.1.el5_10 |
redhat/java | <1.6.0-openjdk-1:1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-1:1.6.0.0-5.1.13.3.el5_10 |
redhat/java | <1.7.0-openjdk-1:1.7.0.55-2.4.7.1.el6_5 | 1.7.0-openjdk-1:1.7.0.55-2.4.7.1.el6_5 |
redhat/java | <1.6.0-openjdk-1:1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-1:1.6.0.0-5.1.13.3.el6_5 |
redhat/java | <1.7.0-openjdk-1:1.7.0.55-2.4.7.2.el7_0 | 1.7.0-openjdk-1:1.7.0.55-2.4.7.2.el7_0 |
redhat/java | <1.6.0-openjdk-1:1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-1:1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.0-1jpp.1.el5 | 1.6.0-ibm-1:1.6.0.16.0-1jpp.1.el5 |
redhat/java | <1.7.0-ibm-1:1.7.0.7.0-1jpp.1.el5_10 | 1.7.0-ibm-1:1.7.0.7.0-1jpp.1.el5_10 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.0-1jpp.1.el5_10 | 1.6.0-ibm-1:1.6.0.16.0-1jpp.1.el5_10 |
redhat/java | <1.5.0-ibm-1:1.5.0.16.6-1jpp.1.el5_10 | 1.5.0-ibm-1:1.5.0.16.6-1jpp.1.el5_10 |
redhat/java | <1.7.0-ibm-1:1.7.0.7.0-1jpp.1.el6_5 | 1.7.0-ibm-1:1.7.0.7.0-1jpp.1.el6_5 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.0-1jpp.1.el6_5 | 1.6.0-ibm-1:1.6.0.16.0-1jpp.1.el6_5 |
redhat/java | <1.5.0-ibm-1:1.5.0.16.6-1jpp.1.el6_5 | 1.5.0-ibm-1:1.5.0.16.6-1jpp.1.el6_5 |
redhat/java | <1.7.1-ibm-1:1.7.1.1.0-1jpp.2.el7_0 | 1.7.1-ibm-1:1.7.1.1.0-1jpp.2.el7_0 |
redhat/icedtea | <1.13.3 | 1.13.3 |
redhat/icedtea | <2.4.7 | 2.4.7 |
Oracle OpenJDK | =1.6.0 | |
Oracle OpenJDK | =1.7.0 | |
Oracle OpenJDK | =1.8.0 | |