Your message dated Sat, 18 Oct 2014 12:06:30 +0100
with message-id <E1XfRqA-0002Re-A8@jacala>
and subject line Closing bugs for updates in 7.7
has caused the Debian Bug report #755018,
regarding pu: package hawtjni/1.0~+git0c502e20c4-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
755018: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755018
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu

Hello folks,

Markus has prepared a new version of hawtjni to fix CVE-2013-2035
(#708293) by backporting the corresponding upstream commits.
Please find attached the debdiff against the hawtjni version in
stable.

Please let me know if the changes qualify for an upload to s-p-u.

Description
===========

* CVE-2013-2035
Race condition in
hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
in HawtJNI before 1.8, when a custom library path is not specified,
allows local users to execute arbitrary Java code by overwriting a
temporary JAR file with a predictable name in /tmp.


Cheers,


-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/changelog 
hawtjni-1.0~+git0c502e20c4/debian/changelog
--- hawtjni-1.0~+git0c502e20c4/debian/changelog 2011-07-30 14:14:39.000000000 
-0300
+++ hawtjni-1.0~+git0c502e20c4/debian/changelog 2014-07-13 23:08:26.000000000 
-0300
@@ -1,3 +1,11 @@
+hawtjni (1.0~+git0c502e20c4-3+deb7u1) wheezy-security; urgency=medium
+
+  * Add CVE-2013-2035.patch.
+    - Fix /tmp race condition with arbitrary code execution.
+      (CVE-2013-2035)
+
+ -- Markus Koschany <[email protected]>  Fri, 11 Jul 2014 15:14:35 +0200
+
 hawtjni (1.0~+git0c502e20c4-3) unstable; urgency=low
 
   * Team upload.
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch 
hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch
--- hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch       
1969-12-31 21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/CVE-2013-2035.patch       
2014-07-13 23:08:26.000000000 -0300
@@ -0,0 +1,151 @@
+From: Hiram Chirino <[email protected]>
+Date: Fri, 11 Jul 2014 15:11:14 +0200
+Subject: CVE 2013-2035
+
+Bug: https://bugs.debian.org/708293
+Forwarded: 
https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5
+---
+ .../org/fusesource/hawtjni/runtime/Library.java    | 80 ++++++++--------------
+ 1 file changed, 30 insertions(+), 50 deletions(-)
+
+diff --git 
a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java 
b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+index 28e15ea..0c3145d 100755
+--- a/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
++++ b/hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java
+@@ -9,13 +9,11 @@
+  
*******************************************************************************/
+ package org.fusesource.hawtjni.runtime;
+ 
+-import java.io.File;
+-import java.io.FileOutputStream;
+-import java.io.IOException;
+-import java.io.InputStream;
++import java.io.*;
+ import java.net.MalformedURLException;
+ import java.net.URL;
+ import java.util.ArrayList;
++import java.util.Random;
+ import java.util.regex.Pattern;
+ 
+ /**
+@@ -205,15 +203,19 @@ public class Library {
+         URL resource = classLoader.getResource(resourcePath);
+         if( resource !=null ) {
+             
+-            String libName = name;
++            String libName = name + "-" + getBitModel();
+             if( version !=null) {
+                 libName += "-" + version;
+             }
+-            
++
++            String []libNameParts = map(libName).split("\\.");
++            String prefix = libNameParts[0]+"-";
++            String suffix = "."+libNameParts[1];
++
+             if( customPath!=null ) {
+                 // Try to extract it to the custom path...
+-                File target = file(customPath, map(libName));
+-                if( extract(errors, resource, target) ) {
++                File target = extract(errors, resource, prefix, suffix, 
file(customPath));
++                if( target!=null ) {
+                     if( load(errors, target) ) {
+                         return true;
+                     }
+@@ -222,8 +224,8 @@ public class Library {
+             
+             // Fall back to extracting to the tmp dir
+             customPath = System.getProperty("java.io.tmpdir");
+-            File target = file(customPath, map(libName));
+-            if( extract(errors, resource, target) ) {
++            File target = extract(errors, resource, prefix, suffix, 
file(customPath));
++            if( target!=null ) {
+                 if( load(errors, target) ) {
+                     return true;
+                 }
+@@ -257,67 +259,45 @@ public class Library {
+         return libName;
+     }
+ 
+-    private boolean extract(ArrayList<String> errors, URL source, File 
target) {
+-        FileOutputStream os = null;
+-        InputStream is = null;
+-        boolean extracting = false;
++    private File extract(ArrayList<String> errors, URL source, String prefix, 
String suffix, File directory) {
++        File target = null;
+         try {
+-            if (!target.exists() || isStale(source, target) ) {
++            FileOutputStream os = null;
++            InputStream is = null;
++            try {
++                target = File.createTempFile(prefix, suffix, directory);
+                 is = source.openStream();
+                 if (is != null) {
+                     byte[] buffer = new byte[4096];
+                     os = new FileOutputStream(target);
+-                    extracting = true;
+                     int read;
+                     while ((read = is.read(buffer)) != -1) {
+                         os.write(buffer, 0, read);
+                     }
+-                    os.close();
+-                    is.close();
+                     chmod("755", target);
+                 }
++                target.deleteOnExit();
++                return target;
++            } finally {
++                close(os);
++                close(is);
+             }
+         } catch (Throwable e) {
+-            try {
+-                if (os != null)
+-                    os.close();
+-            } catch (IOException e1) {
+-            }
+-            try {
+-                if (is != null)
+-                    is.close();
+-            } catch (IOException e1) {
+-            }
+-            if (extracting && target.exists())
++            if( target!=null ) {
+                 target.delete();
++            }
+             errors.add(e.getMessage());
+-            return false;
+         }
+-        return true;
++        return null;
+     }
+ 
+-    private boolean isStale(URL source, File target) {
+-        
+-        if( source.getProtocol().equals("jar") ) {
+-            // unwrap the jar protocol...
++    static private void close(Closeable file) {
++        if(file!=null) {
+             try {
+-                String parts[] = source.getFile().split(Pattern.quote("!"));
+-                source = new URL(parts[0]);
+-            } catch (MalformedURLException e) {
+-                return false;
+-            }
+-        }
+-        
+-        File sourceFile=null;
+-        if( source.getProtocol().equals("file") ) {
+-            sourceFile = new File(source.getFile());
+-        }
+-        if( sourceFile!=null && sourceFile.exists() ) {
+-            if( sourceFile.lastModified() > target.lastModified() ) {
+-                return true;
++                file.close();
++            } catch (Exception ignore) {
+             }
+         }
+-        return false;
+     }
+ 
+     private void chmod(String permision, File path) {
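Review bot: In the second Library.java hunk, `map(libName).split("\\.")` treats `libNameParts[1]` as the file extension, which holds only when the mapped name contains exactly one dot. Because `version` is appended to `libName` before mapping, a dotted version (a constructed example: `1.0`) would presumably produce a suffix of `.0` rather than the platform extension. A mapped name with no dot would throw `ArrayIndexOutOfBoundsException` before `extract` is reached, so it would not be recorded in `errors`. Splitting at the last dot avoids both cases: `int dot = mapped.lastIndexOf('.');`, then `prefix = mapped.substring(0, dot) + "-"` and `suffix = mapped.substring(dot)`, with a guard for `dot < 0`. The enclosing method starts and ends outside the hunk and only the tail of `map()` is visible, so the exact mapped names should be checked against the full file.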
diff -Nru hawtjni-1.0~+git0c502e20c4/debian/patches/series 
hawtjni-1.0~+git0c502e20c4/debian/patches/series
--- hawtjni-1.0~+git0c502e20c4/debian/patches/series    1969-12-31 
21:00:00.000000000 -0300
+++ hawtjni-1.0~+git0c502e20c4/debian/patches/series    2014-07-13 
23:08:26.000000000 -0300
@@ -0,0 +1 @@
+CVE-2013-2035.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 7.7

The upload discussed in this bug was included in the 7.7 point release.

Regards,

Adam

--- End Message ---
