* [meta-java][PATCH 1/2] Security Advisory - openjdk - CVE-2014-1876
@ 2014-09-23 23:37 Zibo Zhao
2014-09-23 23:37 ` [meta-java][PATCH 2/2] icedtea: CVE-2013-4160: integrate Non happy path fixes Zibo Zhao
0 siblings, 1 reply; 3+ messages in thread
From: Zibo Zhao @ 2014-09-23 23:37 UTC (permalink / raw)
To: openembedded-devel
From: Amy Fong <Amy.Fong@windriver.com>
Rather than creating /tmp/unpack.log and insecure permissions,
if unpack cannot create teh specified log file, it defaults to writing
to /dev/null, failing that, stderr. (These are the default options if
it cannot write to /tmp/unpack.log)
Signed-off-by: Amy Fong <Amy.Fong@windriver.com>
Signed-off-by: Zibo Zhao <zibo.zhao@windriver.com>
---
.../icedtea-CVE-2014-1876-unpack.patch | 42 ++++++++++++++++++++++
recipes-core/icedtea/openjdk-7-release-03b147.inc | 2 ++
.../icedtea-CVE-2014-1876-unpack.patch | 42 ++++++++++++++++++++++
recipes-core/openjdk/openjdk-7-release-03b21.inc | 2 ++
4 files changed, 88 insertions(+)
create mode 100644 recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
create mode 100644 recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2014-1876-unpack.patch
diff --git a/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
new file mode 100644
index 0000000..22f051d
--- /dev/null
+++ b/recipes-core/icedtea/openjdk-7-03b147/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,42 @@
+This provides a fix for the security vulnerability reported in
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+
+ The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+ 7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+ log file cannot be opened, which allows local users to overwrite arbitrary
+ files via a symlink attack on /tmp/unpack.log.
+
+Rather than trying to open a /tmp/unpack.log file, this fix comments
+out that segment and goes to the fallback options which include
+redirecting error to /dev/null, or failing that, redirecting to stderr.
+
+Signed-off-by: Amy Fong <amy.fong@windriver.com>
+
+Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+===================================================================
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
++++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -4757,6 +4757,15 @@
+ return;
+ } else {
+ char log_file_name[PATH_MAX+100];
++#if 0
++/*
++The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
++7, and 8, and Oracle Java JDK, does not securely create temporary files when a
++log file cannot be opened, which allows local users to overwrite arbitrary
++files via a symlink attack on /tmp/unpack.log.
++
++http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
++*/
+ char tmpdir[PATH_MAX];
+ #ifdef WIN32
+ int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
+@@ -4781,6 +4790,7 @@
+ log_file = errstrm_name = saveStr(log_file_name);
+ return ;
+ }
++#endif
+ #ifndef WIN32
+ sprintf(log_file_name, "/dev/null");
+ // On windows most likely it will fail.
diff --git a/recipes-core/icedtea/openjdk-7-release-03b147.inc b/recipes-core/icedtea/openjdk-7-release-03b147.inc
index f561e42..a4dbe67 100644
--- a/recipes-core/icedtea/openjdk-7-release-03b147.inc
+++ b/recipes-core/icedtea/openjdk-7-release-03b147.inc
@@ -80,6 +80,7 @@ OPENJDK_PATCHES = " \
file://icedtea-hotspot-make-arch-sane-for-x86.patch;apply=no \
file://icedtea-jdk-sane-x86-arch.patch;apply=no \
file://icedtea-flags.patch;apply=no \
+ file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
"
export DISTRIBUTION_PATCHES = " \
@@ -89,4 +90,5 @@ export DISTRIBUTION_PATCHES = " \
patches/icedtea-hotspot-make-arch-sane-for-x86.patch \
patches/icedtea-jdk-sane-x86-arch.patch \
patches/icedtea-flags.patch \
+ patches/icedtea-CVE-2014-1876-unpack.patch \
"
diff --git a/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2014-1876-unpack.patch b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2014-1876-unpack.patch
new file mode 100644
index 0000000..22f051d
--- /dev/null
+++ b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2014-1876-unpack.patch
@@ -0,0 +1,42 @@
+This provides a fix for the security vulnerability reported in
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
+
+ The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
+ 7, and 8, and Oracle Java JDK, does not securely create temporary files when a
+ log file cannot be opened, which allows local users to overwrite arbitrary
+ files via a symlink attack on /tmp/unpack.log.
+
+Rather than trying to open a /tmp/unpack.log file, this fix comments
+out that segment and goes to the fallback options which include
+redirecting error to /dev/null, or failing that, redirecting to stderr.
+
+Signed-off-by: Amy Fong <amy.fong@windriver.com>
+
+Index: openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+===================================================================
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
++++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -4757,6 +4757,15 @@
+ return;
+ } else {
+ char log_file_name[PATH_MAX+100];
++#if 0
++/*
++The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6,
++7, and 8, and Oracle Java JDK, does not securely create temporary files when a
++log file cannot be opened, which allows local users to overwrite arbitrary
++files via a symlink attack on /tmp/unpack.log.
++
++http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1876
++*/
+ char tmpdir[PATH_MAX];
+ #ifdef WIN32
+ int n = GetTempPath(PATH_MAX,tmpdir); //API returns with trailing '\'
+@@ -4781,6 +4790,7 @@
+ log_file = errstrm_name = saveStr(log_file_name);
+ return ;
+ }
++#endif
+ #ifndef WIN32
+ sprintf(log_file_name, "/dev/null");
+ // On windows most likely it will fail.
diff --git a/recipes-core/openjdk/openjdk-7-release-03b21.inc b/recipes-core/openjdk/openjdk-7-release-03b21.inc
index 07b1f7a..6f78d10 100644
--- a/recipes-core/openjdk/openjdk-7-release-03b21.inc
+++ b/recipes-core/openjdk/openjdk-7-release-03b21.inc
@@ -93,6 +93,7 @@ ICEDTEAPATCHES = "\
file://icedtea-shark-arm-linux-cpu-detection.patch;apply=no \
file://icedtea-corba-parallel-make.patch;apply=no \
file://icedtea-zero-hotspotfix.patch;apply=no \
+ file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
"
ICEDTEAPATCHES_append_powerpc = " \
file://icedtea-jdk-nio-use-host-cc.patch;apply=no \
@@ -125,6 +126,7 @@ DISTRIBUTION_PATCHES = "\
patches/icedtea-shark-arm-linux-cpu-detection.patch \
patches/icedtea-corba-parallel-make.patch \
patches/icedtea-zero-hotspotfix.patch \
+ patches/icedtea-CVE-2014-1876-unpack.patch \
"
DISTRIBUTION_PATCHES_append_libc-uclibc = "\
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [meta-java][PATCH 2/2] icedtea: CVE-2013-4160: integrate Non happy path fixes
2014-09-23 23:37 [meta-java][PATCH 1/2] Security Advisory - openjdk - CVE-2014-1876 Zibo Zhao
@ 2014-09-23 23:37 ` Zibo Zhao
2014-10-02 5:57 ` Henning Heinold
0 siblings, 1 reply; 3+ messages in thread
From: Zibo Zhao @ 2014-09-23 23:37 UTC (permalink / raw)
To: openembedded-devel
From: Michel Thebeau <michel.thebeau@windriver.com>
Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly
other products, allows remote attackers to cause a denial of
service(NULL ptr deref).
Adding NULL pointer checks fix the issue.
Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
Signed-off-by: Zibo Zhao <zibo.zhao@windriver.com>
---
...cedtea-CVE-2013-4160-Non-happy-path-fixes.patch | 74 ++++++++++++++++++++++
recipes-core/openjdk/openjdk-7-release-03b21.inc | 2 +
2 files changed, 76 insertions(+)
create mode 100644 recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
diff --git a/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
new file mode 100644
index 0000000..75e11c4
--- /dev/null
+++ b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
@@ -0,0 +1,74 @@
+From 91c2db7f2559be504211b283bc3a2c631d6f06d9 Mon Sep 17 00:00:00 2001
+From: Marti Maria <info@littlecms.com>
+Date: Tue, 25 Jun 2013 16:09:16 +0200
+Subject: [PATCH] Non happy-path fixes
+
+commit 91c2db7f2559be504211b283bc3a2c631d6f06d9 from
+https://github.com/mm2/Little-CMS
+[modified for Little-CMS 2.0]
+
+Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
+Signed-off-by: Zibo Zhao <Zibo.Zhao@windriver.com>
+---
+ src/cmsnamed.c | 12 +++++++----
+ src/cmsopt.c | 10 ++++++++++
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
+index a916e17..acfd1c8 100644
+--- openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
++++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
+@@ -514,8 +514,8 @@ cmsNAMEDCOLORLIST* CMSEXPORT cmsAllocNamedColorList(cmsContext ContextID, cmsUIn
+ while (v -> Allocated < n)
+ GrowNamedColorList(v);
+
+- strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix));
+- strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix));
++ strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix)-1);
++ strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix)-1);
+ v -> ColorantCount = ColorantCount;
+
+ return v;
+@@ -571,6 +571,5 @@ cmsBool CMSEXPORT cmsAppendNamedColor(cmsNAMEDCOLORLIST* NamedColorList,
+
+ if (Name != NULL)
+- strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name,
+- sizeof(NamedColorList ->List[NamedColorList ->nColors].Name));
++ strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name, cmsMAX_PATH-1);
+ else
+ NamedColorList ->List[NamedColorList ->nColors].Name[0] = 0;
+@@ -735,6 +733,10 @@ cmsSEQ* CMSEXPORT cmsAllocProfileSequenceDescription(cmsContext ContextID, cmsUI
+ Seq -> seq = (cmsPSEQDESC*) _cmsCalloc(ContextID, n, sizeof(cmsPSEQDESC));
+ Seq -> n = n;
+
++ if (Seq -> seq == NULL) {
++ _cmsFree(ContextID, Seq);
++ return NULL;
++ }
+
+ for (i=0; i < n; i++) {
+ Seq -> seq[i].Manufacturer = NULL;
+diff --git openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
+index 7478e5e..4bdf0a7 100644
+--- openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
++++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
+@@ -1179,6 +1179,16 @@ Curves16Data* CurvesAlloc(cmsContext ContextID, int nCurves, int nElements, cmsT
+
+ c16->Curves[i] = _cmsCalloc(ContextID, nElements, sizeof(cmsUInt16Number));
+
++ if (c16->Curves[i] == NULL) {
++
++ for (j=0; j < i; j++) {
++ _cmsFree(ContextID, c16->Curves[j]);
++ }
++ _cmsFree(ContextID, c16->Curves);
++ _cmsFree(ContextID, c16);
++ return NULL;
++ }
++
+ if (nElements == 256) {
+
+ for (j=0; j < nElements; j++) {
+--
+1.9.1
+
diff --git a/recipes-core/openjdk/openjdk-7-release-03b21.inc b/recipes-core/openjdk/openjdk-7-release-03b21.inc
index 6f78d10..5b5caff 100644
--- a/recipes-core/openjdk/openjdk-7-release-03b21.inc
+++ b/recipes-core/openjdk/openjdk-7-release-03b21.inc
@@ -94,6 +94,7 @@ ICEDTEAPATCHES = "\
file://icedtea-corba-parallel-make.patch;apply=no \
file://icedtea-zero-hotspotfix.patch;apply=no \
file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
+ file://icedtea-CVE-2013-4160-Non-happy-path-fixes.patch;apply=no \
"
ICEDTEAPATCHES_append_powerpc = " \
file://icedtea-jdk-nio-use-host-cc.patch;apply=no \
@@ -127,6 +128,7 @@ DISTRIBUTION_PATCHES = "\
patches/icedtea-corba-parallel-make.patch \
patches/icedtea-zero-hotspotfix.patch \
patches/icedtea-CVE-2014-1876-unpack.patch \
+ patches/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch \
"
DISTRIBUTION_PATCHES_append_libc-uclibc = "\
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [meta-java][PATCH 2/2] icedtea: CVE-2013-4160: integrate Non happy path fixes
2014-09-23 23:37 ` [meta-java][PATCH 2/2] icedtea: CVE-2013-4160: integrate Non happy path fixes Zibo Zhao
@ 2014-10-02 5:57 ` Henning Heinold
0 siblings, 0 replies; 3+ messages in thread
From: Henning Heinold @ 2014-10-02 5:57 UTC (permalink / raw)
To: openembedded-devel
On Tue, Sep 23, 2014 at 07:37:47PM -0400, Zibo Zhao wrote:
> From: Michel Thebeau <michel.thebeau@windriver.com>
>
> Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly
> other products, allows remote attackers to cause a denial of
> service(NULL ptr deref).
>
> Adding NULL pointer checks fix the issue.
>
> Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
> Signed-off-by: Zibo Zhao <zibo.zhao@windriver.com>
> ---
> ...cedtea-CVE-2013-4160-Non-happy-path-fixes.patch | 74 ++++++++++++++++++++++
> recipes-core/openjdk/openjdk-7-release-03b21.inc | 2 +
> 2 files changed, 76 insertions(+)
> create mode 100644 recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
>
> diff --git a/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
> new file mode 100644
> index 0000000..75e11c4
> --- /dev/null
> +++ b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
> @@ -0,0 +1,74 @@
> +From 91c2db7f2559be504211b283bc3a2c631d6f06d9 Mon Sep 17 00:00:00 2001
> +From: Marti Maria <info@littlecms.com>
> +Date: Tue, 25 Jun 2013 16:09:16 +0200
> +Subject: [PATCH] Non happy-path fixes
> +
> +commit 91c2db7f2559be504211b283bc3a2c631d6f06d9 from
> +https://github.com/mm2/Little-CMS
> +[modified for Little-CMS 2.0]
> +
> +Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
> +Signed-off-by: Zibo Zhao <Zibo.Zhao@windriver.com>
> +---
> + src/cmsnamed.c | 12 +++++++----
> + src/cmsopt.c | 10 ++++++++++
> + 2 files changed, 18 insertions(+), 4 deletions(-)
> +
> +diff --git openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
> +index a916e17..acfd1c8 100644
> +--- openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
> ++++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
> +@@ -514,8 +514,8 @@ cmsNAMEDCOLORLIST* CMSEXPORT cmsAllocNamedColorList(cmsContext ContextID, cmsUIn
> + while (v -> Allocated < n)
> + GrowNamedColorList(v);
> +
> +- strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix));
> +- strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix));
> ++ strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix)-1);
> ++ strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix)-1);
> + v -> ColorantCount = ColorantCount;
> +
> + return v;
> +@@ -571,6 +571,5 @@ cmsBool CMSEXPORT cmsAppendNamedColor(cmsNAMEDCOLORLIST* NamedColorList,
> +
> + if (Name != NULL)
> +- strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name,
> +- sizeof(NamedColorList ->List[NamedColorList ->nColors].Name));
> ++ strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name, cmsMAX_PATH-1);
> + else
> + NamedColorList ->List[NamedColorList ->nColors].Name[0] = 0;
> +@@ -735,6 +733,10 @@ cmsSEQ* CMSEXPORT cmsAllocProfileSequenceDescription(cmsContext ContextID, cmsUI
> + Seq -> seq = (cmsPSEQDESC*) _cmsCalloc(ContextID, n, sizeof(cmsPSEQDESC));
> + Seq -> n = n;
> +
> ++ if (Seq -> seq == NULL) {
> ++ _cmsFree(ContextID, Seq);
> ++ return NULL;
> ++ }
> +
> + for (i=0; i < n; i++) {
> + Seq -> seq[i].Manufacturer = NULL;
> +diff --git openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
> +index 7478e5e..4bdf0a7 100644
> +--- openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
> ++++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
> +@@ -1179,6 +1179,16 @@ Curves16Data* CurvesAlloc(cmsContext ContextID, int nCurves, int nElements, cmsT
> +
> + c16->Curves[i] = _cmsCalloc(ContextID, nElements, sizeof(cmsUInt16Number));
> +
> ++ if (c16->Curves[i] == NULL) {
> ++
> ++ for (j=0; j < i; j++) {
> ++ _cmsFree(ContextID, c16->Curves[j]);
> ++ }
> ++ _cmsFree(ContextID, c16->Curves);
> ++ _cmsFree(ContextID, c16);
> ++ return NULL;
> ++ }
> ++
> + if (nElements == 256) {
> +
> + for (j=0; j < nElements; j++) {
> +--
> +1.9.1
> +
> diff --git a/recipes-core/openjdk/openjdk-7-release-03b21.inc b/recipes-core/openjdk/openjdk-7-release-03b21.inc
> index 6f78d10..5b5caff 100644
> --- a/recipes-core/openjdk/openjdk-7-release-03b21.inc
> +++ b/recipes-core/openjdk/openjdk-7-release-03b21.inc
> @@ -94,6 +94,7 @@ ICEDTEAPATCHES = "\
> file://icedtea-corba-parallel-make.patch;apply=no \
> file://icedtea-zero-hotspotfix.patch;apply=no \
> file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
> + file://icedtea-CVE-2013-4160-Non-happy-path-fixes.patch;apply=no \
> "
> ICEDTEAPATCHES_append_powerpc = " \
> file://icedtea-jdk-nio-use-host-cc.patch;apply=no \
> @@ -127,6 +128,7 @@ DISTRIBUTION_PATCHES = "\
> patches/icedtea-corba-parallel-make.patch \
> patches/icedtea-zero-hotspotfix.patch \
> patches/icedtea-CVE-2014-1876-unpack.patch \
> + patches/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch \
> "
>
> DISTRIBUTION_PATCHES_append_libc-uclibc = "\
> --
> 1.9.1
Thank you very much for the patches. Unfornatly I do not have much time at the moment
for meta-java. So it will last a bit until I can integrate them. Maybe
I will switch anyway to the 2.5 release of icedtea, which includes
the patches already.
Bye Henning
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-10-02 6:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-23 23:37 [meta-java][PATCH 1/2] Security Advisory - openjdk - CVE-2014-1876 Zibo Zhao
2014-09-23 23:37 ` [meta-java][PATCH 2/2] icedtea: CVE-2013-4160: integrate Non happy path fixes Zibo Zhao
2014-10-02 5:57 ` Henning Heinold
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.