← Back to team overview

openjdk team mailing list archive

Bug#761683: openjdk-7-jre-headless: insecure use of /tmp/hsperfdata_*

 

Package: openjdk-7-jre-headless
Version: 7u65-2.5.2-3
Severity: important
Tags: security

java tries to mkdir /tmp/hsperfdata_$USER/. But if the directory already exists, it will use the existing one, even when it's owned my another (potentially malicious) user:

# whoami
root

# ls -ld /tmp/hsperfdata_root/
drwxr-xr-x 2 mallory mallory 4096 Sep 15 20:17 /tmp/hsperfdata_root/

# strace -o '| grep hsperfdata' -f java 2>/dev/null
1047  openat(AT_FDCWD, "/tmp/hsperfdata_root", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
1047  lstat("/tmp/hsperfdata_root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
1047  mkdir("/tmp/hsperfdata_root", 0755) = -1 EEXIST (File exists)
1047  lstat("/tmp/hsperfdata_root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
1047  open("/tmp/hsperfdata_root/1045", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3
1047  unlink("/tmp/hsperfdata_root/1045") = 0


-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages openjdk-7-jre-headless depends on:
ii  ca-certificates-java  20140324
ii  java-common           0.52
ii  libc6                 2.19-11
ii  libcups2              1.7.5-1
ii  libfontconfig1        2.11.0-6.1
ii  libfreetype6          2.5.2-1.1
ii  libgcc1               1:4.9.1-14
ii  libglib2.0-0          2.40.0-5
ii  libjpeg8              8d1-1
ii  libkrb5-3             1.12.1+dfsg-9
ii  liblcms2-2            2.6-3
ii  libnss3               2:3.17-1
ii  libpcsclite1          1.8.11-3
ii  libstdc++6            4.9.1-14
ii  multiarch-support     2.19-11
ii  tzdata-java           2014g-1
ii  zlib1g                1:1.2.8.dfsg-2

--
Jakub Wilk