openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #10491
Bug#761683: openjdk-7-jre-headless: insecure use of /tmp/hsperfdata_*
Package: openjdk-7-jre-headless
Version: 7u65-2.5.2-3
Severity: important
Tags: security
java tries to mkdir /tmp/hsperfdata_$USER/. But if the directory already
exists, it will use the existing one, even when it's owned my another
(potentially malicious) user:
# whoami
root
# ls -ld /tmp/hsperfdata_root/
drwxr-xr-x 2 mallory mallory 4096 Sep 15 20:17 /tmp/hsperfdata_root/
# strace -o '| grep hsperfdata' -f java 2>/dev/null
1047 openat(AT_FDCWD, "/tmp/hsperfdata_root", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
1047 lstat("/tmp/hsperfdata_root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
1047 mkdir("/tmp/hsperfdata_root", 0755) = -1 EEXIST (File exists)
1047 lstat("/tmp/hsperfdata_root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
1047 open("/tmp/hsperfdata_root/1045", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3
1047 unlink("/tmp/hsperfdata_root/1045") = 0
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages openjdk-7-jre-headless depends on:
ii ca-certificates-java 20140324
ii java-common 0.52
ii libc6 2.19-11
ii libcups2 1.7.5-1
ii libfontconfig1 2.11.0-6.1
ii libfreetype6 2.5.2-1.1
ii libgcc1 1:4.9.1-14
ii libglib2.0-0 2.40.0-5
ii libjpeg8 8d1-1
ii libkrb5-3 1.12.1+dfsg-9
ii liblcms2-2 2.6-3
ii libnss3 2:3.17-1
ii libpcsclite1 1.8.11-3
ii libstdc++6 4.9.1-14
ii multiarch-support 2.19-11
ii tzdata-java 2014g-1
ii zlib1g 1:1.2.8.dfsg-2
--
Jakub Wilk