← Back to team overview

openjdk team mailing list archive

[Bug 2032865] Re: Please update openjdk-lts to 11.0.20.1+1 and openjdk-17 to 17.0.8.1+1 to fix JDK-8313765

 

** Changed in: openjdk-lts (Ubuntu Mantic)
       Status: New => Fix Released

** Changed in: openjdk-lts (Ubuntu)
       Status: New => Fix Released

** Changed in: openjdk-17 (Ubuntu)
       Status: New => Fix Released

** Changed in: openjdk-17 (Ubuntu Mantic)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-lts in Ubuntu.
https://bugs.launchpad.net/bugs/2032865

Title:
  Please update openjdk-lts to 11.0.20.1+1 and openjdk-17 to 17.0.8.1+1
  to fix  JDK-8313765

Status in openjdk-17 package in Ubuntu:
  Fix Released
Status in openjdk-lts package in Ubuntu:
  Fix Released
Status in openjdk-17 source package in Focal:
  Fix Released
Status in openjdk-lts source package in Focal:
  Fix Released
Status in openjdk-17 source package in Jammy:
  Fix Released
Status in openjdk-lts source package in Jammy:
  Fix Released
Status in openjdk-17 source package in Lunar:
  Fix Released
Status in openjdk-lts source package in Lunar:
  Fix Released
Status in openjdk-17 source package in Mantic:
  Fix Released
Status in openjdk-lts source package in Mantic:
  Fix Released

Bug description:
  [Background]

  JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) was fixed in openjdk 11.0.20.1+1 and openjdk 17.0.8.1+1.
  --------------
  The following ZipException may be thrown when the data contained in the CEN Extra fields are problematic:

        Invalid CEN header (invalid zip64 extra data field size)

  The ZipException may occur due to:

   1. Some releases of Ant and commons-compress create CEN Zip64 extra headers with a size of 0 when Zip64 mode is required
     - fixed in Commons-compress 1.11 (2016) and Ant 1.10.14 (2023).
   2. Extra field includes padding not included in the Extra data field headers
   3. The BND tool added problematic data to the extra field
      - fixed in BND 5.3 (2021) and maven-bundle-plugin 5.1.5 which includes BND 5.3

  The issue can demonstrated via the following ant script :

  ?xml version="1.0"?>
  <project name="zip 64 jar test" basedir="." default="jar">
      <property name="jarFile" value="test.jar"/>
      <property name="builddir" value="classes"/>

      <target name="jar">
          <jar destfile="${jarFile}"
               zip64mode="always"
               basedir="${builddir}"/>
      </target>
  </project>
  ----------------
  [1]

  [Impact]

  This means that zip64 jar files made by older versions of commons-
  compress and more importantly Ant are not readable by the July
  security update JDKs (11.0.20 and 17.0.8). The user is unable to run
  existing software. The latest version of ant in the archive is
  1.10.13[2] which means that all relevant Ubuntu versions (bionic,
  focal, jammy, lunar, mantic) are affected.

  The behaviour can be worked around with
  jdk.util.zip.disableZip64ExtraFieldValidation but this exposes the
  user to CVE-2023-22036 - JDK crash when unpacking malicious zip file
  which can be problematic for the server-side workloads.

  [Suggested Fix]

  Release upstream versions 11.0.20.1+1  and 17.0.8.1+1 to affected
  versions - bionic (esm), focal, jammy, lunar, mantic.

  [Test Plan]

  Ensure that the test jar file can be run using the fixed version.
  -----------------------
  #!/bin/bash

  for release in bionic focal jammy lunar mantic; do
    for jdk in openjdk-11-jdk-headless openjdk-17-jdk-headless; do
      echo -------testing $release with $jdk
      lxc launch ubuntu-daily:$release tester
      lxc exec tester -- apt-get update
      lxc exec tester -- apt-get -y install ${jdk} ant
      lxc file push validate-fix.sh tester/home/ubuntu/validate-fix.sh
      lxc exec tester -- /bin/bash /home/ubuntu/validate-fix.sh
      lxc stop tester
      lxc delete tester
      echo -------DONE testing $release with $jdk
    done
  done
  -----------------------
  validate-fix.sh is attached to the bug.

  [Where the problems can occur]

  - validate that the zip file can run when Security manager is enabled
  and a permission to read
  'jdk.util.zip.disableZip64ExtraFieldValidation' is not granted

  [1] https://bugs.openjdk.org/browse/JDK-8313765
  [2] https://launchpad.net/ubuntu/+source/ant

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-17/+bug/2032865/+subscriptions