Date: Fri, 31 Oct 2003 02:05:12 -0500
From: Stan Bubrouski <[email protected]>
To: [email protected]
Subject: Advisory: Sun's jre/jdk 1.4.2 multiple vulnerabilities in linux installers
Author: Stan Bubrouski
Date: October 31, 2003
Package(s): j2re/j2sdk
OS: Linux (possibly others, see below)
Versions: 1.4.2 - 1.4.2_02
Severity: A local user can overwrite any file owned by the user who
installs Java (most often root when the RPM is used), because the
installer and its post-install scripts create temporary files insecurely
while unpacking/installing Java.
Problem: There are two sources of insecure file creation while
installing Java on Linux: the unpack program that is used to unpack the
install files [1], and the RPM post-install scripts [2].
I'll start by describing [1]. Regardless of whether you downloaded the
Linux .bin or rpm.bin installer, when you run the .bin and accept the
license, or install the RPM, Sun invokes its own unpack program.
The program is stored in /usr/java/j2re<version>/lib/unpack while Java
is being installed, and it is erased after the install.
Every time unpack is invoked it creates the file /tmp/unpack.log at that
fixed, predictable path, without checking whether something already
exists there. A local user who creates a symlink at /tmp/unpack.log
pointing at a file of their choosing before the install has unpack write
its log through the link, overwriting that file with the privileges of
the person installing Java. This is most often root when installing the
RPM.
The second problem [2] lies in the post-install scripts, which create
/tmp/.mailcap1 and /tmp/.mime.types1 at fixed paths in the same insecure
way, so the same symlink attack as in [1] applies.
To give an idea of how the scripts handle temporary files, here is a
grep of the installed RPM's scriptlets for /tmp (tfile uses $$, the
shell's process ID, so that name is only as unpredictable as a PID):
[null@fedora null]# rpm -q --scripts j2re | grep /tmp
tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
grep -v ${MIME_TYPE} < $MIME_FILE > /tmp/.mime.types1
cp -p /tmp/.mime.types1 $MIME_FILE
rm /tmp/.mime.types1
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
Needless to say, check /tmp before installing these RPMs and binaries. I
have not tested packages for other platforms like Solaris, but if they
make use of the same unpack program they would be vulnerable too.
Solution: Be cautious when installing these packages. Before running the
installer or the RPM, check /tmp for pre-existing entries named
unpack.log, .mailcap1 or .mime.types1 (symlinks in particular) and remove
them, and do not let untrusted local users have access to the machine
while the install proceeds, since the files are created at those fixed
paths during the install.
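The check above, and the temporary-file handling the scriptlets should
have used, as an added example (this is not part of the advisory and not
Sun's installer code). It is a POSIX shell script with a pre-install
check for the fixed names in /tmp, the scriptlet's own grep/cp/rm pattern
with the /tmp path made a parameter so it can run in a sandbox, a
hardened version that uses mktemp(1) in the target's directory followed
by an atomic rename, and a constructed sandbox demonstration of the
symlink clobber. The function names, the sandbox layout and the assumed
0644 mode of the installed mailcap are this example's own choices.

```shell
#!/bin/sh
# Added example, not Sun's installer code: a pre-install check for the fixed
# /tmp names the advisory describes, the vulnerable scriptlet pattern next to
# a hardened version, and a sandboxed demonstration of the symlink clobber.
# Function names and the sandbox layout are this example's own choices.

# Fixed temporary-file names used by the installer (unpack.log) and the RPM
# post-install scriptlets (.mailcap1, .mime.types1), per the advisory.
fixed_tmp_names() {
    printf '%s\n' unpack.log .mailcap1 .mime.types1
}

# check_tmp_paths DIR: report any fixed name that already exists in DIR.
# A symlink is the attack vector, so it is flagged as DANGER; any other
# pre-existing entry is still suspicious. Returns 1 if anything was found.
check_tmp_paths() {
    dir=$1
    bad=0
    for name in $(fixed_tmp_names); do
        p="$dir/$name"
        if [ -L "$p" ]; then
            echo "DANGER: $p is a symlink -> $(readlink "$p")"
            bad=1
        elif [ -e "$p" ]; then
            echo "WARNING: $p already exists, owner $(ls -ld "$p" | awk '{print $3}')"
            bad=1
        fi
    done
    return $bad
}

# vulnerable_filter_mailcap MAILCAP MIME_TYPE SCRATCH: the pattern from the
# RPM scriptlet, with the scratch path (/tmp/.mailcap1 in the real script)
# parameterised so it can run in a sandbox. The redirection opens SCRATCH
# without O_EXCL, so a pre-planted symlink is followed and its target is
# overwritten with the filtered mailcap.
vulnerable_filter_mailcap() {
    mailcap=$1; mime=$2; scratch=$3
    grep -v "$mime" < "$mailcap" | grep -v "# Java Web Start" > "$scratch"
    cp -p "$scratch" "$mailcap"
    rm "$scratch"
}

# hardened_filter_mailcap MAILCAP MIME_TYPE: same transformation, but the
# scratch file comes from mktemp(1): an unpredictable name created with
# O_EXCL and mode 0600, in the target's own directory so the final rename is
# atomic and never touches /tmp. Mode 0644 is assumed for the installed
# file, since mailcap is world-readable configuration.
hardened_filter_mailcap() {
    mailcap=$1; mime=$2
    tmp=$(mktemp "$(dirname "$mailcap")/.mailcap.XXXXXX") || return 1
    grep -v "$mime" < "$mailcap" | grep -v "# Java Web Start" > "$tmp"
    if [ $? -gt 1 ]; then      # grep exits 1 when nothing remains, >1 on error
        rm -f "$tmp"; return 1
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$mailcap"
}

# demo: constructed sandbox showing the clobber and the hardened path.
demo() {
    sb=$(mktemp -d) || return 1
    printf '%s\n' 'text/plain; cat %s' \
        'application/x-java-jnlp-file; javaws %s # Java Web Start' > "$sb/mailcap"
    echo 'root-owned secret' > "$sb/victim"          # stands in for a root-owned file
    ln -s "$sb/victim" "$sb/.mailcap1"               # attacker pre-plants the link
    check_tmp_paths "$sb" || echo "refusing to install: clean $sb first"
    vulnerable_filter_mailcap "$sb/mailcap" application/x-java-jnlp-file "$sb/.mailcap1"
    echo "victim after vulnerable scriptlet: $(cat "$sb/victim")"
    printf '%s\n' 'text/plain; cat %s' \
        'application/x-java-jnlp-file; javaws %s # Java Web Start' > "$sb/mailcap"
    echo 'root-owned secret' > "$sb/victim"
    ln -s "$sb/victim" "$sb/.mailcap1"
    hardened_filter_mailcap "$sb/mailcap" application/x-java-jnlp-file
    echo "victim after hardened scriptlet:   $(cat "$sb/victim")"
    rm -rf "$sb"
}

demo
```

Run it as a normal user; the sandbox stands in for /tmp and for the
root-owned target. The key difference is not the directory but the
open: the scriptlet's redirection truncates whatever the fixed name
already points to, while mktemp creates a fresh file with O_EXCL under a
name an attacker cannot pre-plant.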
Regards,
Stan Bubrouski