Author: Stan Bubrouski
Date: October 31, 2003
Package(s): j2re/j2sdk
OS: Linux (possibly others, see below)
Versions: 1.4.2 - 1.4.2_02

Severity: Local users may overwrite any file owned by the user who installs
Java, due to insecure file handling while unpacking/installing Java.

Problem:

There are two sources of insecure file creation while installing Java on
Linux: the unpack program that is used to unpack the install files [1] and
the RPM scripts [2].

I'll start off by describing [1]. Regardless of whether you downloaded the
Linux .bin or rpm.bin installer, when you run the .bin and accept the
license or install the rpm, Sun invokes its own unpack program. The program
is stored in /usr/java/j2re<version>/lib/unpack while Java is being
installed, and it is erased after the install. Every time unpack is invoked
it insecurely creates the file /tmp/unpack.log. So with a simple symlink you
can overwrite any file owned by the person installing Java. This is most
often root if installing the RPM.

The second problem [2] lies in the postinstall scripts, which insecurely
create the files /tmp/.mailcap1 and /tmp/.mime.types1, with the same
possibilities as [1].

To give you an idea of just how ugly the scripts are, a grep:

[null@fedora null]# rpm -q --scripts j2re | grep /tmp
tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
tfile=/tmp/getjrelist$$.tmp
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1
grep -v ${MIME_TYPE} < $MIME_FILE > /tmp/.mime.types1
cp -p /tmp/.mime.types1 $MIME_FILE
rm /tmp/.mime.types1
grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
cp -p /tmp/.mailcap1 $MAILCAP_FILE
rm /tmp/.mailcap1

Needless to say, check /tmp before installing these rpms and binaries. I
have not tested packages for other platforms like Solaris, but if they make
use of the same unpack program they would be vulnerable too.

Solution: Be cautious when installing these packages; check /tmp.

Regards,
Stan Bubrouski
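The mailcap filtering step from the postinstall script above, rewritten the way a packager should have written it, plus the "check /tmp first" precaution the advisory recommends, as an added example that is not part of the original post or of Sun's packages. The function names, the MIME type value in the test and the optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or Sun's installer scripts).
#
# Hardened version of:
#   grep -v ${MIME_TYPE} < $MAILCAP_FILE | grep -v "# Java Web Start" > /tmp/.mailcap1
#   cp -p /tmp/.mailcap1 $MAILCAP_FILE
# The fixed name /tmp/.mailcap1 is what lets a local user pre-plant a symlink.
# mktemp(1) creates the scratch file with an unpredictable name and O_EXCL,
# so a pre-existing symlink at a guessed path is never followed.
safe_filter_mailcap() {
    mime_type="$1"      # MIME type whose entry is removed (assumed argument)
    mailcap_file="$2"   # the mailcap file being edited in place
    tmp=$(mktemp "${TMPDIR:-/tmp}/mailcap.XXXXXX") || return 1
    # grep -v exits 1 when no lines are left; that is not an error here.
    if ! { grep -vF -- "$mime_type" < "$mailcap_file" \
           | grep -v "# Java Web Start" > "$tmp" || [ $? -eq 1 ]; }; then
        rm -f "$tmp"
        return 2
    fi
    # Write back through the existing inode so the target keeps its own
    # owner and mode (cp -p would have copied the scratch file's 0600).
    cat "$tmp" > "$mailcap_file"
    rm -f "$tmp"
}

# The advisory's precaution for the unfixed installer: before running it,
# refuse if any of the predictable names it writes already exists. A
# symlink is the red flag; any other pre-existing file is also suspicious.
# Directory defaults to /tmp; the argument exists so this can be tested.
check_tmp_before_install() {
    dir="${1:-/tmp}"
    rc=0
    for name in unpack.log .mailcap1 .mime.types1; do
        p="$dir/$name"
        if [ -L "$p" ]; then
            echo "WARNING: $p is a symlink to $(readlink "$p")" >&2
            rc=1
        elif [ -e "$p" ]; then
            echo "WARNING: $p already exists" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `check_tmp_before_install` as the installing user immediately before starting the installer; a non-zero exit means the names it will write are already taken.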