Bug 916224 (CVE-2013-2027) - VUL-1: CVE-2013-2027: jython: Creates executable class files with wrong permissions
Status: RESOLVED FIXED
Alias: CVE-2013-2027
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Minor
Target Milestone: ---
Deadline: 2015-03-04
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113498/
Whiteboard: maint:running:60538:low CVSSv2:RedHat...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-04 13:08 UTC by Johannes Segitz
Modified: 2020-04-01 22:12 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2015-02-04 13:08:09 UTC
Lubomir Rintel 2013-04-03 11:29:50 EDT
Description of problem:

There are several problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure.

# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw-. 1 root root 52874 Apr  3 17:24 /usr/share/jython/Lib/xmllib$py.class

Jython does not explicitly set permissions of the class files; therefore with a weak umask it creates world-writable files, or discloses sensitive data that would be in a non-world-readable package file.

Also, the package writes to /usr/share, which it shouldn't; /var/cache would be more appropriate, but would still lead to a possibility of a content disclosure.

The only really portable and secure way to cache class files would be a directory in the user's home with 0700 permissions.

It is currently not even possible to easily disable the caching, since the configuration file is not marked with %config and resides in /usr/share instead of /etc.

References:
http://bugs.jython.org/msg8004
https://bugzilla.redhat.com/show_bug.cgi?id=947949
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2027
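Added illustration (not code from Jython, from this bug report, or from the SUSE patch): the Python script below contrasts the umask-dependent file creation the report describes with the per-user 0700 cache directory it recommends, and adds a small audit that lists compiled class files writable by group or others. Jython's real cache writer is Java; the functions, directory layout, file names and the class-file-like payload here are constructed for the demonstration and are assumptions, not Jython's own implementation.

```python
import os
import stat
import tempfile

CACHE_SUFFIX = "$py.class"  # Jython's naming for cached compiled modules


def write_cache_umask_dependent(path, data):
    """The pattern the report describes: a plain open() creates the file with
    mode 0666 & ~umask, so a umask of 000 yields a world-writable file.
    Returns the resulting permission bits."""
    with open(path, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def private_cache_dir(base):
    """Per-user cache directory with 0700, the layout the report suggests.
    umask can only clear bits, so 0700 survives any umask; the chmod covers
    the case where the directory already existed with wider permissions.
    (Assumed layout: <base>/jython-cache-<uid>.)"""
    path = os.path.join(base, "jython-cache-%d" % os.getuid())
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    return path


def write_cache_private(cache_dir, name, data):
    """Create the class file with an explicit 0600 mode. mkstemp opens with
    O_EXCL and mode 0600, so an attacker cannot pre-create or symlink the
    path, and os.replace swaps it in atomically (readers never see a
    half-written class file). Returns (path, permission bits)."""
    path = os.path.join(cache_dir, name)
    fd, tmp = tempfile.mkstemp(prefix=name + ".", dir=cache_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return path, stat.S_IMODE(os.stat(path).st_mode)


def find_unsafe_class_files(root):
    """Audit helper: list compiled class files under root whose mode grants
    write access to group or others, the condition that lets another local
    user replace the bytecode that will later be loaded."""
    unsafe = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(CACHE_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                unsafe.append((path, mode))
    return unsafe


def demonstrate():
    """Reproduce the report's scenario under umask 000 in a scratch tree and
    return the resulting modes plus the files the audit flags."""
    old_umask = os.umask(0)
    try:
        with tempfile.TemporaryDirectory() as base:
            # Stand-in for /usr/share/jython/Lib (constructed path).
            shared = os.path.join(base, "usr-share-jython-Lib")
            os.mkdir(shared)
            # Constructed payload: class-file magic followed by filler bytes.
            payload = b"\xca\xfe\xba\xbe" + b"\0" * 16
            weak = write_cache_umask_dependent(
                os.path.join(shared, "xmllib" + CACHE_SUFFIX), payload)
            cache_dir = private_cache_dir(base)
            _, good = write_cache_private(cache_dir, "xmllib" + CACHE_SUFFIX, payload)
            flagged = find_unsafe_class_files(base)
            return {
                "umask_dependent": weak,
                "private_dir": stat.S_IMODE(os.stat(cache_dir).st_mode),
                "private_file": good,
                "flagged": [os.path.relpath(p, base) for p, _ in flagged],
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

On an unpatched system the audit function can be pointed at /usr/share/jython/Lib to confirm whether any `$py.class` files have already been written with group or world write bits; under umask 000 the umask-dependent write yields 0666 while the explicit-mode write stays at 0600 regardless of umask.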
Comment 2 Swamp Workflow Management 2015-02-04 14:44:25 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-03-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60538
Comment 3 Bernhard Wiedemann 2015-02-04 15:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (916224) was mentioned in
https://build.opensuse.org/request/show/284056 Factory / jython
https://build.opensuse.org/request/show/284057 13.2 / jython
https://build.opensuse.org/request/show/284058 13.1 / jython
Comment 5 Tomáš Chvátal 2015-02-04 16:12:35 UTC
All should be done, let me know if something is wrong. Also for sle11 I had to tweak the jython-cached-classes.patch a lot compared to other products, so I think it should be right, but if someone could look at it too it might be a good idea :)

I hate it when they change the code this much :)
Comment 8 Swamp Workflow Management 2015-02-12 12:05:07 UTC
openSUSE-SU-2015:0269-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 916224
CVE References: CVE-2013-2027
Sources used:
openSUSE 13.2 (src):    jython-2.2.1-13.4.2
openSUSE 13.1 (src):    jython-2.2.1-11.4.2
Comment 9 Victor Pereira 2015-02-16 09:21:39 UTC
Released for openSUSE.