Bug 12934

Summary: hawtjni new security issue CVE-2013-2035
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, rverschelde, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589236/
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK advisory
Source RPM: hawtjni-1.6-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-03-04 19:00:56 CET 
RedHat has issued an advisory on March 3:
https://rhn.redhat.com/errata/RHSA-2014-0245.html

It is not clear what any of the vulnerabilities listed have to do with the activemq package listed in the advisory.

CVE-2013-4152 is for springframework, and we already fixed that one.

CVE-2013-4330 and CVE-2013-0003 are for something called "Apache Camel" which I don't believe we have packaged and can't immediately see the relation to activemq.

CVE-2013-2035 is for a Java class embedded in jansi, jline2, and jruby, all of which may require updates.

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-04 19:01:07 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-10-21 14:55:42 CEST 
It looks like the actual activemq issues are listed in this advisory from July 9, 2013:
https://rhn.redhat.com/errata/RHSA-2013-1029.html

It appears that they are fixed upstream in 5.8.0 and that they have not been addressed in Fedora either.  If this package is unmaintained, it should be dropped (in both distros).

As for jansi/jline2/jruby, it looks like the *binary* versions of those are affected as they bundle each other (jruby bundles jline2 which bundles jansi which bundles the affected hawtjni), but the source versions don't actually bundle the affected code.

So, what we really have here is CVE-2013-2035 for hawtjni, which we do have packaged.  It was fixed upstream in 1.8, so only Mageia 3 is affected.

Summary: jansi, jline2, jruby, activemq possible security vulnerabilities => hawtjni new security issue CVE-2013-2035 (plus activemq possible security vulnerabilities)
Source RPM: (none) => hawtjni-1.6-1.mga3.src.rpm

David Walser 2014-10-26 16:19:06 CET

Blocks: (none) => 14377

David Walser 2014-10-26 16:20:22 CET

Blocks: 14377 => (none)

Comment 2 David Walser 2014-10-26 16:39:33 CET 
Updated package uploaded for Mageia 3.

Advisory:
========================

Updated hawtjni package fixes security vulnerability:

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed (CVE-2013-2035).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2035
https://rhn.redhat.com/errata/RHSA-2014-0245.html
========================

Updated packages in core/updates_testing:
========================
hawtjni-1.9-1.mga3
hawtjni-javadoc-1.9-1.mga3
maven-hawtjni-plugin-1.9-1.mga3

from hawtjni-1.9-1.mga3.src.rpm

Version: Cauldron => 3
Assignee: dmorganec => qa-bugs
Summary: hawtjni new security issue CVE-2013-2035 (plus activemq possible security vulnerabilities) => hawtjni new security issue CVE-2013-2035
Whiteboard: MGA4TOO, MGA3TOO => (none)

Comment 3 David Walser 2014-11-17 20:15:02 CET 
Tested that the packages install cleanly, Mageia 3 i586.

Whiteboard: (none) => has_procedure MGA3-32-OK

Comment 4 olivier charles 2014-11-18 07:23:29 CET 
On Mageia3-64 real HW

Before update-testing :

# rpm -q hawtjni hawtjni-javadoc maven-hawtjni-plugin
hawtjni-1.6-1.mga3
hawtjni-javadoc-1.6-1.mga3
maven-hawtjni-plugin-1.6-1.mga3

After update-testing :

# rpm -q hawtjni hawtjni-javadoc maven-hawtjni-plugin
hawtjni-1.9-1.mga3
hawtjni-javadoc-1.9-1.mga3
maven-hawtjni-plugin-1.9-1.mga3

Installation OK

CC: (none) => olchal
Whiteboard: has_procedure MGA3-32-OK => has_procedure MGA3-32-OK MGA3-64-OK

Comment 5 RĂ©mi Verschelde 2014-11-19 13:49:11 CET 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2014-11-21 13:45:23 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0461.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED