Bug 15275 - jython new security issue CVE-2013-2027
Summary: jython new security issue CVE-2013-2027
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/633095/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Reported: 2015-02-12 16:47 CET by David Walser
Modified: 2015-03-06 19:09 CET (History)
4 users (show)

See Also:
Source RPM: jython-2.2.1-13.mga4.src.rpm
Status comment:


Description David Walser 2015-02-12 16:47:18 CET
OpenSuSE has issued an advisory today (February 12):

Patched packages uploaded for Mageia 4 and Cauldron.


Updated jython packages fix security vulnerability:

There are serveral problems with the way Jython creates class cache files,
potentially leading to arbitrary code execution or information disclosure


Updated packages in core/updates_testing:

from jython-2.2.1-13.1.mga4.src.rpm


Steps to Reproduce:
Comment 1 David Walser 2015-02-12 16:48:04 CET
In other news, this package is clearly unmaintained in Mageia.  It's still outdated in Cauldron even though a new version has been available in Fedora since May 30, 2014.  This looks like it should be dropped.

CC: (none) => geiger.david68210, pterjan

Comment 2 Otto Leipälä 2015-02-13 14:20:23 CET
Yes it seems to be unmaitaned jtext source code editor needs it so it need to dropped it too.

CC: (none) => ozkyster

Comment 3 David Walser 2015-02-19 17:28:49 CET
See the Novell bug for more info on the behavior of this issue:
Comment 4 claire robinson 2015-02-27 15:18:29 CET
Testing mga4 64

tl;dr; The update doesn't appear to fix the problem, but jython does work.

From the PoC

# ls -l '/usr/share/jython/Lib/xmllib$py.class'
ls: cannot access /usr/share/jython/Lib/xmllib$py.class: No such file or directory

# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw- 1 root root 52885 Feb 27 14:09 /usr/share/jython/Lib/xmllib$py.class

# rm -f '/usr/share/jython/Lib/xmllib$py.class'

# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw- 1 root root 52885 Feb 27 14:10 /usr/share/jython/Lib/xmllib$py.class

For general testing, jython has a cli too. Examples here

$ jython
Type "copyright", "credits" or "license" for more information.
>>> from java.util import Random
>>> r = Random()
>>> r.nextInt()
>>> for i in range(5):
...     print r.nextDouble()

Whiteboard: (none) => has_procedure feedback

Comment 5 David Walser 2015-02-27 16:03:31 CET
Thanks.  The patches were in the SPEC but not actually applied.  Not sure how I did that.  Fixed now (freeze push requested for the same problem in Cauldron).

Updated packages in core/updates_testing:

from jython-2.2.1-13.2.mga4.src.rpm

Whiteboard: has_procedure feedback => has_procedure

Comment 6 claire robinson 2015-02-27 17:10:54 CET
Testing complete mga4 64

It also moves the storage location from /usr/share to the user home.

# ls -l '/usr/share/jython/Lib/xmllib$py.class'
ls: cannot access /usr/share/jython/Lib/xmllib$py.class: No such file or directory

# (umask 000; jython -c 'import xmllib')       
*sys-package-mgr*: processing modified jar, '/usr/share/java/jython.jar'

# ls -l '/usr/share/jython/Lib/xmllib$py.class'
ls: cannot access /usr/share/jython/Lib/xmllib$py.class: No such file or directory

# ll '.jython/cachedir/classes/usr/share/jython/Lib/xmllib0$py.class' 
-rw-rw-rw- 1 root root 52885 Feb 27 16:05 .jython/cachedir/classes/usr/share/jython/Lib/xmllib$py.class

So moved to $HOME but still open perms.

# ll -d .jython/
drwxrwxrwx 3 root root 4096 Feb 27 16:05 .jython//

# ll -d .jython/cachedir/
drwxrwxrwx 4 root root 4096 Feb 27 16:05 .jython/cachedir//

# ll -d .jython/cachedir/classes/
drwxrwxrwx 3 root root 4096 Feb 27 16:05 .jython/cachedir/classes//

# ll -d .jython/cachedir/classes/usr/
drwxrwxrwx 3 root root 4096 Feb 27 16:05 .jython/cachedir/classes/usr//

# ll -d .jython/cachedir/classes/usr/share/
drwxrwxrwx 3 root root 4096 Feb 27 16:05 .jython/cachedir/classes/usr/share//

# ll -d .jython/cachedir/classes/usr/share/jython/
drwxrwxrwx 3 root root 4096 Feb 27 16:05 .jython/cachedir/classes/usr/share/jython//

# ll -d .jython/cachedir/classes/usr/share/jython/Lib/
drwxrwxrwx 2 root root 4096 Feb 27 16:05 .jython/cachedir/classes/usr/share/jython/Lib//
# ll .jython/cachedir/classes/usr/share/jython/Lib/
total 284
-rw-rw-rw- 1 root root  7126 Feb 27 16:05 copy_reg$py.class
-rw-rw-rw- 1 root root 28876 Feb 27 16:05 javaos$py.class
-rw-rw-rw- 1 root root 21057 Feb 27 16:05 javapath$py.class
-rw-rw-rw- 1 root root  3655 Feb 27 16:05 re$py.class
-rw-rw-rw- 1 root root 15857 Feb 27 16:05 site$py.class
-rw-rw-rw- 1 root root 22364 Feb 27 16:05 sre_compile$py.class
-rw-rw-rw- 1 root root 15480 Feb 27 16:05 sre_constants$py.class
-rw-rw-rw- 1 root root 38468 Feb 27 16:05 sre_parse$py.class
-rw-rw-rw- 1 root root 21385 Feb 27 16:05 sre$py.class
-rw-rw-rw- 1 root root  6431 Feb 27 16:05 stat$py.class
-rw-rw-rw- 1 root root 22002 Feb 27 16:05 string$py.class
-rw-rw-rw- 1 root root  9255 Feb 27 16:05 UserDict$py.class
-rw-rw-rw- 1 root root 52885 Feb 27 16:05 xmllib$py.class
Comment 7 David Walser 2015-02-27 17:17:09 CET
Yeah the approach they made to fix the permissions was to just adjust the directory instead of the files, but the patch for that looks a bit fishy:

If it doesn't restrict the permissions on ~/.jython or ~/.jython/cachedir or ~/.jython/cachedir/classes (removing "other" executable permissions would be the most effective method), then it's not a very effective solution.
Comment 8 David Walser 2015-02-27 17:37:19 CET
I posted a comment in RedHat's bugzilla:

I also e-mailed the SuSE packager who did their update.
Comment 9 claire robinson 2015-02-27 17:43:02 CET
Using the PoC, the file is 644 if the directory structure is created by jython cli, the dirs themselves have 655. 

If the directory structure is created with the PoC instead then dirs are 777 and file is 666

ie. If jython cli is run first, then the PoC..

$ ll -d .jython
drwxr-xr-x 3 claire claire 4096 Feb 27 16:27 .jython/

$ ll .jython/cachedir/classes/usr/share/jython/Lib/xmllib\$py.class 
-rw-r--r-- 1 claire claire 52885 Feb 27 16:29 .jython/cachedir/classes/usr/share/jython/Lib/xmllib$py.class

If ~/.jython is not yet created when the PoC is run..

$ rm -rf .jython/
$ (umask 000; jython -c 'import xmllib')

$ ll -d .jython
drwxrwxrwx 3 claire claire 4096 Feb 27 16:41 .jython/

$ ll .jython/cachedir/classes/usr/share/jython/Lib/xmllib\$py.class 
-rw-rw-rw- 1 claire claire 52885 Feb 27 16:41 .jython/cachedir/classes/usr/share/jython/Lib/xmllib$py.class
Comment 10 David Walser 2015-02-27 17:46:52 CET
So basically the umask is effectively being used to control the permissions of the things being created, which makes sense.  The original bug report says that it creates class files with insecure permissions if a weak umask is used, so I guess the fix is partially effective in that it respects the umask and doesn't just use 666 permissions on the class files all the time, but still doesn't address what happens with a weak umask by ensuring that the class files aren't world-writable.  I guess one could argue it should, but maybe it's debatable whether it's still a security issue now.  If you set a weak umask, maybe you deserve what you get.
Comment 11 claire robinson 2015-02-27 17:50:15 CET
Yes, seems like a partial fix.
Comment 12 claire robinson 2015-02-27 17:56:28 CET
Adding feedback marker for now

Whiteboard: has_procedure => has_procedure feedback

Comment 13 David Walser 2015-03-05 21:12:35 CET
A response has been posted on the RedHat bug:

We can go ahead and OK this.  Thanks again Claire.

Whiteboard: has_procedure feedback => has_procedure

claire robinson 2015-03-05 22:33:19 CET

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 14 claire robinson 2015-03-06 17:29:46 CET
Testing complete mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 15 claire robinson 2015-03-06 17:52:21 CET
Validating. Advisory uploaded with srpm from comment 5

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2015-03-06 19:09:36 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.