- Added patches to fix CVE-2013-2027 bnc#916224:

* jython-cached-classes.patch * jython-cacheperms.patch * jython-makeCompiledFilename.patch OBS-URL: https://build.opensuse.org/package/show/Java:packages/jython?expand=0&rev=12
2015-02-04 14:24:57 +00:00 · 2015-02-04 14:24:57 +00:00 · 14adf8d273
commit 14adf8d273
parent fc32b1720e
5 changed files with 149 additions and 1 deletions
--- a/jython-cached-classes.patch
+++ b/jython-cached-classes.patch
@ -0,0 +1,68 @@
+From 85a88bcffe2d61d143b4f8c545bd28b152d8d05b Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lubo.rintel@gooddata.com>
+Date: Wed, 3 Apr 2013 18:31:40 +0200
+Subject: [PATCH 3/3] Use cache dir for classes too
+
+Instead of attempting to write them next to source files.
+Java 6 API does not allow for setting sane permissions (i.e. same as
+those of a source file) and relying on defaults is a security hazard
+which can lead to information disclosure, or, in case of a too relaxed
+umask, arbitrary code execution.
+
+Also, this will likely improve performance for non-privileged users
+which can not write to their distribution's packaged jython tree.
+---
+ src/org/python/core/PySystemState.java |  6 ++++++
+ src/org/python/core/imp.java           | 12 ++++++++++--
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/org/python/core/PySystemState.java b/src/org/python/core/PySystemState.java
+index 9de34e3..a124228 100644
+--- a/src/org/python/core/PySystemState.java
+++ b/src/org/python/core/PySystemState.java
+@@ -539,6 +539,12 @@ public class PySystemState extends PyObject
+     public static PackageManager packageManager;
+     public static File cachedir;
+     
+    public static File classCache() {
+        if (cachedir == null)
+	    return null;
+        return new File(cachedir, "classes");
+    }
+
+     public static boolean isPackageCacheEnabled() {
+         return cachedir != null;
+     }
+diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java
+index a9868dd..67c33d6 100644
+--- a/src/org/python/core/imp.java
+++ b/src/org/python/core/imp.java
+@@ -117,8 +117,15 @@ public class imp {
+     }
+ 
+     private static String makeCompiledFilename(String filename) {
+-        return filename.substring(0, filename.length() - 3)
+-                + "$py.class";
+	String basename = filename.substring(0, filename.length() - 3)
+                        + "$py.class";
+        File cache = Py.getSystemState().classCache();
+
+        if (cache == null) {
+            return basename;
+        } else {
+            return new File(cache, basename).getPath();
+        }
+     }
+     
+     /**
+@@ -144,6 +151,7 @@ public class imp {
+         }
+         FileOutputStream fop = null;
+         try {
+            new File(compiledFilename).getParentFile().mkdirs();
+             fop = new FileOutputStream(compiledFilename);
+             fop.write(compiledSource);
+             fop.close();
+-- 
+1.8.3.1
+
--- a/jython-cacheperms.patch
+++ b/jython-cacheperms.patch
@ -0,0 +1,31 @@
+From 517883617472d53c3346ad419f0af42a7dd83705 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lubo.rintel@gooddata.com>
+Date: Wed, 3 Apr 2013 18:24:46 +0200
+Subject: [PATCH 1/3] Make cache not accessible by anyone else
+
+Sensitive information might be being cached or umask can be too relaxed,
+allowing writes.
+---
+ src/org/python/core/CachedJarsPackageManager.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/org/python/core/CachedJarsPackageManager.java b/src/org/python/core/CachedJarsPackageManager.java
+index 6953136..764f2f3 100644
+--- a/src/org/python/core/CachedJarsPackageManager.java
+++ b/src/org/python/core/CachedJarsPackageManager.java
+@@ -587,6 +587,12 @@ public abstract class CachedJarsPackageManager extends PackageManager {
+             return false;
+         }
+ 
+        aCachedir1.setReadable(false, false);
+        aCachedir1.setWritable(false, false);
+        aCachedir1.setExecutable(false, false);
+        aCachedir1.setReadable(true, true);
+        aCachedir1.setWritable(true, true);
+        aCachedir1.setExecutable(true, true);
+         this.cachedir = aCachedir1;
+ 
+         return true;
+-- 
+1.8.3.1
+
--- a/jython-makeCompiledFilename.patch
+++ b/jython-makeCompiledFilename.patch
@ -0,0 +1,34 @@
+From 9adf26828ecf5650a86885b344b93242f6617220 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lubo.rintel@gooddata.com>
+Date: Wed, 3 Apr 2013 18:32:14 +0200
+Subject: [PATCH 2/3] Avoid code duplication with makeCompiledFilename()
+
+---
+ src/org/python/core/imp.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java
+index a902079..a9868dd 100644
+--- a/src/org/python/core/imp.java
+++ b/src/org/python/core/imp.java
+@@ -424,7 +424,7 @@ public class imp {
+ 
+         int nlen = name.length();
+         String sourceName = "__init__.py";
+-        String compiledName = "__init__$py.class";
+        String compiledName = makeCompiledFilename(sourceName);
+         String directoryName = defaultEmptyPathDirectory(entry.toString());
+ 
+         // First check for packages
+@@ -437,7 +437,7 @@ public class imp {
+         if (!pkg) {
+             Py.writeDebug(IMPORT_LOG, "trying source " + dir.getPath());
+             sourceName = name + ".py";
+-            compiledName = name + "$py.class";
+            compiledName = makeCompiledFilename(sourceName);
+             sourceFile = new File(directoryName, sourceName);
+             compiledFile = new File(directoryName, compiledName);
+         } else {
+-- 
+1.8.3.1
+
--- a/jython.changes
+++ b/jython.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Feb  4 14:23:46 UTC 2015 - tchvatal@suse.com
+
+- Added patches to fix CVE-2013-2027 bnc#916224:
+  * jython-cached-classes.patch
+  * jython-cacheperms.patch
+  * jython-makeCompiledFilename.patch
+
 -------------------------------------------------------------------
 Mon Sep  9 11:06:09 UTC 2013 - tchvatal@suse.com

--- a/jython.spec
+++ b/jython.spec
@ -1,7 +1,7 @@
 #
 # spec file for package jython
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -42,6 +42,10 @@ Patch0:         %{name}-cachedir.patch
 # Also, copy python's license from source directory and not
 # ${python.home}
 Patch1:         %{name}-nofullbuildpath.patch
+# These address CVE-2013-2027 (http://bugs.jython.org/msg8004)
+Patch3:         %{name}-cacheperms.patch
+Patch4:         %{name}-makeCompiledFilename.patch
+Patch5:         %{name}-cached-classes.patch
 Requires:       jakarta-oro
 Requires:       javapackages-tools
 Requires:       libreadline-java >= 0.8.0-16
@ -166,6 +170,9 @@ development and in shipping products.
 %setup -q -n %{name}-svn-%{svn_tag}
 %patch0 -p1
 %patch1 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1

 %build
 export CLASSPATH=$(build-classpath mysql-connector-java oro servlet)