Issue2044

classification
Title: Jython creates executables class files with wrong permissions
Type: security Severity: major
Components: Core Versions: Jython 2.2
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: kseifried
Priority: Keywords:

Created on 2013-05-02.07:16:19 by kseifried, last changed 2013-05-02.07:16:47 by kseifried.

Messages
msg8004 (view) Author: Kurt Seifried (kseifried) Date: 2013-05-02.07:16:18
Lubomir Rintel 2013-04-03 11:29:50 EDT
Description of problem:

There are serveral problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure.

# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw-. 1 root root 52874 Apr  3 17:24 /usr/share/jython/Lib/xmllib$py.class

Jython does not explicitly set permissions of the class files; therefore with weak umask it creates world-writable files, or discloses sensitive data that would be in a non-world-readable package file.

Also, the package writes to /usr/share, which it shouldn't; /var/cache would be more appropriate, but would still lead to a possibility of a content disclosure.

The only really portable and secure way to cache class files would be a directory in user's home with 0700 permissions.

It is currently even not possible to easily disable the caching, since the configuration file is not marked with %config and resides in /usr/share instead of /etc.

Version-Release number of selected component (if applicable):

jython-2.2.1-4.8.el6.x86_64
msg8005 (view) Author: Kurt Seifried (kseifried) Date: 2013-05-02.07:16:47
This was assigned CVE-2013-2027
History
Date User Action Args
2013-05-02 07:16:47kseifriedsetmessages: + msg8005
2013-05-02 07:16:19kseifriedcreate