Message8004
Lubomir Rintel 2013-04-03 11:29:50 EDT
Description of problem:
There are several problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure.
# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw-. 1 root root 52874 Apr 3 17:24 /usr/share/jython/Lib/xmllib$py.class
Jython does not explicitly set permissions of the class files; therefore with weak umask it creates world-writable files, or discloses sensitive data that would be in a non-world-readable package file.
Also, the package writes to /usr/share, which it shouldn't; /var/cache would be more appropriate, but would still lead to a possibility of a content disclosure.
The only really portable and secure way to cache class files would be a directory in the user's home with 0700 permissions.
It is currently not even possible to easily disable the caching, since the configuration file is not marked with %config and resides in /usr/share instead of /etc.
Version-Release number of selected component (if applicable):
jython-2.2.1-4.8.el6.x86_64
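Added illustration of the permission problem described above; this is example code written for this page, not part of the report or of Jython. It reproduces the weak-umask scenario in a temporary directory: a cache file written with a plain open() inherits 0666 & ~umask, while write_cache_file() creates the file with an explicit 0600 mode (and a 0700 parent directory) so the umask is irrelevant. world_writable_files() is a small audit helper a packager or administrator could run over a cache directory to find files that others can modify. All paths and function names are assumptions for the example; the file name mirrors the xmllib$py.class file from the report.

```python
import os
import stat
import tempfile


def write_cache_file(path, data):
    """Create `path` with explicit 0600 permissions, independent of the umask.

    O_EXCL refuses to follow or overwrite a pre-existing file, and fchmod sets
    the final mode explicitly instead of trusting the umask-masked create mode.
    Returns the resulting permission bits of the file.
    """
    parent = os.path.dirname(path)
    os.makedirs(parent, mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # explicit: do not rely on the process umask
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable_files(directory):
    """Return paths (relative to `directory`) of regular files others can write."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, directory))
    return sorted(found)


def demo(umask_value=0o000):
    """Reproduce the scenario from the report under a chosen umask.

    Returns (mode of the naively written file, mode of the safely written file,
    list of world-writable files found by the audit helper).
    """
    old = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            # Naive variant: mode comes from 0666 & ~umask, like the report shows.
            naive = os.path.join(tmp, "Lib", "xmllib$py.class")
            os.makedirs(os.path.dirname(naive))
            with open(naive, "wb") as f:
                f.write(b"\xca\xfe\xba\xbe")  # constructed placeholder class bytes
            naive_mode = stat.S_IMODE(os.stat(naive).st_mode)

            # Hardened variant: explicit 0600 regardless of umask.
            safe = os.path.join(tmp, "cache", "xmllib$py.class")
            safe_mode = write_cache_file(safe, b"\xca\xfe\xba\xbe")

            return naive_mode, safe_mode, world_writable_files(tmp)
    finally:
        os.umask(old)


if __name__ == "__main__":
    naive_mode, safe_mode, bad = demo(0o000)
    print("umask 000: naive=%o safe=%o world-writable=%s" % (naive_mode, safe_mode, bad))
```

With umask 000, demo() reports the naive file as 0666 and flags it, while the explicitly created file stays 0600; with umask 022 the naive file is 0644 and nothing is flagged, which is exactly why a packager cannot rely on the umask of whoever happens to trigger the compile. Note that a per-user 0700 cache directory, as the report recommends, also avoids the information-disclosure side: a world-readable class file in a shared location exposes the compiled contents of a package file that was itself not world-readable.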
Date | User | Action | Args
2013-05-02 07:16:19 | kseifried | set | recipients: + kseifried
2013-05-02 07:16:19 | kseifried | set | messageid: <1367478979.3.0.10819571174.issue2044@psf.upfronthosting.co.za>
2013-05-02 07:16:19 | kseifried | link | issue2044 messages
2013-05-02 07:16:18 | kseifried | create |