Title: Jython creates executables class files with wrong permissions
Type: security Severity: major
Components: Core Versions: Jython 2.2
Milestone: Jython 2.7.2
Status: open Resolution: accepted
Dependencies: Superseder:
Assigned To: Nosy List: jeff.allen, kseifried, zyasoft
Priority: normal Keywords:

Created on 2013-05-02.07:16:19 by kseifried, last changed 2019-11-06.22:05:11 by jeff.allen.

msg8004 (view) Author: Kurt Seifried (kseifried) Date: 2013-05-02.07:16:18
Lubomir Rintel 2013-04-03 11:29:50 EDT
Description of problem:

There are serveral problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure.

# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw-. 1 root root 52874 Apr  3 17:24 /usr/share/jython/Lib/xmllib$py.class

Jython does not explicitly set permissions of the class files; therefore with weak umask it creates world-writable files, or discloses sensitive data that would be in a non-world-readable package file.

Also, the package writes to /usr/share, which it shouldn't; /var/cache would be more appropriate, but would still lead to a possibility of a content disclosure.

The only really portable and secure way to cache class files would be a directory in user's home with 0700 permissions.

It is currently even not possible to easily disable the caching, since the configuration file is not marked with %config and resides in /usr/share instead of /etc.

Version-Release number of selected component (if applicable):

msg8005 (view) Author: Kurt Seifried (kseifried) Date: 2013-05-02.07:16:47
This was assigned CVE-2013-2027
msg9363 (view) Author: Jim Baker (zyasoft) Date: 2015-01-09.03:26:24
This no longer appears to be the case with at least 2.7, possibly because we have better control of setting file permissions with JNR-Posix.

2.2 is not something we would fix.
msg12766 (view) Author: Jeff Allen (jeff.allen) Date: 2019-11-06.22:05:11
I observe this still to be a problem on Linux. If, following the OP's example, I set umask 000 and provoke the creation of class files in Lib, they have permissions 0666.
Date User Action Args
2019-11-06 22:05:11jeff.allensetstatus: closed -> open
nosy: + jeff.allen
messages: + msg12766
priority: normal
milestone: Jython 2.7.2
resolution: out of date -> accepted
2015-01-09 03:26:24zyasoftsetstatus: open -> closed
resolution: out of date
messages: + msg9363
nosy: + zyasoft
2013-05-02 07:16:47kseifriedsetmessages: + msg8005
2013-05-02 07:16:19kseifriedcreate