
jython: code execution

Package(s): jython    CVE #(s): CVE-2013-2027
Created: February 12, 2015    Updated: March 30, 2015
Description: From the SUSE bugzilla entry:

There are [several] problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure.

# (umask 000; jython -c 'import xmllib')
# ls -l '/usr/share/jython/Lib/xmllib$py.class'
-rw-rw-rw-. 1 root root 52874 Apr  3 17:24 /usr/share/jython/Lib/xmllib$py.class

Jython does not explicitly set permissions of the class files; therefore with weak umask it creates world-writable files, or discloses sensitive data that would be in a non-world-readable package file.

Also, the package writes to /usr/share, which it shouldn't; /var/cache would be more appropriate, but would still lead to a possibility of a content disclosure.

The only really portable and secure way to cache class files would be a directory in user's home with 0700 permissions.
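As an added illustration that is not part of the LWN entry, the SUSE bug report or Jython's own code: a small Python script that reproduces the umask 000 case in a scratch directory, audits a tree for world-writable `$py.class` cache files (the check an administrator would run against a shared install such as /usr/share/jython/Lib), and then writes the cache the way the report recommends, into a per-user directory created with 0700 permissions and files created with 0600 permissions regardless of umask. The function names, the `cache_root` argument (standing in for a directory under the user's home) and the sample bytes are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Jython names its compiled cache files "<module>$py.class"; used here as the audit pattern.
CACHE_SUFFIX = "$py.class"


def find_world_writable_class_files(root):
    """Return sorted paths under `root` named '*$py.class' that are world-writable regular files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(CACHE_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks planted in the tree
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def naive_cache_write(cache_dir, module, data):
    """The 'before' case from the report: write the cache file with no explicit permissions.

    The resulting mode is 0666 masked by the process umask, so umask 000 yields
    a world-writable file that anyone on the host could replace with their own bytecode.
    """
    path = os.path.join(cache_dir, module + CACHE_SUFFIX)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def secure_cache_write(cache_root, module, data):
    """Write the cache file into a per-user directory with 0700/0600 permissions.

    `cache_root` stands in for a directory under the user's home (the report's
    recommendation). mkdir's mode and open's mode are both umask-masked, so the
    explicit chmod calls are what make the result independent of umask.
    O_EXCL refuses to reuse a pre-existing file or symlink at the cache path;
    stale entries must be removed by the caller before rewriting.
    """
    cache_dir = Path(cache_root)
    cache_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(cache_dir, 0o700)
    path = cache_dir / (module + CACHE_SUFFIX)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)
    return str(path)


def file_mode(path):
    """Permission bits of `path` as an int, e.g. 0o600."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Reproduce the umask 000 case in a scratch tree and audit both cache layouts.

    Returns (world-writable hits in the naive tree, hits in the secure tree,
    naive file mode, secure file mode, secure directory mode).
    """
    old_umask = os.umask(0)  # the weak umask from the report
    try:
        with tempfile.TemporaryDirectory() as scratch:
            shared = os.path.join(scratch, "shared-lib")  # stands in for /usr/share/jython/Lib
            os.mkdir(shared)
            sample = b"\xca\xfe\xba\xbe"  # constructed placeholder, not real bytecode
            naive_path = naive_cache_write(shared, "xmllib", sample)
            naive_hits = find_world_writable_class_files(shared)

            user_cache = os.path.join(scratch, "user-cache")  # stands in for ~/.cache/...
            secure_path = secure_cache_write(user_cache, "xmllib", sample)
            secure_hits = find_world_writable_class_files(user_cache)

            return (len(naive_hits), len(secure_hits),
                    file_mode(naive_path), file_mode(secure_path), file_mode(user_cache))
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    naive, secure, naive_mode, secure_mode, dir_mode = demo()
    print(f"naive tree: {naive} world-writable file(s), mode {naive_mode:o}")
    print(f"secure tree: {secure} world-writable file(s), file mode {secure_mode:o}, dir mode {dir_mode:o}")
```

Running the script prints one world-writable file for the naive layout (mode 666) and none for the per-user layout (file 600, directory 700). The audit function alone can be pointed at a real install to check whether an affected Jython has already left world-writable cache files behind.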

Alerts:
Mandriva MDVSA-2015:158 jython 2015-03-29
Mageia MGASA-2015-0096 jython 2015-03-06
openSUSE openSUSE-SU-2015:0269-1 jython 2015-02-12



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds