[CVEs] Creates executable class files with wrong permissions, Unsafe deserialization leads to code execution

Bug #1714728 reported by Simon Quigley on 2017-09-03
Affects: jython (Ubuntu), status tracked in Artful

Series   Importance   Assigned to
Trusty   High         Simon Quigley
Xenial   High         Simon Quigley
Zesty    High         Simon Quigley
Artful   Medium       Simon Quigley

Bug Description

This aims to fix two CVEs:

 - CVE-2013-2027: Creates executable class files with wrong permissions
 - CVE-2016-4000: Unsafe deserialization leads to code execution

While CVE-2013-2027 is not shown as fixed in Debian and Red Hat, it is fixed in openSUSE (openSUSE-SU-2015:0269-1), so we can backport their patches.

CVE-2016-4000 was fixed in Debian in 2.5.3-17, and that's in Artful, but we still need fixes for Trusty, Xenial, and Zesty.


Simon Quigley (tsimonq2) wrote :

Since CVE-2016-4000 is High priority, marking it as High priority in all affected releases and as Medium in Artful.

Changed in jython (Ubuntu Trusty):
importance: Undecided → High
Changed in jython (Ubuntu Xenial):
importance: Undecided → High
Changed in jython (Ubuntu Zesty):
importance: Undecided → High
Changed in jython (Ubuntu Artful):
importance: Undecided → Medium
Changed in jython (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in jython (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in jython (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in jython (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in jython (Ubuntu Trusty):
status: New → In Progress
Changed in jython (Ubuntu Xenial):
status: New → In Progress
Changed in jython (Ubuntu Zesty):
status: New → In Progress
Changed in jython (Ubuntu Artful):
status: New → In Progress
Changed in jython (Ubuntu Trusty):
milestone: none → trusty-updates
Changed in jython (Ubuntu Xenial):
milestone: none → xenial-updates
Changed in jython (Ubuntu Zesty):
milestone: none → zesty-updates
Changed in jython (Ubuntu Artful):
milestone: none → ubuntu-17.09
tags: added: artful trusty xenial zesty
Simon Quigley (tsimonq2) on 2017-09-03
Changed in jython (Ubuntu Artful):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jython - 2.5.3-17ubuntu1

---------------
jython (2.5.3-17ubuntu1) artful; urgency=medium

  * SECURITY UPDATE: Creates executable class files with wrong permissions
    (LP: #1714728)
    - CVE-2013-2027
    - 1-CVE-2013-2027.patch
    - 2-CVE-2013-2027.patch
    - 3-CVE-2013-2027.patch
    - Thanks to Lubomir Rintel for the patches!

 -- Simon Quigley <email address hidden> Sat, 02 Sep 2017 21:26:38 -0500

Changed in jython (Ubuntu Artful):
status: Fix Committed → Fix Released
Simon Quigley (tsimonq2) wrote :

Uploaded the fixes to ppa:tsimonq2/security-builds if anybody would like to test.

Simon Quigley (tsimonq2) wrote :

Attached is a patch for Zesty applicable to 2.5.3-15.

I tested it on an Ubuntu 17.04 install and it works as intended.

Simon Quigley (tsimonq2) wrote :

Attached is a patch for Xenial applicable to 2.5.3-9.

I tested it on a Lubuntu 16.04 install and it works as intended.

Simon Quigley (tsimonq2) wrote :

Attached is a patch for Trusty applicable to 2.5.3-1.

I tested it on a Lubuntu 14.04 install and it works as intended.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jython - 2.5.3-9ubuntu0.1

---------------
jython (2.5.3-9ubuntu0.1) xenial-security; urgency=high

  [ Simon Quigley ]
  * SECURITY UPDATE: Creates executable class files with wrong permissions
    (LP: #1714728)
    - CVE-2013-2027
    - 1-CVE-2013-2027.patch
    - 2-CVE-2013-2027.patch
    - 3-CVE-2013-2027.patch
    - Thanks to Lubomir Rintel for the patches!

  [ Markus Koschany ]
  * SECURITY UPDATE: Unsafe deserialization may lead to arbitrary code
    execution
    - CVE-2016-4000
    - CVE-2016-4000.patch

 -- Simon Quigley <email address hidden> Mon, 18 Sep 2017 06:25:00 -0500

Changed in jython (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jython - 2.5.3-1ubuntu0.1

---------------
jython (2.5.3-1ubuntu0.1) trusty-security; urgency=high

  [ Simon Quigley ]
  * SECURITY UPDATE: Creates executable class files with wrong permissions
    (LP: #1714728)
    - CVE-2013-2027
    - 1-CVE-2013-2027.patch
    - 2-CVE-2013-2027.patch
    - 3-CVE-2013-2027.patch
    - Thanks to Lubomir Rintel for the patches!

  [ Markus Koschany ]
  * SECURITY UPDATE: Unsafe deserialization may lead to arbitrary code
    execution
    - CVE-2016-4000
    - CVE-2016-4000.patch

 -- Simon Quigley <email address hidden> Wed, 20 Sep 2017 21:10:50 -0500

Changed in jython (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jython - 2.5.3-15ubuntu0.1

---------------
jython (2.5.3-15ubuntu0.1) zesty-security; urgency=high

  [ Simon Quigley ]
  * SECURITY UPDATE: Creates executable class files with wrong permissions
    (LP: #1714728)
    - CVE-2013-2027
    - 1-CVE-2013-2027.patch
    - 2-CVE-2013-2027.patch
    - 3-CVE-2013-2027.patch
    - Thanks to Lubomir Rintel for the patches!

  [ Markus Koschany ]
  * SECURITY UPDATE: Unsafe deserialization may lead to arbitrary code
    execution
    - CVE-2016-4000
    - CVE-2016-4000.patch

 -- Simon Quigley <email address hidden> Mon, 18 Sep 2017 00:43:55 -0500

Changed in jython (Ubuntu Zesty):
status: In Progress → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Simon!
