Ubuntu
openjdk-17 package

  1. Bug #2032865
  2. Activity log

Activity log for bug #2032865

Date Who What changed Old value New value Message
2023-08-24 01:56:56 Vladimir Petko bug added bug
2023-08-24 01:57:11 Vladimir Petko bug task added openjdk-lts (Ubuntu)
2023-08-24 01:57:29 Vladimir Petko nominated for series Ubuntu Jammy
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-lts (Ubuntu Jammy)
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-17 (Ubuntu Jammy)
2023-08-24 01:57:29 Vladimir Petko nominated for series Ubuntu Mantic
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-lts (Ubuntu Mantic)
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-17 (Ubuntu Mantic)
2023-08-24 01:57:29 Vladimir Petko nominated for series Ubuntu Lunar
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-lts (Ubuntu Lunar)
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-17 (Ubuntu Lunar)
2023-08-24 01:57:29 Vladimir Petko nominated for series Ubuntu Focal
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-lts (Ubuntu Focal)
2023-08-24 01:57:29 Vladimir Petko bug task added openjdk-17 (Ubuntu Focal)
2023-08-24 02:46:18 Vladimir Petko attachment added validate-fix.sh https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/2032865/+attachment/5694485/+files/validate-fix.sh
2023-08-24 03:03:04 Vladimir Petko description [Background] JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) was fixed in openjdk 11.0.20.1+1 and openjdk 17.0.8.1+1. -------------- The following ZipException may be thrown when the data contained in the CEN Extra fields are problematic: Invalid CEN header (invalid zip64 extra data field size) The ZipException may occur due to: 1. Some releases of Ant and commons-compress create CEN Zip64 extra headers with a size of 0 when Zip64 mode is required - fixed in Commons-compress 1.11 (2016) and Ant 1.10.14 (2023). 2. Extra field includes padding not included in the Extra data field headers 3. The BND tool added problematic data to the extra field - fixed in BND 5.3 (2021) and maven-bundle-plugin 5.1.5 which includes BND 5.3 The issue can demonstrated via the following ant script : ?xml version="1.0"?> <project name="zip 64 jar test" basedir="." default="jar"> <property name="jarFile" value="test.jar"/> <property name="builddir" value="classes"/> <target name="jar"> <jar destfile="${jarFile}" zip64mode="always" basedir="${builddir}"/> </target> </project> ---------------- [1] [Impact] This means that zip64 jar files made by older versions of commons-compress and more importantly Ant are not readable by the July security update JDKs (11.0.20 and 17.0.8). The user is unable to run existing software. The latest version of ant in the archive is 1.10.13[2] which means that all relevant Ubuntu versions (bionic, focal, jammy, lunar, mantic) are affected. The behaviour can be worked around with jdk.util.zip.disableZip64ExtraFieldValidation but this exposes the user to CVE-2023-22036 - JDK crash when unpacking malicious zip file which can be problematic for the server-side workloads. [Suggested Fix] Release upstream versions 11.0.20.1+1 and 17.0.8.1+1 to affected versions - bionic, focal, jammy, lunar, mantic. [Test Plan] Ensure that the test jar file can be run using the fixed version. [Where the problems can occur] - validate that the zip file can run when Security manager is enabled and a permission to read 'jdk.util.zip.disableZip64ExtraFieldValidation' is not granted [1] https://bugs.openjdk.org/browse/JDK-8313765 [2] https://launchpad.net/ubuntu/+source/ant [Background] JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) was fixed in openjdk 11.0.20.1+1 and openjdk 17.0.8.1+1. -------------- The following ZipException may be thrown when the data contained in the CEN Extra fields are problematic:       Invalid CEN header (invalid zip64 extra data field size) The ZipException may occur due to:  1. Some releases of Ant and commons-compress create CEN Zip64 extra headers with a size of 0 when Zip64 mode is required    - fixed in Commons-compress 1.11 (2016) and Ant 1.10.14 (2023).  2. Extra field includes padding not included in the Extra data field headers  3. The BND tool added problematic data to the extra field     - fixed in BND 5.3 (2021) and maven-bundle-plugin 5.1.5 which includes BND 5.3 The issue can demonstrated via the following ant script : ?xml version="1.0"?> <project name="zip 64 jar test" basedir="." default="jar">     <property name="jarFile" value="test.jar"/>     <property name="builddir" value="classes"/>     <target name="jar">         <jar destfile="${jarFile}"              zip64mode="always"              basedir="${builddir}"/>     </target> </project> ---------------- [1] [Impact] This means that zip64 jar files made by older versions of commons-compress and more importantly Ant are not readable by the July security update JDKs (11.0.20 and 17.0.8). The user is unable to run existing software. The latest version of ant in the archive is 1.10.13[2] which means that all relevant Ubuntu versions (bionic, focal, jammy, lunar, mantic) are affected. The behaviour can be worked around with jdk.util.zip.disableZip64ExtraFieldValidation but this exposes the user to CVE-2023-22036 - JDK crash when unpacking malicious zip file which can be problematic for the server-side workloads. [Suggested Fix] Release upstream versions 11.0.20.1+1 and 17.0.8.1+1 to affected versions - bionic (esm), focal, jammy, lunar, mantic. [Test Plan] Ensure that the test jar file can be run using the fixed version. ----------------------- #!/bin/bash for release in bionic focal jammy lunar mantic; do for jdk in openjdk-11-jdk-headless openjdk-17-jdk-headless; do echo -------testing $release with $jdk lxc launch ubuntu-daily:$release tester lxc exec tester -- apt-get update lxc exec tester -- apt-get -y install ${jdk} ant lxc file push validate-fix.sh tester/home/ubuntu/validate-fix.sh lxc exec tester -- /bin/bash /home/ubuntu/validate-fix.sh lxc stop tester lxc delete tester echo -------DONE testing $release with $jdk done done ----------------------- validate-fix.sh is attached to the bug. [Where the problems can occur] - validate that the zip file can run when Security manager is enabled and a permission to read 'jdk.util.zip.disableZip64ExtraFieldValidation' is not granted [1] https://bugs.openjdk.org/browse/JDK-8313765 [2] https://launchpad.net/ubuntu/+source/ant
2023-08-24 03:05:39 Vladimir Petko attachment removed validate-fix.sh https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/2032865/+attachment/5694485/+files/validate-fix.sh
2023-08-24 03:06:01 Vladimir Petko attachment added validate-fix.sh https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/2032865/+attachment/5694489/+files/validate-fix.sh
2023-08-24 03:41:47 Vladimir Petko merge proposal linked https://code.launchpad.net/~vpa1977/ubuntu/+source/openjdk-17/+git/openjdk-17/+merge/449794
2023-08-24 03:44:18 Vladimir Petko merge proposal linked https://code.launchpad.net/~vpa1977/ubuntu/+source/openjdk-lts/+git/openjdk-lts/+merge/449796
2023-08-30 09:42:32 Launchpad Janitor openjdk-lts (Ubuntu Jammy): status New Fix Released
2023-08-30 09:42:40 Launchpad Janitor openjdk-17 (Ubuntu Focal): status New Fix Released
2023-08-30 09:56:11 Launchpad Janitor openjdk-lts (Ubuntu Lunar): status New Fix Released
2023-08-30 09:56:12 Launchpad Janitor openjdk-lts (Ubuntu Focal): status New Fix Released
2023-08-30 09:56:16 Launchpad Janitor openjdk-17 (Ubuntu Lunar): status New Fix Released
2023-08-30 09:56:18 Launchpad Janitor openjdk-17 (Ubuntu Jammy): status New Fix Released
2024-02-28 19:12:17 Vladimir Petko openjdk-lts (Ubuntu Mantic): status New Fix Released
2024-02-28 19:12:26 Vladimir Petko openjdk-lts (Ubuntu): status New Fix Released
2024-02-28 19:12:35 Vladimir Petko openjdk-17 (Ubuntu): status New Fix Released
2024-02-28 19:12:47 Vladimir Petko openjdk-17 (Ubuntu Mantic): status New Fix Released