Security exception raised by java.util.Properties.store() when using openjdk-16-jdk
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openjdk-11 (Debian) | New | Unknown | | |
| openjdk-16 (Ubuntu) | Confirmed | Undecided | Unassigned | |
| openjdk-lts (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Since JDK 11, the Ubuntu "open jdk" packages have a defect which does not appear in the actual Open JDK distros available from java.net. The problem was discovered by Derby users (see https:/
This is the problem: When trying to persist a java.util.
```java
bw.write("#" + new Date().toString());
```
The exception stack trace (see the repro below) is:
```
Exception in thread "main" java.security.
at java.base/
at java.base/
at java.base/
at java.base/
at java.base/
at java.base/
at java.base/
at DERBY_7122.
```
At a minimum, could someone explain (with CVE numbers if available) the security risk incurred by probing the value of the Linux environment variable SOURCE_DATE_EPOCH?
Here is a sample program which demonstrates this problem. This program runs fine on Open JDK distros from java.net.
```java
import java.io.
import java.util.

/**
 * Demonstrate that Properties.store() fails under a security manager on Ubuntu.
 */
public class DERBY_7122
{
    private static final String PROPERTY_FILE_NAME = "/tmp/derby-
    private static final String SECURITY_
    private static final String SECURITY_
    private final static String POLICY_
    private static final String SECURITY_
        "grant\n" +
        "{\n" +
        "  permission java.io.
        "};\n"
        ;

    public static void main(String... args) throws Exception
    {
        // write the policy file
        try (PrintWriter pw = new PrintWriter(
        { pw.write(

        // start up a security manager using the policy file we just wrote

        // create a small Properties object
        Properties props = new Properties();

        // write the properties to disk.
    }
}
```
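The repro above is cut off in this copy of the report, so the following is an added example, not the reporter's program and not Derby or OpenJDK code. It shows the mechanism behind the failure from the defender's side: under a SecurityManager, `System.getenv(name)` is guarded by `RuntimePermission "getenv.<name>"`, checked per variable name, so a JDK build whose `Properties.store()` consults `SOURCE_DATE_EPOCH` needs exactly that one grant and nothing broader. The policy below grants that single name plus read/write on one properties file; file names are chosen for this example, `/tmp` is assumed writable, and the JVM is assumed to be JDK 16 or earlier (`System.setSecurityManager` is deprecated in JDK 17 and disallowed by default from JDK 18 on).

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Properties;

/**
 * Added example; not part of the bug report, Derby or OpenJDK.
 *
 * Installs a SecurityManager whose policy grants RuntimePermission
 * "getenv.SOURCE_DATE_EPOCH" and FilePermission on one properties file, then
 * checks which environment variables sandboxed code may read and whether
 * Properties.store() to the granted file succeeds.
 *
 * Assumptions: /tmp is writable; JDK 16 or earlier (see lead-in).
 */
public class GetenvPermissionDemo
{
    // Paths chosen for this example.
    private static final String PROPERTY_FILE_NAME = "/tmp/getenv-demo.properties";
    private static final String POLICY_FILE_NAME = "/tmp/getenv-demo.policy";

    private static final String POLICY_TEXT =
        "grant\n" +
        "{\n" +
        "  permission java.io.FilePermission \"" + PROPERTY_FILE_NAME + "\", \"read,write\";\n" +
        "  // narrowest grant for a JDK whose Properties.store() consults SOURCE_DATE_EPOCH\n" +
        "  permission java.lang.RuntimePermission \"getenv.SOURCE_DATE_EPOCH\";\n" +
        "};\n";

    /** True if sandboxed code may read the named variable; false if the permission check fails. */
    static boolean canReadEnv(String name)
    {
        try
        {
            System.getenv(name);   // the value may be null; only the permission check matters here
            return true;
        }
        catch (SecurityException e)
        {
            return false;
        }
    }

    /** Persists a small Properties object, as the repro in the bug does; false on a security failure. */
    static boolean storeProperties()
    {
        Properties props = new Properties();
        props.setProperty("demo.key", "demo value");
        try (FileWriter writer = new FileWriter(PROPERTY_FILE_NAME))
        {
            props.store(writer, "written under a SecurityManager");
            return true;
        }
        catch (IOException e)
        {
            throw new IllegalStateException(e);
        }
        catch (SecurityException e)
        {
            return false;
        }
    }

    public static void main(String... args) throws IOException
    {
        // Write the policy before the manager is installed, while files can still be created freely.
        try (PrintWriter pw = new PrintWriter(POLICY_FILE_NAME))
        {
            pw.write(POLICY_TEXT);
        }

        // Point the default policy provider at our file and switch the manager on.
        System.setProperty("java.security.policy", "file:" + POLICY_FILE_NAME);
        System.setSecurityManager(new SecurityManager());

        System.out.println("SOURCE_DATE_EPOCH readable: " + canReadEnv("SOURCE_DATE_EPOCH"));
        System.out.println("HOME readable:              " + canReadEnv("HOME"));
        System.out.println("Properties.store() ok:      " + storeProperties());
    }
}
```

Run it with `java GetenvPermissionDemo` on a JDK 16 or earlier. `canReadEnv("SOURCE_DATE_EPOCH")` succeeds because the name is granted; `canReadEnv("HOME")` is refused because the default policy grants no `getenv.*` permission to application code. On a stock OpenJDK build `storeProperties()` succeeds whether or not the `getenv` grant is present; on a build patched to read `SOURCE_DATE_EPOCH` inside `Properties.store()`, that one `RuntimePermission` line is the minimal policy change that lets the store go through, which is why granting it is preferable to running without a SecurityManager or granting `AllPermission`.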
summary: Security exception raised by java.util.Properties.store() when using openjdk-16-jdk-headless → openjdk-16-jdk
tags: added: fr-3396
tags: added: reviewed
Changed in openjdk-11 (Debian):
status: Unknown → New
Status changed to 'Confirmed' because the bug affects multiple users.