[Spacewalk-list] OpenJDK update breaks taskomatic (1.2)

Sander Grendelman sander at grendelman.com
Wed Feb 23 10:18:43 UTC 2011


On Tue, Feb 22, 2011 at 09:27:25AM +0100, Lukas Zapletal wrote:
> On 02/21/2011 02:51 PM, Sander Grendelman wrote:
>> Hi List,
>>
>> Can anyone confirm that applying the latest OpenJDK security erratum
>> (RHSA-2011:0281) for rhel5.6 on i386 breaks the taskomatic daemon for
>> spacewalk 1.2?
>>
>> From /var/log/rhn/rhn_taskomatic_daemon.log
>>
>
> The reason is probably described in the errata details:
>
> It was found that the Java launcher provided by OpenJDK did not check  
> the LD_LIBRARY_PATH environment variable for insecure empty path  
> elements. A local attacker able to trick a user into running the Java  
> launcher while working from an attacker-writable directory could use  
> this flaw to load an untrusted library, subverting the Java security  
> model. (CVE-2010-4450)
>
> The workaround would be to include only one valid path in LD_LIBRARY_PATH.
> There are currently both lib and lib64 paths.

Hi Lukas,

I can confirm that removing the 64-bit paths from the java library path
in /etc/rhn/default/rhn_taskomatic_daemon.conf fixes this issue.
I don't know the inner workings of the tanuki wrapper but does it set
the LD_LIBRARY_PATH according to the java library path?


--- /etc/rhn/default/rhn_taskomatic_daemon.conf-broken	2011-02-23
11:12:16.000000000 +0100
+++ /etc/rhn/default/rhn_taskomatic_daemon.conf	2011-02-23
11:13:07.000000000 +0100
@@ -17,9 +17,10 @@
 # Java Library Path (location of Wrapper.DLL or libwrapper.so)
 # TODO need to make this work on AMD64 which would be /usr/lib64
 wrapper.java.library.path.1=/usr/lib
-wrapper.java.library.path.2=/usr/lib64
-wrapper.java.library.path.3=/usr/lib/oracle/10.2.0.4/client64/lib
-wrapper.java.library.path.4=/usr/lib/oracle/10.2.0.4/client/lib
+wrapper.java.library.path.2=/usr/lib/oracle/10.2.0.4/client/lib
+#wrapper.java.library.path.2=/usr/lib64
+#wrapper.java.library.path.3=/usr/lib/oracle/10.2.0.4/client64/lib
+#wrapper.java.library.path.4=/usr/lib/oracle/10.2.0.4/client/lib
 
 wrapper.java.classpath.1=/usr/share/java/tanukiwrapper.jar
 wrapper.java.classpath.2=/usr/share/rhn/classes
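
Review bot: the three commented-out "#wrapper.java.library.path.2/.3/.4" lines left below the new ".2" entry reuse index 2, so the file now shows two different values for ".2" and gives no reason why the 64-bit paths were dropped. Either delete the dead lines or replace them with a single comment stating the reason (the java library path stopped working with both lib and lib64 entries after RHSA-2011:0281 on i386). The "# TODO need to make this work on AMD64" comment above also needs updating, because after this change /usr/lib64 is not listed at all, and an x86_64 install would need the 64-bit entries in place of the 32-bit ones rather than alongside them.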



>
> LZ
>
> -- 
> Later,
>   Lukas "lzap" Zapletal
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
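
The erratum text quoted above concerns empty elements in a library search path, which the dynamic loader treats as the current working directory. The following is an added example, not part of the original message or of Spacewalk: two hypothetical shell helpers, wrapper_lib_path and audit_lib_path, that join the live wrapper.java.library.path.N entries of a wrapper config and flag empty or relative elements. Whether the Tanuki wrapper exports that joined value as LD_LIBRARY_PATH is the open question in the message and is only assumed here; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# wrapper_lib_path: read a Tanuki wrapper .conf on stdin and print the live
# (uncommented) wrapper.java.library.path.N values, in N order, joined by ':'.
wrapper_lib_path() {
    sed -n 's/^[[:space:]]*wrapper\.java\.library\.path\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p' |
        sort -n | cut -d' ' -f2- | paste -s -d: -
}

# audit_lib_path PATHSTRING: print "<position>:<kind>:<element>" for every
# element the dynamic loader would resolve against the current directory:
#   empty    - zero-length element (leading ':', trailing ':' or '::')
#   relative - element that does not start with '/'
# Returns 0 when the path is clean, 1 when anything was reported.
audit_lib_path() {
    [ -n "$1" ] || return 0          # empty variable: no elements to check
    rest="$1:"                       # sentinel ':' so the last element is seen
    pos=0
    found=0
    while [ -n "$rest" ]; do
        elem=${rest%%:*}             # text before the first ':'
        rest=${rest#*:}              # drop that element and its ':'
        pos=$((pos + 1))
        case $elem in
            "") echo "$pos:empty:"; found=1 ;;
            /*) ;;                   # absolute path: nothing to report
            *)  echo "$pos:relative:$elem"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: the two live entries from the fixed config in this
# message, plus a hypothetical blank third entry to show what gets flagged.
SAMPLE_CONF='wrapper.java.library.path.1=/usr/lib
wrapper.java.library.path.2=/usr/lib/oracle/10.2.0.4/client/lib
#wrapper.java.library.path.2=/usr/lib64
wrapper.java.library.path.3='
SAMPLE_PATH=$(printf '%s\n' "$SAMPLE_CONF" | wrapper_lib_path)
echo "path: $SAMPLE_PATH"
audit_lib_path "$SAMPLE_PATH" || echo "unsafe elements found"
```

To check a running service instead of the config file, pass the value found in /proc/PID/environ for that process to audit_lib_path.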



