Please update openjdk-lts to 11.0.20.1+1 and openjdk-17 to 17.0.8.1+1 to fix JDK-8313765

Bug #2032865 reported by Vladimir Petko
Affects                 | Status       | Importance | Assigned to | Milestone
openjdk-17 (Ubuntu)     | Fix Released | Undecided  | Unassigned  |
  Focal                 | Fix Released | Undecided  | Unassigned  |
  Jammy                 | Fix Released | Undecided  | Unassigned  |
  Lunar                 | Fix Released | Undecided  | Unassigned  |
  Mantic                | Fix Released | Undecided  | Unassigned  |
openjdk-lts (Ubuntu)    | Fix Released | Undecided  | Unassigned  |
  Focal                 | Fix Released | Undecided  | Unassigned  |
  Jammy                 | Fix Released | Undecided  | Unassigned  |
  Lunar                 | Fix Released | Undecided  | Unassigned  |
  Mantic                | Fix Released | Undecided  | Unassigned  |

Bug Description

[Background]

JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) was fixed in openjdk 11.0.20.1+1 and openjdk 17.0.8.1+1.
--------------
The following ZipException may be thrown when the data contained in the CEN Extra fields is problematic:

      Invalid CEN header (invalid zip64 extra data field size)

The ZipException may occur due to:

 1. Some releases of Ant and commons-compress create CEN Zip64 extra headers with a size of 0 when Zip64 mode is required
    - fixed in Commons-compress 1.11 (2016) and Ant 1.10.14 (2023).
 2. Extra field includes padding not included in the Extra data field headers
 3. The BND tool added problematic data to the extra field
    - fixed in BND 5.3 (2021) and maven-bundle-plugin 5.1.5, which includes BND 5.3

The issue can be demonstrated via the following ant script:

<?xml version="1.0"?>
<project name="zip 64 jar test" basedir="." default="jar">
    <property name="jarFile" value="test.jar"/>
    <property name="builddir" value="classes"/>

    <target name="jar">
        <jar destfile="${jarFile}"
             zip64mode="always"
             basedir="${builddir}"/>
    </target>
</project>
----------------
[1]
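As an added illustration (not code from this bug, the JDK, or Ant), the following Python checker walks a jar's central directory and reports the extra-field shapes listed above: a zero-length Zip64 block, a block that overruns the extra field, and trailing padding not covered by any block header. build_jar constructs a minimal one-entry archive with a caller-supplied CEN extra field so the checker can be exercised offline; the expected-length rule for Zip64 blocks is my simplified reading of the JDK validation, not the JDK's own code.

```python
import struct
import zlib

LOC_SIG, CEN_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
CEN_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory (CEN) header
ZIP64_EXTID = 0x0001            # extra-field tag of the Zip64 extended information block


def build_jar(cen_extra: bytes) -> bytes:
    """Constructed sample: a one-entry STORED archive whose CEN header carries cen_extra."""
    name, body = b"Test.class", b"constructed sample payload"
    crc = zlib.crc32(body)
    loc = struct.pack("<IHHHHHIIIHH", LOC_SIG, 20, 0, 0, 0, 0, crc, len(body), len(body), len(name), 0) + name + body
    cen = struct.pack(CEN_FMT, CEN_SIG, 20, 20, 0, 0, 0, 0, crc, len(body), len(body),
                      len(name), len(cen_extra), 0, 0, 0, 0, 0) + name + cen_extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cen), len(loc), 0)
    return loc + cen + eocd


def check_cen_extra_fields(data: bytes) -> list:
    """Walk the CEN and report Zip64 extra blocks that the tightened JDK validation would reject."""
    findings = []
    # Simplification: locate the EOCD by its signature; an archive comment containing it would fool this.
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    _, _, _, _, entries, _, pos, _ = struct.unpack_from("<IHHHHIIH", data, eocd)  # pos walks the CEN
    for _ in range(entries):
        f = struct.unpack_from(CEN_FMT, data, pos)
        sig, csize, size, nlen, xlen, clen, disk, locoff = (f[i] for i in (0, 8, 9, 10, 11, 12, 13, 16))
        if sig != CEN_SIG:
            raise ValueError(f"bad CEN signature at offset {pos}")
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        off = 0
        while off + 4 <= len(extra):  # each block: 2-byte tag, 2-byte length, payload
            tag, blen = struct.unpack_from("<HH", extra, off)
            off += 4
            if off + blen > len(extra):
                findings.append(f"{name}: extra block 0x{tag:04x} overruns the extra field")
                break
            if tag == ZIP64_EXTID:
                # Only CEN fields set to the Zip64 magic value live in the block (8 bytes each, 4 for the
                # disk number), so they determine the length a well-formed block should have (my approximation).
                expected = 8 * sum(v == 0xFFFFFFFF for v in (size, csize, locoff)) + 4 * (disk == 0xFFFF)
                if blen == 0:
                    findings.append(f"{name}: zero-length Zip64 extra block (the JDK-8313765 case)")
                elif blen != expected:
                    findings.append(f"{name}: Zip64 block is {blen} bytes but CEN fields imply {expected}")
            off += blen
        if off != len(extra):
            findings.append(f"{name}: {len(extra) - off} trailing padding byte(s) after the last extra block")
        pos += 46 + nlen + xlen + clen
    return findings
```

Running the checker over the jars an existing build produces tells you before the JDK upgrade which artifacts would start failing with the CEN error.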

[Impact]

This means that zip64 jar files made by older versions of commons-compress and, more importantly, Ant are not readable by the July security update JDKs (11.0.20 and 17.0.8). The user is unable to run existing software. The latest version of ant in the archive is 1.10.13 [2], which predates the Ant fix, so all relevant Ubuntu versions (bionic, focal, jammy, lunar, mantic) are affected.

The behaviour can be worked around by setting the jdk.util.zip.disableZip64ExtraFieldValidation system property, but this exposes the user to CVE-2023-22036 (a JDK crash when unpacking a malicious zip file), which is problematic for server-side workloads.

[Suggested Fix]

Release upstream versions 11.0.20.1+1 and 17.0.8.1+1 to affected versions - bionic (esm), focal, jammy, lunar, mantic.

[Test Plan]

Ensure that the test jar file can be run using the fixed version.
-----------------------
#!/bin/bash

for release in bionic focal jammy lunar mantic; do
  for jdk in openjdk-11-jdk-headless openjdk-17-jdk-headless; do
    echo "-------testing $release with $jdk"
    lxc launch "ubuntu-daily:$release" tester
    lxc exec tester -- apt-get update
    lxc exec tester -- apt-get -y install "$jdk" ant
    lxc file push validate-fix.sh tester/home/ubuntu/validate-fix.sh
    lxc exec tester -- /bin/bash /home/ubuntu/validate-fix.sh
    lxc stop tester
    lxc delete tester
    echo "-------DONE testing $release with $jdk"
  done
done
-----------------------
validate-fix.sh is attached to the bug.

[Where the problems can occur]

- Validate that the jar file still runs when the Security Manager is enabled and permission to read the 'jdk.util.zip.disableZip64ExtraFieldValidation' property is not granted.

[1] https://bugs.openjdk.org/browse/JDK-8313765
[2] https://launchpad.net/ubuntu/+source/ant

Revision history for this message
Vladimir Petko (vpa1977) wrote :

Reproducer for the issue.
----
$ ./validate-fix.sh
/tmp/tmp.VPUpz6BvYH ~/git/make-openjdk/extra-security-release
openjdk 17.0.8 2023-07-18
OpenJDK Runtime Environment (build 17.0.8+7-Ubuntu-123.04)
OpenJDK 64-Bit Server VM (build 17.0.8+7-Ubuntu-123.04, mixed mode, sharing)
Buildfile: /tmp/tmp.VPUpz6BvYH/build.xml

build:
    [javac] /tmp/tmp.VPUpz6BvYH/build.xml:4: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 1 source file to /tmp/tmp.VPUpz6BvYH/classes

jar:
      [jar] Building jar: /tmp/tmp.VPUpz6BvYH/test.jar

BUILD SUCCESSFUL
Total time: 0 seconds
1. Validation enabled and class not found due to the bug
Error: Could not find or load main class Test
Caused by: java.lang.ClassNotFoundException: Test
2. Validation disabled and class is found
Hello world!
--------------

Revision history for this message
Vladimir Petko (vpa1977) wrote :
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-lts - 11.0.20.1+1-0ubuntu1~22.04

---------------
openjdk-lts (11.0.20.1+1-0ubuntu1~22.04) jammy-security; urgency=medium

  * Upload to Ubuntu 22.04.

openjdk-lts (11.0.20.1+1-0ubuntu1) mantic; urgency=medium

  * OpenJDK 11.0.20.1 release, build 1.
    - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data
      field size) (LP: #2032865).
  * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE
    to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass.

 -- Vladimir Petko <email address hidden> Fri, 25 Aug 2023 10:33:08 +1200

Changed in openjdk-lts (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-17 - 17.0.8.1+1~us1-0ubuntu1~20.04

---------------
openjdk-17 (17.0.8.1+1~us1-0ubuntu1~20.04) focal-security; urgency=high

  * Upload to Ubuntu 20.04.

openjdk-17 (17.0.8.1+1~us1-0ubuntu1) mantic; urgency=high

  * OpenJDK 17.0.8.1 release, build 1.
    - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data
      field size) (LP: #2032865).
  * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE
    to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass.
  * d/p/exclude-broken-tests.patch: disable pkcs11 tests failing with
    NSS 3.91.
  * d/t/problems-armhf.txt: disable armf tests -
    java/util/Random/RandomTestBsi1999.java (deadlock in CI),
    java/net/httpclient/ManyRequestsLegacy.java (SSL request timeout).
  * Enable jtreg tests for bionic and focal.

 -- Vladimir Petko <email address hidden> Fri, 25 Aug 2023 10:55:19 +1200

Changed in openjdk-17 (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-lts - 11.0.20.1+1-0ubuntu1~23.04

---------------
openjdk-lts (11.0.20.1+1-0ubuntu1~23.04) lunar-security; urgency=medium

  * Upload to Ubuntu 23.04.

openjdk-lts (11.0.20.1+1-0ubuntu1) mantic; urgency=medium

  * OpenJDK 11.0.20.1 release, build 1.
    - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data
      field size) (LP: #2032865).
  * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE
    to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass.

 -- Vladimir Petko <email address hidden> Fri, 25 Aug 2023 10:33:45 +1200

Changed in openjdk-lts (Ubuntu Lunar):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-lts - 11.0.20.1+1-0ubuntu1~20.04

---------------
openjdk-lts (11.0.20.1+1-0ubuntu1~20.04) focal-security; urgency=medium

  * Upload to Ubuntu 20.04.

openjdk-lts (11.0.20.1+1-0ubuntu1) mantic; urgency=medium

  * OpenJDK 11.0.20.1 release, build 1.
    - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data
      field size) (LP: #2032865).
  * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE
    to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass.

 -- Vladimir Petko <email address hidden> Fri, 25 Aug 2023 10:32:31 +1200

Changed in openjdk-lts (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-17 - 17.0.8.1+1~us1-0ubuntu1~23.04

---------------
openjdk-17 (17.0.8.1+1~us1-0ubuntu1~23.04) lunar-security; urgency=high

  * Upload to Ubuntu 23.04.

openjdk-17 (17.0.8.1+1~us1-0ubuntu1) mantic; urgency=high

  * OpenJDK 17.0.8.1 release, build 1.
    - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data
      field size) (LP: #2032865).
  * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE
    to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass.
  * d/p/exclude-broken-tests.patch: disable pkcs11 tests failing with
    NSS 3.91.
  * d/t/problems-armhf.txt: disable armf tests -
    java/util/Random/RandomTestBsi1999.java (deadlock in CI),
    java/net/httpclient/ManyRequestsLegacy.java (SSL request timeout).
  * Enable jtreg tests for bionic and focal.

 -- Vladimir Petko <email address hidden> Fri, 25 Aug 2023 10:57:19 +1200

Changed in openjdk-17 (Ubuntu Lunar):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-17 - 17.0.8.1+1~us1-0ubuntu1~22.04

---------------
openjdk-17 (17.0.8.1+1~us1-0ubuntu1~22.04) jammy-security; urgency=high

  * Upload to Ubuntu 22.04.

openjdk-17 (17.0.8.1+1~us1-0ubuntu1) mantic; urgency=high

  * OpenJDK 17.0.8.1 release, build 1.
    - REGRESSION UPDATE: 8313765: Invalid CEN header (invalid zip64 extra data
      field size) (LP: #2032865).
  * d/t/jtreg-autopkgtest.{sh,in}: JDK-8232153 - set NSS_DEFAULT_DB_TYPE
    to let sun/security/pkcs11/Secmod/AddTrustedCert.java pass.
  * d/p/exclude-broken-tests.patch: disable pkcs11 tests failing with
    NSS 3.91.
  * d/t/problems-armhf.txt: disable armf tests -
    java/util/Random/RandomTestBsi1999.java (deadlock in CI),
    java/net/httpclient/ManyRequestsLegacy.java (SSL request timeout).
  * Enable jtreg tests for bionic and focal.

 -- Vladimir Petko <email address hidden> Fri, 25 Aug 2023 10:57:54 +1200

Changed in openjdk-17 (Ubuntu Jammy):
status: New → Fix Released
Vladimir Petko (vpa1977)
Changed in openjdk-lts (Ubuntu Mantic):
status: New → Fix Released
Changed in openjdk-lts (Ubuntu):
status: New → Fix Released
Changed in openjdk-17 (Ubuntu):
status: New → Fix Released
Changed in openjdk-17 (Ubuntu Mantic):
status: New → Fix Released