[Bug 2032865] [NEW] Please update openjdk-lts to 11.0.20.1+1 and openjdk-17 to 17.0.8.1+1 to fix JDK-8313765

Vladimir Petko 2032865 at bugs.launchpad.net
Thu Aug 24 01:56:56 UTC 2023


Public bug reported:

[Background]

JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) was fixed in openjdk 11.0.20.1+1 and openjdk 17.0.8.1+1. 
--------------
The following ZipException may be thrown when the data contained in the CEN Extra fields are problematic:

      Invalid CEN header (invalid zip64 extra data field size)


The ZipException may occur due to:

 1. Some releases of Ant and commons-compress create CEN Zip64 extra headers with a size of 0 when Zip64 mode is required
   - fixed in Commons-compress 1.11 (2016) and Ant 1.10.14 (2023).
 2. Extra field includes padding not included in the Extra data field headers
 3. The BND tool added problematic data to the extra field
    - fixed in BND 5.3 (2021) and maven-bundle-plugin 5.1.5 which includes BND 5.3


The issue can be demonstrated via the following Ant script:

<?xml version="1.0"?>
<project name="zip 64 jar test" basedir="." default="jar">
    <property name="jarFile" value="test.jar"/>
    <property name="builddir" value="classes"/>

    <target name="jar">
        <jar destfile="${jarFile}"
             zip64mode="always"
             basedir="${builddir}"/>
    </target>
</project>
---------------- 
[1]

[Impact]

This means that zip64 jar files made by older versions of commons-
compress and more importantly Ant are not readable by the July security
update JDKs (11.0.20 and 17.0.8). The user is unable to run existing
software. The latest version of ant in the archive is 1.10.13[2] which
means that all relevant Ubuntu versions (bionic, focal, jammy, lunar,
mantic) are affected.

The behaviour can be worked around with
jdk.util.zip.disableZip64ExtraFieldValidation, but this exposes the user
to CVE-2023-22036 (JDK crash when unpacking a malicious zip file), which
can be problematic for server-side workloads.


[Suggested Fix]

Release upstream versions 11.0.20.1+1  and 17.0.8.1+1 to affected
versions - bionic, focal, jammy, lunar, mantic.

[Test Plan]

Ensure that the test jar file can be run using the fixed version.

[Where the problems can occur]

- validate that the zip file can run when Security manager is enabled
and a permission to read 'jdk.util.zip.disableZip64ExtraFieldValidation'
is not granted


[1] https://bugs.openjdk.org/browse/JDK-8313765
[2] https://launchpad.net/ubuntu/+source/ant
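
Added example, not part of the original report and not OpenJDK's own validation code: a Python sketch that walks a jar's central directory (CEN) and flags causes 1 and 2 from the list above, so affected archives can be found and rebuilt instead of disabling validation. The names check_extra, scan_cen and make_sample are hypothetical, the sample archive is constructed, and the central directory is assumed to be locatable from the plain end-of-central-directory record.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG = b"PK\x05\x06", b"PK\x01\x02"
ZIP64_ID = 0x0001  # header ID of the Zip64 extended information block

def check_extra(extra):
    """Walk the (header ID, size, data) blocks of one CEN extra field."""
    findings, pos = [], 0
    while len(extra) - pos >= 4:
        hid, size = struct.unpack_from("<HH", extra, pos)
        if pos + 4 + size > len(extra):
            return findings + [f"block 0x{hid:04x} overruns the extra field"]
        if hid == ZIP64_ID and size == 0:
            findings.append("zip64 extra block with size 0")  # cause 1
        pos += 4 + size
    if pos < len(extra):  # cause 2: bytes not covered by any block header
        findings.append(f"{len(extra) - pos} trailing byte(s) outside any block")
    return findings

def scan_cen(data):
    """Return {entry name: findings} for entries with a suspect CEN extra field."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, offset = struct.unpack_from("<HII", data, eocd + 10)
    if count == 0xFFFF or offset == 0xFFFFFFFF:
        raise ValueError("central directory only locatable via Zip64 EOCD")
    report, pos = {}, offset
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad CEN signature at offset {pos}")
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        start = pos + 46  # fixed CEN header is 46 bytes, then name, extra, comment
        name = data[start:start + nlen].decode("utf-8", "replace")
        findings = check_extra(data[start + nlen:start + nlen + elen])
        if findings:
            report[name] = findings
        pos = start + nlen + elen + clen
    return report

def make_sample(extra):
    """Constructed archive: one entry whose extra field is `extra`."""
    buf, info = io.BytesIO(), zipfile.ZipInfo("A.class")
    info.extra = extra
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed")
    return buf.getvalue()
```

Padding of four or more zero bytes parses as empty blocks with header ID 0 and is not reported as trailing data by this sketch.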

** Affects: openjdk-17 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openjdk-lts (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openjdk-17 (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: openjdk-lts (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: openjdk-17 (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: openjdk-lts (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: openjdk-17 (Ubuntu Lunar)
     Importance: Undecided
         Status: New

** Affects: openjdk-lts (Ubuntu Lunar)
     Importance: Undecided
         Status: New

** Affects: openjdk-17 (Ubuntu Mantic)
     Importance: Undecided
         Status: New

** Affects: openjdk-lts (Ubuntu Mantic)
     Importance: Undecided
         Status: New

** Also affects: openjdk-lts (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: openjdk-lts (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: openjdk-17 (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: openjdk-lts (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: openjdk-17 (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: openjdk-lts (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: openjdk-17 (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: openjdk-lts (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: openjdk-17 (Ubuntu Focal)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openjdk-lts in Ubuntu.
https://bugs.launchpad.net/bugs/2032865
