Moderate severity · NVD Advisory · Published Aug 28, 2013 · Updated Apr 29, 2026
CVE-2013-2035
CVE-2013-2035
Description
Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.fusesource.hawtjni:hawtjni-runtime (Maven) | < 1.8 | 1.8 |
Affected products
- cpe:2.3:a:redhat:hawtjni:*:*:*:*:*:*:*:* (range: <=1.7)
- cpe:2.3:a:redhat:hawtjni:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hawtjni:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hawtjni:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hawtjni:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hawtjni:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hawtjni:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hawtjni:1.6:*:*:*:*:*:*:*
Patches
(1) 92c266170ce9 — Simplify shared lib extraction.
1 file changed · +29 −50
hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java+29 −50 modified@@ -9,13 +9,11 @@ *******************************************************************************/ package org.fusesource.hawtjni.runtime; -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.InputStream; +import java.io.*; import java.net.MalformedURLException; import java.net.URL; import java.util.ArrayList; +import java.util.Random; import java.util.regex.Pattern; /** @@ -206,16 +204,19 @@ final public String getLibraryFileName() { private boolean exractAndLoad(ArrayList<String> errors, String version, String customPath, String resourcePath) { URL resource = classLoader.getResource(resourcePath); if( resource !=null ) { - + String libName = name + "-" + getBitModel(); if( version !=null) { libName += "-" + version; } - + String []libNameParts = map(libName).split("\\."); + String prefix = libNameParts[0]+"-"; + String suffix = "."+libNameParts[1]; + if( customPath!=null ) { // Try to extract it to the custom path... - File target = file(customPath, map(libName)); - if( extract(errors, resource, target) ) { + File target = extract(errors, resource, prefix, suffix, file(customPath)); + if( target!=null ) { if( load(errors, target) ) { return true; } @@ -224,8 +225,8 @@ private boolean exractAndLoad(ArrayList<String> errors, String version, String c // Fall back to extracting to the tmp dir customPath = System.getProperty("java.io.tmpdir"); - File target = file(customPath, map(libName)); - if( extract(errors, resource, target) ) { + File target = extract(errors, resource, prefix, suffix, file(customPath)); + if( target!=null ) { if( load(errors, target) ) { return true; } 
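Review bot: Deriving the temp-file suffix with `map(libName).split("\\.")` in `exractAndLoad` takes the segment between the first and second dot, not the file extension. Once `version` holds a dotted value such as 1.8 (constructed example), `libNameParts[1]` is a fragment of the version and the extracted file loses its library extension; a mapped name with no dot at all raises ArrayIndexOutOfBoundsException, with no try block visible around it in this hunk. Cutting at the last dot keeps the extension: `String mapped = map(libName); int dot = mapped.lastIndexOf('.');`, `String prefix = (dot < 0 ? mapped : mapped.substring(0, dot)) + "-";`, `String suffix = dot < 0 ? null : mapped.substring(dot);` (a null suffix makes `File.createTempFile` fall back to `.tmp`). The tmpdir fallback in the next hunk passes the same `prefix` and `suffix`, so it is affected as well. The body of `map` and the rest of `exractAndLoad` lie outside these hunks, so what `map` returns per platform is assumed here.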
@@ -259,67 +260,45 @@ private String map(String libName) { return libName; } - private boolean extract(ArrayList<String> errors, URL source, File target) { - FileOutputStream os = null; - InputStream is = null; - boolean extracting = false; + private File extract(ArrayList<String> errors, URL source, String prefix, String suffix, File directory) { + File target = null; try { - if (!target.exists() || isStale(source, target) ) { + FileOutputStream os = null; + InputStream is = null; + try { + target = File.createTempFile(prefix, suffix, directory); is = source.openStream(); if (is != null) { byte[] buffer = new byte[4096]; os = new FileOutputStream(target); - extracting = true; int read; while ((read = is.read(buffer)) != -1) { os.write(buffer, 0, read); } - os.close(); - is.close(); chmod("755", target); } + target.deleteOnExit(); + return target; + } finally { + close(os); + close(is); } } catch (Throwable e) { - try { - if (os != null) - os.close(); - } catch (IOException e1) { - } - try { - if (is != null) - is.close(); - } catch (IOException e1) { - } - if (extracting && target.exists()) + if( target!=null ) { target.delete(); + } errors.add(e.getMessage()); - return false; } - return true; + return null; } - private boolean isStale(URL source, File target) { - - if( source.getProtocol().equals("jar") ) { - // unwrap the jar protocol... + static private void close(Closeable file) { + if(file!=null) { try { - String parts[] = source.getFile().split(Pattern.quote("!")); - source = new URL(parts[0]); - } catch (MalformedURLException e) { - return false; - } - } - - File sourceFile=null; - if( source.getProtocol().equals("file") ) { - sourceFile = new File(source.getFile()); - } - if( sourceFile!=null && sourceFile.exists() ) { - if( sourceFile.lastModified() > target.lastModified() ) { - return true; + file.close(); + } catch (Exception ignore) { } } - return false; } private void chmod(String permision, File path) {
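Review bot: The extracted library is filled in before its mode is tightened in the new `extract`: `File.createTempFile` creates the file with whatever the process umask permits, and `chmod("755", target)` runs only after the copy loop, so under a permissive umask the file can be group- or world-writable while it sits in a shared directory such as java.io.tmpdir. Restricting write access to the owner straight after creation removes the dependence on the umask: `target.setWritable(false, false);` followed by `target.setWritable(true, true);` before `source.openStream()` (both are `java.io.File` methods from Java 6 on). Separately, `errors.add(e.getMessage())` stores null for an exception without a message, and `String.valueOf(e)` would keep the exception type. The body of `chmod` starts at the last line of the hunk and is not visible, so whether a failed chmod is reported cannot be judged from here.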
References (20)
- github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5nvdExploitPatchWEB
- github.com/advisories/GHSA-49j7-qghp-5wj8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-2035ghsaADVISORY
- rhn.redhat.com/errata/RHSA-2013-1029.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-1784.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-1785.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-1786.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0029.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0245.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0254.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0400.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2015-0034.htmlnvdWEB
- www.osvdb.org/93411nvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- github.com/jline/jline2/issues/85nvdWEB
- github.com/jruby/jruby/issues/732nvdWEB
- secunia.com/advisories/53415nvd
- secunia.com/advisories/54108nvd
- secunia.com/advisories/57915nvd
- www.securitytracker.com/id/1029431nvd