Lucene - Core
  1. Lucene - Core
  2. LUCENE-5072

Fix frame injection bug in javadocs generated with Java 6 (and Java 7 prior u25)

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 4.3.1
    • Fix Version/s: 4.4, Trunk
    • Component/s: general/build
    • Labels:
      None
    • Lucene Fields:
      New

      Description

      The Apache Infra / Security team posted to all committers:

      Hi All,

      Oracle has announced [1], [2] a frame injection vulnerability in Javadoc generated by Java 5, Java 6 and Java 7 before update 22.

      [...]

      Please take the necessary steps to fix any currently published Javadoc and to ensure that any future Javadoc published by your project does not contain the vulnerability. The announcement by Oracle includes a link to a tool that can be used to fix Javadoc without regeneration.

      The infrastructure team is investigating options for preventing the publication of vulnerable Javadoc.

      The issue is public and may be discussed freely on your project's dev list.

      Thanks,

      Mark (ASF Infra)

      I fixed all published Javadocs on http://lucene.apache.org (for all historic releases where we have public available Javadocs on the web page).

      The mail also notes that we should not publish javadocs with this javadocs problem in the future. Unfortunately the release manager has to use the latest Java 7u25 version (released 2 days) ago. This would be fine for Lucene trunk (which is Java 7 only).

      But when we generate Javadocs JARs for Lucene 3 and 4, we cannot use Java 7 (to build the official release) because the javadocs would contain e.g. AutoCloaseable interface unless we use a JDK 6 or 5 bootclasspath (like we do for web pages).

      We also want the lucene/solr-*-javadoc.jar files to be correct, but those are built with Java 5 (3.x) or Java 6 (4.x).

      Unfortunately Oracle does not relaese a newer JDK 5 or JDK 6, so its impossible to do a release.

      But Oracle publishes the binary and source code of a "fix tool", that can be run on top of a tree of HTML files, patching all broken files (and only those). You can run it theoretically on the root folder of your harddisk - I did this on the whole lucene.apache.org web site.

      Robert Muir and I were looking for a IVY-compatible solution (the original Oracle tool cannot be automatically downloaded by IVY, as Oracle's website sets cookies and requests license confirmations). We found the following GITHUB project by olamy/karianna:

      https://github.com/AdoptOpenJDK/JavadocUpdaterTool

      As soon as they release the JAR file officially on Maven, we can download it with IVY and use it. This is a Maven Plugin, but it still contains the original source code of Oracle's tool, so we can execute it as ANT task after loading the JAR with IVY's coordinates: <java fork="false" class="..."/>

      In the GITHUB project description they note that you need JDK7 to use the tool, but this is no longer true, the -source/-target is Java 5 now, so we can run it easily.

      I will add the required tasks in common-build.xml's javadoc macro so it post-processes all javadocs and patches vulnerable files. If you build javadocs with a recent JDK, it would do nothing.

      1. LUCENE-5072.patch
        2 kB
        Uwe Schindler
      2. LUCENE-5072.patch
        2 kB
        Uwe Schindler
      3. LUCENE-5072.patch
        3 kB
        Uwe Schindler
      4. LUCENE-5072.patch
        3 kB
        Uwe Schindler

        Issue Links

          Activity

            People

            • Assignee:
              Uwe Schindler
              Reporter:
              Uwe Schindler
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development