Date: Tue, 13 Jun 2017 17:23:13 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: OpenJDK: java(1): untrusted search path

Running "java -help" can load code from a subdirectory of cwd:

   $ javac launcher_en.java
   $ mkdir -p sun/launcher/resources/
   $ mv launcher_en.class sun/launcher/resources/
   $ java -help
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

This happens because:

* By default (i.e. when CLASSPATH env var was unset and neither -cp nor
  -jar was specified), java sets "." as the user class path:
  https://docs.oracle.com/javase/8/docs/technotes/tools/findingclasses.html#userclass

* The help message is apparently supposed to be internationalized.

* The Java's localization machinery loads classes:
  https://docs.oracle.com/javase/8/docs/api/java/util/ResourceBundle.html

On Debian systems, jarwrapper (a binfmt-misc thing for running
executable jar files) is affected. It contains the following code:

   if java -d32 2>&1 | grep "does not support" > /dev/null; then
   ...

On 32-bit systems, this causes java to print the help message.

-- 
Jakub Wilk

View attachment "launcher_en.java" of type "text/x-java" (413 bytes)
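
A defensive sketch for wrapper scripts that call java as a probe, added here as an example; it is not part of the original post and not jarwrapper's or OpenJDK's own code. It assumes the files of interest match launcher*.class or launcher*.properties under sun/launcher/resources/ (the post shows only launcher_en.class), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: two checks against the "." default user class path issue.
# Assumption: launcher*.class / launcher*.properties in sun/launcher/resources/
# are the files that matter; the wildcard generalizes the post's launcher_en.class.

# Print files under DIR (default: cwd) that a java started in DIR with the
# default class path could load as launcher resource bundles.
# Returns 0 if any were found, 1 otherwise.
find_launcher_shadow() {
    fls_dir=${1:-.}/sun/launcher/resources
    fls_found=1
    for fls_f in "$fls_dir"/launcher*.class "$fls_dir"/launcher*.properties; do
        # An unmatched glob stays literal; skip it. Symlinks count as hits.
        [ -e "$fls_f" ] || [ -L "$fls_f" ] || continue
        printf '%s\n' "$fls_f"
        fls_found=0
    done
    return "$fls_found"
}

# Run a command from a freshly created, empty, private directory, so that a
# class path of "." cannot resolve to anything planted in the caller's cwd.
# The caller's own working directory is left unchanged.
run_in_empty_cwd() {
    rec_dir=$(mktemp -d) || return 1
    rec_rc=0
    ( cd "$rec_dir" && "$@" ) || rec_rc=$?
    rmdir "$rec_dir" 2>/dev/null
    return "$rec_rc"
}

# Usage in a wrapper, using the probe quoted in the post:
#   if run_in_empty_cwd java -d32 2>&1 | grep "does not support" > /dev/null; then
#       ...
#   fi
# Usage as an audit step before starting java in an untrusted directory:
#   if find_launcher_shadow .; then echo "refusing to run java here" >&2; fi
```

Running the probe from an empty directory follows from the post's explanation of the default class path; relative paths passed to the wrapped command would need to be made absolute first.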