Date: Tue, 13 Jun 2017 17:23:13 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: OpenJDK: java(1): untrusted search path

Running "java -help" can load code from a subdirectory of cwd:

   $ javac launcher_en.java
   $ mkdir -p sun/launcher/resources/
   $ mv launcher_en.class sun/launcher/resources/
   $ java -help
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||

This happens because:

* By default (i.e. when CLASSPATH env var was unset and neither -cp nor
  -jar was specified), java sets "." as the user class path:
  https://docs.oracle.com/javase/8/docs/technotes/tools/findingclasses.html#userclass

* The help message is apparently supposed to be internationalized.

* Java's localization machinery loads classes:
  https://docs.oracle.com/javase/8/docs/api/java/util/ResourceBundle.html

On Debian systems, jarwrapper (a binfmt-misc thing for running executable
jar files) is affected. It contains the following code:

   if java -d32 2>&1 | grep "does not support" > /dev/null; then
   ...

On 32-bit systems, this causes java to print the help message.

-- 
Jakub Wilk

View attachment "launcher_en.java" of type "text/x-java" (413 bytes)
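A defensive sketch for the situation described in the message above (an added example, not part of the original post and not jarwrapper's or OpenJDK's code): `find_launcher_shadow` lists files that would shadow the launcher's resource bundle when a directory is on the class path, and `run_java_isolated` runs the launcher from a fresh empty directory with the class path set explicitly. The function names and the `JAVA_BIN` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and JAVA_BIN are hypothetical.

# Print files under DIR (default ".") that would shadow the launcher's
# resource bundle if DIR is on the class path. ResourceBundle looks for
# launcher_<locale>.class before launcher_<locale>.properties, then falls
# back to the base name, so both kinds of file are reported.
find_launcher_shadow() {
    dir=${1:-.}
    for f in "$dir"/sun/launcher/resources/launcher*.class \
             "$dir"/sun/launcher/resources/launcher*.properties; do
        # An unmatched glob stays literal; -f filters it out.
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Run the java launcher from a newly created empty directory, with
# CLASSPATH pointing at that directory, so neither the default "." class
# path nor an inherited CLASSPATH refers to the caller's cwd.
# Suitable for probes such as "java -d32"; relative path arguments would
# no longer resolve against the caller's directory.
run_java_isolated() {
    empty=$(mktemp -d) || return 1
    rc=0
    ( cd "$empty" && CLASSPATH="$empty" "${JAVA_BIN:-java}" "$@" ) || rc=$?
    rmdir "$empty"
    return "$rc"
}
```

In a wrapper script the probe quoted in the post would become `run_java_isolated -d32 2>&1 | grep "does not support"`.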