Package: procyon-decompiler
Version: 0.6.0-1
Tags: security
Severity: grave
In the default configuration, procyon prepends the current working directory to the Java classpath. This is done in the shell script /usr/bin/procyon, which sets, apparently by mistake, CLASSPATH=$CLASSPATH:..., where $CLASSPATH is a usually-empty environment variable. An empty element in this context is interpreted by java as the current working directory.

This is potentially dangerous, especially for a decompiler, which is supposed to deal with untrusted code. In a possible bad scenario, a user (without a CLASSPATH environment variable, which is the Debian default) might try to decompile an untrusted malicious jar:

    wget ".../bad.jar"
    jar xf bad.jar
    procyon ...

Regardless of what command line arguments are given to procyon, if the extracted jar contained e.g. the jcommander class, then that class will get executed.
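The weak classpath construction described above, beside a version that never emits an empty element, as an added example that is not the Debian package's own /usr/bin/procyon script; the jar paths are placeholders, since the real jar list is not given in the report:

```shell
# Added example, not the actual /usr/bin/procyon wrapper.
# Jar paths are placeholders; the real jar list is not part of this report.

# Weak pattern: with CLASSPATH unset or empty this yields
# ":/usr/share/java/example.jar", and java reads the empty
# leading element as "." (the current working directory).
weak_classpath() {
    printf '%s\n' "$CLASSPATH:$1"
}

# Hardened: join only non-empty components, so no empty element
# (and therefore no implicit current working directory) reaches java.
# The equivalent one-line idiom is "${CLASSPATH:+$CLASSPATH:}$jar".
safe_classpath() {
    joined=""
    for entry in "$CLASSPATH" "$@"; do
        [ -n "$entry" ] || continue
        if [ -z "$joined" ]; then
            joined="$entry"
        else
            joined="$joined:$entry"
        fi
    done
    printf '%s\n' "$joined"
}

# Check a classpath for any empty element: leading ":", trailing ":",
# or "::" in the middle. Useful for auditing wrapper scripts.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}
```

Running `has_empty_element "$CLASSPATH"` against the classpath a wrapper actually hands to java is a quick check for this class of bug.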