Your message dated Sat, 06 Apr 2024 09:21:26 +0000 with message-id <e1rt2eo-001ytg...@fasolo.debian.org> and subject line "Bug#1068463: fixed in procyon 0.6.0-2" has caused the Debian Bug report #1068463, regarding "procyon: Untrusted code execution via cwd in classpath", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1068463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: procyon-decompiler
Version: 0.6.0-1
Tags: security
Severity: grave

In the default configuration, procyon prepends the current working directory to the java classpath. This is done in the shell script /usr/bin/procyon, which sets, apparently by mistake, CLASSPATH=$CLASSPATH:..., where $CLASSPATH is a usually empty environment variable - and an empty string in this context is interpreted as the current working directory by java.

This is potentially dangerous, especially with a decompiler, which is supposed to deal with untrusted code. In a possible bad scenario, a user (without the CLASSPATH environment variable, which is the Debian default) might try to decompile an untrusted malicious jar:

  wget ".../bad.jar"
  jar xf bad.jar
  procyon ...

Regardless of what command line arguments are given to procyon, if the extracted jar contained e.g. the jcommander class, then it will get executed.
--- End Message ---
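The classpath construction the report above describes, as an added example (not the Debian /usr/bin/procyon wrapper and not the 0.6.0-2 fix): the weak form beside a hardened form, plus a check a wrapper can run before invoking java. The jar path is an assumed, illustrative location.

```shell
#!/bin/sh
# Added example; not the Debian /usr/bin/procyon wrapper and not the 0.6.0-2 fix.
# The jar path below is an assumed, illustrative location.
PROCYON_JARS="/usr/share/java/procyon-decompiler.jar"

# The construction the report describes: an unconditional "$CLASSPATH:" prefix.
# With CLASSPATH unset or empty this yields ":<jars>", and java reads the empty
# element before the colon as the current working directory.
weak_classpath() {
    printf '%s' "$CLASSPATH:$1"
}

# Hardened construction: start from the wrapper's own jars and only append the
# user's CLASSPATH when it is actually set to something non-empty.
safe_classpath() {
    if [ -n "${CLASSPATH:-}" ]; then
        printf '%s' "$1:$CLASSPATH"
    else
        printf '%s' "$1"
    fi
}

# Check a classpath string for entries java resolves to the working directory:
# an empty element (leading ':', trailing ':', or '::') or an explicit ".".
# Returns 0 (true) when such an entry is present.
has_cwd_entry() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration with CLASSPATH unset, the Debian default the report mentions.
unset CLASSPATH
weak=$(weak_classpath "$PROCYON_JARS")
safe=$(safe_classpath "$PROCYON_JARS")
printf 'weak: %s\n' "$weak"   # weak: :/usr/share/java/procyon-decompiler.jar
printf 'safe: %s\n' "$safe"   # safe: /usr/share/java/procyon-decompiler.jar
if has_cwd_entry "$weak"; then echo "weak classpath includes the cwd"; fi
if has_cwd_entry "$safe"; then echo "safe classpath includes the cwd"; fi
```

A user-supplied CLASSPATH that itself contains an empty element or "." is still appended as given; has_cwd_entry flags that case so the wrapper can warn or refuse instead of silently loading classes from the working directory.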
--- Begin Message ---
Source: procyon
Source-Version: 0.6.0-2
Done: Emmanuel Bourg <ebo...@apache.org>

We believe that the bug you reported is fixed in the latest version of procyon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1068...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated procyon package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2024 10:46:00 +0200
Source: procyon
Architecture: source
Version: 0.6.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Closes: 1068463
Changes:
 procyon (0.6.0-2) unstable; urgency=medium
 .
   * Prevent untrusted code execution from the command line (Closes: #1068463)
--- End Message ---