Your message dated Sat, 06 Apr 2024 09:21:26 +0000
with message-id <e1rt2eo-001ytg...@fasolo.debian.org>
and subject line Bug#1068463: fixed in procyon 0.6.0-2
has caused the Debian Bug report #1068463,
regarding procyon: Untrusted code execution via cwd in classpath
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: procyon-decompiler
Version: 0.6.0-1
Tags: security
Severity: grave

In the default configuration, procyon prepends the current working directory
to the java classpath.
This is done in the shell script /usr/bin/procyon, which sets, apparently
by mistake, CLASSPATH=$CLASSPATH:..., where $CLASSPATH is a usually
empty environment variable - and an empty string in this context is
interpreted as the current working directory by java.

This is potentially dangerous, especially with a decompiler, which is
supposed to deal with untrusted code. In a possible bad scenario, a user
(without CLASSPATH environment variable, which is the debian default)
might try to decompile an untrusted malicious jar:

wget ".../bad.jar"
jar xf bad.jar
procyon ...

Regardless of what command line arguments are given to procyon,
if the extracted jar contains e.g. the jcommander class, then
it will get executed.

--- End Message ---
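The classpath construction the report describes, as an added example that is not the package's own /usr/bin/procyon wrapper: the weak form (`$CLASSPATH:...` with CLASSPATH unset) carries an empty leading element, which java resolves to the current working directory, while the hardened form only prepends CLASSPATH when it is non-empty. The jar locations in PROCYON_JARS are assumed placeholders, and has_empty_element is a check you can run over any wrapper's computed classpath before launching java.

```shell
#!/bin/sh
# Added example; not the Debian procyon wrapper script.
# Jar locations below are assumed placeholders, not the package's real paths.
PROCYON_JARS="/usr/share/java/procyon-decompiler.jar:/usr/share/java/jcommander.jar"

# Weak pattern from the bug report: CLASSPATH is always prepended, so an
# unset or empty CLASSPATH yields ":/usr/share/java/...", and java treats
# the empty leading element as ".".
weak_classpath() {
    printf '%s' "${CLASSPATH:-}:${PROCYON_JARS}"
}

# Hardened pattern: only prepend CLASSPATH when it actually holds something.
safe_classpath() {
    if [ -n "${CLASSPATH:-}" ]; then
        printf '%s' "${CLASSPATH}:${PROCYON_JARS}"
    else
        printf '%s' "${PROCYON_JARS}"
    fi
}

# Check: does a classpath string contain an empty element (leading ":",
# trailing ":", or "::")? Java resolves every such element to the current
# working directory. Returns 0 (true) when one is present, 1 otherwise.
# Wrapping the value in ":" turns each boundary case into a "::" match.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with CLASSPATH unset, which the report notes is the
# Debian default for an ordinary user session.
unset CLASSPATH
echo "weak: $(weak_classpath)"
echo "safe: $(safe_classpath)"
if has_empty_element "$(weak_classpath)"; then
    echo "weak form contains an empty element (cwd would be searched)"
fi
if has_empty_element "$(safe_classpath)"; then
    echo "safe form contains an empty element"
else
    echo "safe form has no empty element"
fi
```

The same check applies to a classpath assembled any other way: feed the final string to has_empty_element and refuse to launch java if it returns 0, since that is the condition under which a class from the directory the user happens to be in can shadow the decompiler's own classes.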
--- Begin Message ---
Source: procyon
Source-Version: 0.6.0-2
Done: Emmanuel Bourg <ebo...@apache.org>

We believe that the bug you reported is fixed in the latest version of
procyon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated procyon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2024 10:46:00 +0200
Source: procyon
Architecture: source
Version: 0.6.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Closes: 1068463
Changes:
 procyon (0.6.0-2) unstable; urgency=medium
 .
   * Prevent untrusted code execution from the command line (Closes: #1068463)
Checksums-Sha1:
 a81914368787af40ac2ca79a0c10433f263ae7cf 2126 procyon_0.6.0-2.dsc
 2356ad74e4f3d3120d4fb6567274d139c938db80 8352 procyon_0.6.0-2.debian.tar.xz
 494205d5b18a9550ef3168058ba99de961859d0c 16872 procyon_0.6.0-2_source.buildinfo
Checksums-Sha256:
 110e78a5f31f17fa10793498be633bd6e5713264584b4cfdf35bdf3cdb3ba691 2126 procyon_0.6.0-2.dsc
 1a0fdea456430d40370f3ab8a1bfc8036427cd8c9eeb0b3c41b1be290637d30d 8352 procyon_0.6.0-2.debian.tar.xz
 f361ec278567bb4f95f40efa87804af890e928277126dca59fca9872cc92d8a1 16872 procyon_0.6.0-2_source.buildinfo
Files:
 88699c5c3e942ae1ffbb4bfe9cb07f13 2126 java optional procyon_0.6.0-2.dsc
 8eaaab4134da64ba14feec086274367b 8352 java optional procyon_0.6.0-2.debian.tar.xz
 3c28b430258f0e6a55d70e803043e5b1 16872 java optional procyon_0.6.0-2_source.buildinfo



--- End Message ---