← Back to team overview

openjdk team mailing list archive

  1. openjdk team
  2. Mailing list archive
  3. Message #10302

Bug#754278: openjdk-7-jdk: relative directories in RPATH

  Thread PreviousDate PreviousThread Next 
Package: openjdk-7-jdk
Version: 7u60-2.5.0-1
Severity: important
Tags: security
Binaries in /usr/lib/jvm/java-7-openjdk-i386/bin/ have their RPATH set to relative directories: 
bootstrap/jre/lib/i386
bootstrap/jre/lib/i386/jli
bootstrap/lib/i386
This means that the aforementioned tools cannot be securely used if cwd is world-writable (e.g. /tmp). If local malicious user planted a trojaned library there, the tools would happily load it. 


-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openjdk-7-jdk depends on:
ii  libc6          2.19-5
ii  libx11-6       2:1.6.2-2
ii  openjdk-7-jre  7u60-2.5.0-1

Versions of packages openjdk-7-jdk recommends:
ii  libxt-dev  1:1.1.4-1

--
Jakub Wilk

Follow ups

  Thread PreviousDate PreviousThread Next