openjdk team mailing list archive

[Jakub Wilk <jwilk@xxxxxxxxxx>]

* Matthias Klose <doko@xxxxxxxxxx>, 2014-07-17, 23:39:
> > Binaries in /usr/lib/jvm/java-7-openjdk-i386/bin/ have their RPATH set 
> > to relative directories:
> > bootstrap/jre/lib/i386
> > bootstrap/jre/lib/i386/jli
> > bootstrap/lib/i386
> >
> > This means that the aforementioned tools cannot be securely used if 
> > cwd is world-writable (e.g. /tmp). If local malicious user planted a 
> > trojaned library there, the tools would happily load it.
>
> how did you do this analysis,

There's not much to analyse here.

> and how can I reproduce this?

Run one of the affected executables under strace, and notice the 
attempts of loading shlibs from a subdirectory of the current working 
directory:

$ strace -e open -o '| grep bootstrap' /usr/lib/jvm/java-7-openjdk-i386/bin/jinfo
open("bootstrap/jre/lib/i386/jli/tls/i686/sse2/cmov/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/i686/sse2/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/i686/cmov/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/i686/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/sse2/cmov/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
...

--
Jakub Wilk