* Matthias Klose <d...@ubuntu.com>, 2014-07-17, 23:39:
>> Binaries in /usr/lib/jvm/java-7-openjdk-i386/bin/ have their RPATH set to relative directories:
>> bootstrap/jre/lib/i386
>> bootstrap/jre/lib/i386/jli
>> bootstrap/lib/i386
>>
>> This means that the aforementioned tools cannot be securely used if cwd is world-writable (e.g. /tmp). If a local malicious user planted a trojaned library there, the tools would happily load it.
>
> how did you do this analysis,

There's not much to analyse here.

> and how can I reproduce this?

Run one of the affected executables under strace, and notice the attempts of loading shlibs from a subdirectory of the current working directory:

$ strace -e open -o '| grep bootstrap' /usr/lib/jvm/java-7-openjdk-i386/bin/jinfo
open("bootstrap/jre/lib/i386/jli/tls/i686/sse2/cmov/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/i686/sse2/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/i686/cmov/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/i686/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("bootstrap/jre/lib/i386/jli/tls/sse2/cmov/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
...

--
Jakub Wilk
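
Added example, not part of the original message or of the OpenJDK packaging: a static check that complements the strace run by flagging RPATH/RUNPATH entries that the dynamic loader would resolve against the current working directory. It parses `readelf -d` output; the sample input is constructed from the three directories named in the report, and `/usr/lib/jvm/example` is a made-up absolute entry added for contrast.

```python
import re
import subprocess
import sys

# Rows of interest in `readelf -d` output look like:
#  0x0000000f (RPATH)    Library rpath: [dir1:dir2]
DYN_ROW = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

def cwd_relative_entries(search_path):
    """Return the entries of an RPATH/RUNPATH string that resolve against cwd."""
    flagged = []
    for entry in search_path.split(":"):
        if entry.startswith("/"):
            continue  # absolute directory
        if entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # anchored to the binary's own directory, not cwd
        # glibc treats an empty entry as the current directory
        flagged.append(entry or ".")
    return flagged

def audit(readelf_dynamic_output):
    """Map each RPATH/RUNPATH tag in `readelf -d` output to its cwd-relative entries."""
    findings = {}
    for tag, value in DYN_ROW.findall(readelf_dynamic_output):
        bad = cwd_relative_entries(value)
        if bad:
            findings.setdefault(tag, []).extend(bad)
    return findings

# Constructed sample (not captured from a real binary): the report's three
# directories in one RPATH row, plus a hypothetical absolute entry.
SAMPLE = """\
 0x00000001 (NEEDED)                     Shared library: [libpthread.so.0]
 0x0000000f (RPATH)                      Library rpath: [/usr/lib/jvm/example:bootstrap/jre/lib/i386:bootstrap/jre/lib/i386/jli:bootstrap/lib/i386]
"""

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(audit(SAMPLE))
    # With arguments: audit real ELF files (requires binutils' readelf).
    for path in sys.argv[1:]:
        out = subprocess.run(["readelf", "-d", path],
                             capture_output=True, text=True).stdout
        for tag, bad in audit(out).items():
            print(f"{path}: {tag} has cwd-relative entries: {bad}")
```

Run it with the paths of the binaries to audit as arguments, or with no arguments to see the result for the constructed sample.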

