[Libreoffice-bugs] [Bug 134248] New: JURT and JUH JARs contain bad class path declaration

Tue Jun 23 07:41:46 UTC 2020

https://bugs.documentfoundation.org/show_bug.cgi?id=134248

            Bug ID: 134248
           Summary: JURT and JUH JARs contain bad class path declaration
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: sdk
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: alexander.veit at unitedplanet.com

This is actually two bugs. The most serious is

1.) The Class-Path declaration in the respective META-INF/MANIFEST.MF files
contains ../ as an entry. This does not make sense and has the potential to
screw up IDEs and runtime deployments by adding completely unrelated parts of
the file system to the class path[1]. It may also qualify as a security issue.

2.) Class-Path also contains entries like "ridl.jar unoloader.jar". This does
not make sense either. These JARs normally do not extist since they are usually
distributed[2] with a version suffix in the file name, e.g. ridl-6.4.3.jar.

The best solution to solve this issue is probably to remove the Class-Path
entry from the MANIFEST.MF files altogether.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=563819
[2] https://repo1.maven.org/maven2/org/libreoffice/juh/6.4.3/

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20200623/06c6f8bd/attachment.htm>