<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <br>
    <br>
    <div class="moz-cite-prefix">On 18/01/2021 21:29, Bernd wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CABOR3+wdCK-Pm+iLCBjbyi3gfUm5V-ZEVp_AdwWNozg9gES6VA@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">Hello,
              <div><br>
              </div>
              <div>bad news everyone. The second Windows Filesystem
                related security bug reported by <span
                  style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px">Jonas Lykkegaard
                  which allows crashing Windows with an unprivileged
                  read access also affects JVM and it is not filtered by
                  Path.of. Which means both new File(bad).exists() and
                  Files.readAllLines(Path.of(bad)) will crash Windows
                  immediately.</span></div>
              <div><span
                  style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px"><br>
                </span></div>
              <div><span
                  style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px">I verified this on
                  the latest Windows Server 2019 January Security
                  Update.</span></div>
              <div><span
                  style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px"><br>
                </span></div>
              <div><span
                  style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px">var bad = "\\</span><span
style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px">\\.\\globalroot\\device\\condrv\\kernelconnect</span><span
style="color:rgb(51,51,51);font-family:Georgia,"Bitstream
                  Charter",serif;font-size:16px">"</span></div>
              <br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    BSOD issues should be reported to Microsoft. If there is any
    suggestion of a JDK bug here then it should be reported to
    <a class="moz-txt-link-abbreviated" href="mailto:vuln-report@openjdk.java.net">vuln-report@openjdk.java.net</a>. We (at least Oracle engineers) cannot
    engage in any discussion of vulnerability issues here.<br>
    <br>
    -Alan<br>
  </body>
</html>