#1068463 procyon: Untrusted code execution via cwd in classpath

#1068463#5
Date:
2024-04-05 15:09:54 UTC
In the default configuration, procyon prepends the current working directory
to the java classpath.
This is done in the shell script /usr/bin/procyon, which sets, apparently
by mistake, CLASSPATH=$CLASSPATH:..., where $CLASSPATH is a usually
empty environment variable, and an empty string in this context is
interpreted as the current working directory by java.

This is potentially dangerous, especially with a decompiler, which is
supposed to deal with untrusted code. In a possible bad scenario, a user
(without a CLASSPATH environment variable, which is the Debian default)
might try to decompile an untrusted malicious jar:

wget ".../bad.jar"
jar xf bad.jar
procyon ...

Regardless of what command line arguments are given to procyon,
if the extracted jar contained e.g. the jcommander class, then
it would get executed.
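A shell illustration of the classpath issue described above, added here and not taken from the bug report, the Debian wrapper script or the fix commit: the weak construction beside two hardened forms and a check that flags an implicit working-directory element. The jar path is a placeholder, and the hardened forms are one way to avoid the bug, not necessarily what the Debian commit did.

```shell
#!/bin/sh
# Added example, not the real /usr/bin/procyon script.
# /usr/share/java/procyon.jar is a placeholder jar path.

# Weak: the pattern from the report. $1 stands for the existing
# $CLASSPATH; when it is unset or empty the result starts with ':'
# and java reads that empty element as the current working directory.
weak_classpath() {
    printf '%s' "$1:/usr/share/java/procyon.jar"
}

# Hardened (idiom): only emit the separator when $1 is non-empty,
# so an unset CLASSPATH yields just the packaged jar.
fixed_classpath() {
    printf '%s' "${1:+$1:}/usr/share/java/procyon.jar"
}

# Hardened (general): join an arbitrary list of elements, dropping
# empty ones, so no leading, trailing or doubled ':' can appear.
safe_classpath() {
    cp=""
    for elem in "$@"; do
        [ -n "$elem" ] || continue
        if [ -z "$cp" ]; then cp="$elem"; else cp="$cp:$elem"; fi
    done
    printf '%s' "$cp"
}

# Detection: succeed (return 0) if a classpath string contains an
# empty element, i.e. it silently includes the working directory.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}
```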

#1068463#8
Date:
2024-04-06 08:46:43 UTC
Hello,

Bug #1068463 in procyon reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/procyon/-/commit/5d917ba977596412dd3b207a9195c78390cadc7b

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1068463

#1068463#15
Date:
2024-04-06 09:21:26 UTC
We believe that the bug you reported is fixed in the latest version of
procyon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068463@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated procyon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 06 Apr 2024 10:46:00 +0200
Source: procyon
Architecture: source
Version: 0.6.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Closes: 1068463
Changes:
 procyon (0.6.0-2) unstable; urgency=medium
 .
   * Prevent untrusted code execution from the command line (Closes: #1068463)