needs to block non-executable files from executing

Bug #506702 reported by Kees Cook on 2010-01-12
This bug affects 2 people
Affects                 Importance  Assigned to
mime-support (Ubuntu)   High        Kees Cook
nautilus (Ubuntu)       High        Kees Cook
openjdk-6 (Ubuntu)      High        Kees Cook
sun-java6 (Ubuntu)      High        Kees Cook
wine (Ubuntu)           High        Kees Cook
wine1.2 (Ubuntu)        High        Kees Cook

Bug Description

Binary package hint: nautilus

Following the ratification of the "Execute-Permission Bit Required" security policy, several packages need to have their mime handlers updated to reject opening of various file types that are actually executables when they lack the execute bit.
https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required

Kees Cook (kees) wrote :

The major thing to look for is .desktop files that trigger off of MimeTypes, yet actually run the target file. For example /usr/share/applications/openjdk-6-java.desktop:

...
Exec=/usr/lib/jvm/java-6-openjdk/bin/java -jar
...
MimeType=application/x-java-archive;application/java-archive;application/x-jar;

This leads to executing the JAR file, even when it lacks the execute bit.

Changed in nautilus (Ubuntu):
status: New → Confirmed
Changed in wine (Ubuntu):
status: New → Confirmed
Changed in sun-java6 (Ubuntu):
importance: Undecided → High
Changed in openjdk-6 (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in nautilus (Ubuntu):
importance: Undecided → High
Changed in wine (Ubuntu):
importance: Undecided → High
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
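
As an added illustration of the check described above (this is example code, not the mime-support cautious-launcher script or any patch from this bug), a minimal POSIX shell wrapper that a MIME handler could be routed through: the handler command is run on a file only if the file lives under /usr or /opt (the prefixes the mime-support changelog names) or the file carries an execute bit. The function names, the exit status 77 for a refused launch and the handler-last argument order are assumptions of the example.

```shell
#!/bin/sh
# Example launcher enforcing the "Execute-Permission Bit Required" policy.
# Not the real cautious-launcher; names and exit codes are assumed here.
#
# Usage: cautious_launch FILE HANDLER [HANDLER_ARGS...]
#   e.g. cautious_launch /tmp/foo.jar java -jar
# The handler is only invoked when policy_allows FILE succeeds.

# is_trusted_path FILE: true when FILE sits in a system-managed prefix.
# Paths under /usr and /opt are installed by packages, so their contents
# are trusted regardless of mode bits (assumption taken from the changelog).
is_trusted_path() {
    case "$1" in
        /usr/*|/opt/*) return 0 ;;
        *) return 1 ;;
    esac
}

# policy_allows FILE: true when launching FILE is permitted, i.e. the file
# is in a trusted prefix or has an execute bit set for this user.
policy_allows() {
    if is_trusted_path "$1"; then
        return 0
    fi
    [ -x "$1" ]
}

# cautious_launch FILE HANDLER [ARGS...]: run "HANDLER ARGS... FILE" only when
# the policy allows it; otherwise report on stderr and return 77 (assumed).
cautious_launch() {
    file="$1"
    shift
    if policy_allows "$file"; then
        "$@" "$file"
        return $?
    fi
    printf 'refusing to open %s: not under /usr or /opt and lacks execute bit\n' \
        "$file" >&2
    return 77
}

# When invoked directly with arguments, behave as the launcher.
case "${1:-}" in
    "") ;;
    *) cautious_launch "$@" ;;
esac
```

A production launcher would canonicalize the path first (for example with readlink -f on GNU systems) so that a symlink in a download directory pointing into /usr is judged by where it points, and would surface the refusal to the desktop user rather than only on stderr.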
Scott Ritchie (scottritchie) wrote :

I have a near implementation of the executable-handler that we discussed at UDS-Karmic. Java, Wine, et al. shouldn't be opening these without execute bit "permission", however having executable-handler open them would be an acceptable default as it doesn't actually run them. Right now the current design is to scan them for viruses and inform the user what happened.

Kees Cook (kees) wrote :

My first-pass at Wine is here: http://people.canonical.com/~kees/wine_1.0.1-0ubuntu10.debdiff I intend to move wine-desktop-launcher into a generic script that will live in mime-support so that the other packages can call it too.

Kees Cook (kees) on 2010-01-14
Changed in nautilus (Ubuntu):
status: Confirmed → In Progress
Changed in sun-java6 (Ubuntu):
status: Confirmed → In Progress
Changed in openjdk-6 (Ubuntu):
status: Confirmed → In Progress
Changed in wine (Ubuntu):
status: Confirmed → In Progress
Changed in mime-support (Ubuntu):
status: New → In Progress
importance: Undecided → High
Kees Cook (kees) on 2010-01-15
Changed in mime-support (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in nautilus (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in openjdk-6 (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in sun-java6 (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in wine (Ubuntu):
assignee: nobody → Kees Cook (kees)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mime-support - 3.48-1ubuntu1

---------------
mime-support (3.48-1ubuntu1) lucid; urgency=low

  * Add "cautious-launcher" for handling execution of files that are
    outside /usr and /opt (LP: #506702).
 -- Kees Cook <email address hidden> Wed, 13 Jan 2010 22:31:40 -0800

Changed in mime-support (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wine - 1.0.1-0ubuntu10

---------------
wine (1.0.1-0ubuntu10) lucid; urgency=low

  * debian/{control,*.lpia}: removed lpia arch since it is not supported.
  * implement an execute bit checker for the Ubuntu Non-Exec Policy
    (LP: #506702):
    - debian/wine.mime: update mime handlers to use new launcher.
    - debian/patches/nonexec-launcher.diff: use new launcher for desktop file.
 -- Kees Cook <email address hidden> Tue, 12 Jan 2010 11:41:38 -0800

Changed in wine (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b17-0ubuntu2

---------------
openjdk-6 (6b17-0ubuntu2) lucid; urgency=low

  * implement an execute bit checker for the Ubuntu Non-Exec Policy
    (LP: #506702):
    - debian/JB-java.desktop.in: update mime handler to use new launcher.
 -- Kees Cook <email address hidden> Fri, 15 Jan 2010 17:01:46 -0800

Changed in openjdk-6 (Ubuntu):
status: In Progress → Fix Released
Johan Kiviniemi (ion) wrote :

Malicious software in Windows has been known to try getting past simple file type checks by spreading a zip file containing the actual executable.

In our case, a user could get a tarball containing an executable with the +x bit set from a malicious user.

Perhaps make file-roller ask the user before unpacking archives that have the executable bit set.
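
One way an unpacking tool could decide whether to prompt, as an added example rather than code from file-roller or from this bug: list the regular-file entries of a tar archive whose recorded mode includes an execute bit, before anything is written to disk. The function names are assumptions; only tar archives are handled, and the awk field parsing assumes entry names without spaces.

```shell
#!/bin/sh
# Example pre-unpack check for executables inside an archive (not file-roller
# code; function names are assumed). Uses "tar -tvf", whose first field is
# the mode string (e.g. -rwxr-xr-x) and whose last field is the entry name.

# list_executable_entries ARCHIVE: print names of regular files inside the
# tar archive that have any execute bit set. Directories (mode starts with
# "d") are skipped because their x bit only means "searchable".
list_executable_entries() {
    tar -tvf "$1" | awk '$1 ~ /^-/ && $1 ~ /x/ { print $NF }'
}

# count_executable_entries ARCHIVE: number of such entries, which a front end
# could use to decide whether to ask the user before extracting.
count_executable_entries() {
    list_executable_entries "$1" | wc -l | tr -d ' '
}

# When invoked directly with an archive path, report what would trigger a prompt.
case "${1:-}" in
    "") ;;
    *)
        n=$(count_executable_entries "$1")
        if [ "$n" -gt 0 ]; then
            printf '%s: %s executable entr(y/ies) would be created:\n' "$1" "$n"
            list_executable_entries "$1"
        else
            printf '%s: no executable entries\n' "$1"
        fi
        ;;
esac
```

Checking the archive listing rather than the extracted files means the decision is made before the +x files exist on disk, which is the point of the prompt Johan proposes.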

Kees Cook (kees) wrote :

On 19.01.2010 16:46, Kees Cook wrote:
>
> ** Attachment added: "sun-java6_6-16-1ubuntu1.debdiff"
> http://launchpadlibrarian.net/38089345/sun-java6_6-16-1ubuntu1.debdiff

Having the patch in this form is a major pain for uploads to older releases.
Please conditionalize this not to apply for anything else than lucid and newer.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wine1.2 - 1.1.36-0ubuntu2

---------------
wine1.2 (1.1.36-0ubuntu2) lucid; urgency=low

  * Port to Lucid
  * Port Kees' changes from wine package:
    * debian/{control,*.lpia}: removed lpia arch since it is not supported.
    * debian/rules: support "parallel=N" in DEB_BUILD_OPTIONS.
    * implement an execute bit checker for the Ubuntu Non-Exec Policy
    (LP: #506702):
      - debian/wine1.2.mime: update mime handlers to use new launcher.
        - fix a typo in kees patch that removed x-winexe mimetype.
      - debian/patches/nonexec-launcher.diff: use new launcher for desktop file.
    * debian/wine1.2.{postinst,preinst,postrm}: clean up old static sysctl
      files (LP: #352119).
    * debian/control, debian/wine1.2.{templates,config,postinst,postrm}: add
      debconf question for selecting a sensible mmap_min_addr system setting
      (LP: #475540).
  * debian/wine1.2.{postinst,postrm}:
    - use "start procps || true" instead of invoke-rc.d (LP: #447197)
  * debian/control: update text in wine, wine-dev, and wine-gecko to say that
    its for easing wine upgrades and not just for PPA users now.
 -- Scott Ritchie <email address hidden> Sat, 16 Jan 2010 17:12:15 -0800

Changed in wine1.2 (Ubuntu):
status: New → Fix Released
Kees Cook (kees) on 2010-01-26
Changed in wine1.2 (Ubuntu):
importance: Undecided → High
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) on 2010-01-31
Changed in sun-java6 (Ubuntu):
status: In Progress → Fix Committed
Kees Cook (kees) on 2010-02-09
Changed in nautilus (Ubuntu):
status: In Progress → Fix Released
Matthias Klose (doko) wrote :

Fixed sun-java6 in lucid

Changed in sun-java6 (Ubuntu):
status: Fix Committed → Fix Released
Savvas Radevic (medigeek) wrote :

I think that this fix has just caused a bug on sun java6:
https://bugs.launchpad.net/bugs/568707

Savvas Radevic (medigeek) wrote :

er.. sorry, not entirely related :)

Fred (eldmannen+launchpad) wrote :

Should this apply to interpreted script files too?

Such as Python, Ruby, and Perl scripts?
