code from privileged sources executed with restricted permissions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openjdk-6 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
When executing a Java applet or calling Java directly from Firefox chrome:// code (e.g., Firefox extensions), the code should be granted AllPermissions. Given that chrome:// code has shell execution privileges, this is not a security hole. Permissions are handled properly by the Sun NPRuntime Java plug-in, and were handled mostly properly by the old OJI/LiveConnect plug-in.
Running the following from a Firefox overlay:
new java.net.
produces the following error in icedtea6-
java.lang.
at sun.reflect.
at sun.reflect.
at sun.reflect.
at java.lang.
at sun.applet.
at java.security.
at sun.applet.
at sun.applet.
at sun.applet.
at sun.applet.
Caused by: java.security.
at java.security.
at java.security.
at java.lang.
at net.sourceforge
at java.lang.
at java.lang.
at java.lang.
at java.security.
at java.net.
... 10 more
Error on Java side: LiveConnectPerm
This same code executes without a hitch in the sun-java6-
Changed in openjdk-6 (Ubuntu): | |
status: | New → Confirmed |
This bug was reported more than six months ago, and I ran into it myself yesterday when doing a fresh ubuntu reinstall. Any chance someone can comment?