Comment 11 for bug 313439

Jan Minář (rdancer) wrote : Re: [Bug 313439] Re: Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit

I installed the gvfs-bin package, and tried:

    gvfs-open /path/to/foo.jar

and it indeed executes the JAR contents.

What do you mean by ``desktop file installed by java''?

On Wed, Jan 28, 2009 at 13:58, Pedro Villavicencio <email address hidden> wrote:
> comment from upstream:
> "does it also happen if you do "gvfs-open /path/to/file.jar"?
> I suspect it's just that you have a desktop file installed by java that
> associates the mime type to this action.
> "
>
> ** Changed in: nautilus (Ubuntu)
> Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
> Status: Confirmed => Incomplete
>
> ** Changed in: nautilus
> Bugwatch: GNOME Bug Tracker #569130 => GNOME Bug Tracker #569129
> Status: Invalid => Unknown
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Nautilus: Unknown
> Status in "nautilus" source package in Ubuntu: Incomplete
>
> Bug description:
> Binary package hint: nautilus
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.
>
> Description: Ubuntu 8.04.1
> Release: 8.04
>
> 2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.
>
> N/A
>
> 3) What you expected to happen
>
> Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI). The archive has the execute permission bits cleared (chmod 640). When the archive icon is double-clicked, the archive contents should be displayed in the Archive Manager. Under no circumstances should code contained in the archive be executed. Opening files should be safe, regardless of their contents.
>
>
> 4) What happened instead
>
> The archive is nevertheless executed (presumably, java -jar <archive name> is called).
>
>
> 5) Security implication
>
> User can be tricked into executing arbitrary code by opening an innocuous-looking file. This is similar to the MS-Word macro virus attacks, or Vim modeline attacks.
>
> 6) Example scenario
>
> Firefox downloads to Desktop by default. User can specify some file types to be downloaded automatically. It is reasonable to expect such files would be later opened by double-clicking on their Desktop icons. The file type does not (necessarily) correspond to the extension; the file name, including the extension, is fully under the control of the attacker. Firefox will save the file with the file name specified. When user double-clicks the archive they just downloaded, they expect the contents to be displayed. Instead, the code supplied by the attacker will be executed.
>
> 7) Workaround
>
> It is possible to change this default behaviour by changing the file association: right click > Open With > select Archive Manager as the default app to open with. However, this is not based on permissions, so one has to right click > Open With > java when one wants to indeed execute the application then.
>
> ProblemType: Bug
> Architecture: amd64
> Date: Sat Jan 3 10:12:45 2009
> DistroRelease: Ubuntu 8.04
> Package: firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1
> PackageArchitecture: amd64
> ProcEnviron:
> PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
> LANG=en_GB.UTF-8
> SHELL=/bin/bash
> SourcePackage: firefox-3.0
> Uname: Linux 2.6.24-22-generic x86_64
>
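
The upstream comment quoted above attributes the behaviour to a desktop file that associates the JAR MIME type with an executing action. The following is an added example, not part of the original thread, that audits a directory of .desktop entries for such an association. The MIME type names, the helper names and the sample entries are assumptions constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: MIME names commonly used for JAR files; the thread does not name one.
JAR_MIME_TYPES = {"application/x-java-archive", "application/java-archive", "application/x-jar"}

def read_desktop_entry(path):
    """Return the [Desktop Entry] section of a .desktop file as a dict."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    parser.read(path, encoding="utf-8")
    return dict(parser["Desktop Entry"]) if parser.has_section("Desktop Entry") else {}

def jar_executing_handlers(app_dir):
    """List (file name, Exec line) of entries that claim a JAR MIME type and run it."""
    hits = []
    for path in sorted(Path(app_dir).glob("*.desktop")):
        entry = read_desktop_entry(path)
        mimes = {m for m in entry.get("MimeType", "").split(";") if m}
        argv = entry.get("Exec", "").split()
        # "-jar" makes the Java launcher execute the archive rather than list it.
        if mimes & JAR_MIME_TYPES and "-jar" in argv:
            hits.append((path.name, entry["Exec"]))
    return hits

# Constructed sample entries (hypothetical names, not taken from any real package).
SAMPLES = {
    "sample-java.desktop": "[Desktop Entry]\nType=Application\nName=Sample Java Runtime\n"
                           "Exec=java -jar %f\nMimeType=application/x-java-archive;application/java-archive;\n",
    "sample-archiver.desktop": "[Desktop Entry]\nType=Application\nName=Sample Archive Manager\n"
                               "Exec=sample-archiver %U\nMimeType=application/zip;application/x-java-archive;\n",
    "sample-editor.desktop": "[Desktop Entry]\nType=Application\nName=Sample Editor\n"
                             "Exec=sample-editor %U\nMimeType=text/plain;\n",
}

def audit_samples():
    """Write the constructed samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return jar_executing_handlers(tmp)

if __name__ == "__main__":
    for name, exec_line in audit_samples():
        print(f"{name}: {exec_line}")
```

To audit an installed system, call `jar_executing_handlers` on `/usr/share/applications` instead of the temporary directory.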