Ubuntu
sun-java6 package

Bug #313439
Comment #24

Comment 24 for bug 313439

Revision history for this message

Jan Minář (rdancer) wrote on 2010-06-18: Re: [Bug 313439] Re: Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit

#24

It doesn't really matter how much you write to the contrary, or how
personal you get, the fact of the matter remains that opening a file
downloaded from the Internet results in arbitrary code execution.

Your opinion is that this is OK.

My opinion is that this is not OK.

(1) The users don't expect this

Regardless of whether the users will agree with your explanation of
why this works the way it does, they will open files downloaded from
the Internet thinking that nothing can happen. Ubuntu has been
reinforcing this attitude, for example by Firefox warning against
opening *executable* files with a scary warning, while opening
non-executable data types seamlessly.

(2) It lowers the barrier for malicious code execution too low

If Ubuntu ever gets a sizable market share, this will get targeted by
malicious code writers, and it will get fixed. No harm in keeping
this bug open for at least that long, is there?

(3) Fix is easy to implement, albeit with some level of hackery

There is always some level of hackery involved when trying to fit a
model to the real world.

(4) We have had this debate before

We have all laughed at people opening e-mail attachments in Outlook or
simply opening documents in Word and getting viruses and what not.
This is not different.

For all these reasons, the bug should be fixed.

On Fri, Jun 18, 2010 at 20:40, Robert O'Connor <email address hidden> wrote:
> I hate to say it but Kiri is right in this case. This sounds more like
> somebody who doesn't understand what a jar file actually is. There is no
> attitude, just simply a case of somebody who doesn't get what a jar file is
> and how it gets executed. I don't get why this bug is even still open...
>
> Just my $0.02.
>
> -Rob
>
>
> On Fri, Jun 18, 2010 at 3:22 PM, Jan Minář <email address hidden> wrote:
>
>> @Kiri Your attitude is not helping.
>>
>> On Fri, Jun 18, 2010 at 20:13, Kiri <email address hidden> wrote:
>> > I regard this as not a bug. There may be an issue, but the issue is not
>> > a bug.
>> >
>> > --
>> > Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> > https://bugs.launchpad.net/bugs/313439
>> > You received this bug notification because you are a direct subscriber
>> > of the bug.
>> >
>>
>> --
>> Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> https://bugs.launchpad.net/bugs/313439
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Your opinion is that this is OK.

My opinion is that this is not OK.

(1) The users don't expect this

Regardless of whether the users will agree with your explanation of
why this works the way it does, they will open files downloaded from
the Internet thinking that nothing can happen.  Ubuntu has been
reinforcing this attitude, for example by Firefox warning against
opening *executable* files with a scary warning, while opening
non-executable data types seamlessly.

(2) It lowers the barrier for malicious code execution too low

If Ubuntu ever gets a sizable market share, this will get targeted by
malicious code writers, and it will get fixed.  No harm in keeping
this bug open for at least that long, is there?

(3) Fix is easy to implement, albeit with some level of hackery

There is always some level of hackery involved when trying to fit a
model to the real world.

(4) We have had this debate before

We have all laughed at people opening e-mail attachments in Outlook or
simply opening documents in Word and getting viruses and what not.
This is not different.

For all these reasons, the bug should be fixed.

On Fri, Jun 18, 2010 at 20:40, Robert O'Connor <robby.oconnor@gmail.com> wrote:
> I hate to say it but Kiri is right in this case. This sounds more like
> somebody who doesn't understand what a jar file actually is. There is no
> attitude, just simply a case of somebody who doesn't get what a jar file is
> and how it gets executed. I don't get why this bug is even still open...
>
> Just my $0.02.
>
> -Rob
>
>
> On Fri, Jun 18, 2010 at 3:22 PM, Jan Minář <rdancer@rdancer.org> wrote:
>
>> @Kiri Your attitude is not helping.
>>
>> On Fri, Jun 18, 2010 at 20:13, Kiri <jyqvklioo@googlemail.com> wrote:
>> > I regard this as not a bug.  There may be an issue, but the issue is not
>> > a bug.
>> >
>> > --
>> > Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> > https://bugs.launchpad.net/bugs/313439
>> > You received this bug notification because you are a direct subscriber
>> > of the bug.
>> >
>>
>> --
>> Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> https://bugs.launchpad.net/bugs/313439
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Ubuntusun-java6 package

Comment 24 for bug 313439

Ubuntu
sun-java6 package