Comment 8 for bug 313439

Richard Seguin (sectech) wrote : Re: [Bug 313439] Re: Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit

Hey Jan,

Yeah, sorry, my programming skills are not the best in the world so I do get a
bit confused. So what you're saying is that even if the executable bit is
not set, nautilus will execute it regardless, right? I have already forwarded
the bug upstream so I will update the ticket clarifying later in the day.

On Sun, Jan 25, 2009 at 10:10 PM, Jan Minář <email address hidden> wrote:

> Richard,
>
> You're confusing things. You can not execute .java files, that's
> source code. It must be compiled into byte code (.class files).
> Executable .jar archive will contain one or more .class files. For
> the purpose of this bug, the byte code can be thought of as machine
> code.
>
> There is no difference between a Python script or Perl script, or any
> other script file that can execute arbitrary commands, java byte code,
> or a binary executable: If the execute permission is not set, neither
> one of them is permitted to execute.
>
> Jan.
>
> On Sun, Jan 25, 2009 at 22:03, Richard Seguin
> <email address hidden> wrote:
> > What exactly executes? If a .java file is marked as executable and I
> > type in the name at a CLI prompt it will not execute, neither will a
> > .jar file. I understand that nautilus executes the file when it's
> > clicked on, but what's the difference between a python script being run
> > when clicked on, or even a wine launcher. I am going to mark this as low
> > priority and will check with the bug-control team on this one.
> >
> >
> > ** Changed in: nautilus (Ubuntu)
> > Importance: Medium => Low
> >
> > --
> > Opening a Java Archive (.JAR) file executes it regardless of the
> > "executable" permission bit
> > https://bugs.launchpad.net/bugs/313439
> > You received this bug notification because you are a direct subscriber
> > of the bug.
> >
> > Status in "nautilus" source package in Ubuntu: Confirmed
> >
> > Bug description:
> > Binary package hint: nautilus
> >
> > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
> > -> About Ubuntu.
> >
> > Description: Ubuntu 8.04.1
> > Release: 8.04
> >
> > 2) The version of the package you are using, via 'apt-cache policy
> > packagename' or by checking in Synaptic.
> >
> > N/A
> >
> > 3) What you expected to happen
> >
> > Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).
> > The archive has the execute permission bits cleared (chmod 640). When the
> > archive icon is double-clicked, the archive contents should be displayed in
> > the Archive Manager. Under no circumstances should code contained in the
> > archive be executed. Opening files should be safe, regardless of their
> > contents.
> >
> >
> > 4) What happened instead
> >
> > The archive is nevertheless executed (presumably, java -jar <archive
> > name> is called).
> >
> >
> > 5) Security implication
> >
> > User can be tricked into executing arbitrary code by opening an
> > innocuous-looking file. This is similar to the MS-Word macro virus
> > attacks, or Vim modeline attacks.
> >
> > 6) Example scenario
> >
> > Firefox downloads to Desktop by default. User can specify some file
> > types to be downloaded automatically. It is reasonable to expect such files
> > would be later opened by double-clicking on their Desktop icons. The file
> > type does not (necessarily) correspond to the extension; the file name,
> > including the extension, is fully under the control of the attacker.
> > Firefox will save the file with the file name specified. When user
> > double-clicks the archive they just downloaded, they expect the contents to
> > be displayed. Instead, the code supplied by the attacker will be executed.
> >
> > 7) Workaround
> >
> > It is possible to change this default behaviour by changing the file
> > association: right click > Open With > select Archive Manager as the
> > default app to open with. However, this is not based on permissions, so one
> > has to right click > Open With > java when one wants to indeed execute the
> > application then.
> >
> > ProblemType: Bug
> > Architecture: amd64
> > Date: Sat Jan 3 10:12:45 2009
> > DistroRelease: Ubuntu 8.04
> > Package: firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1
> > PackageArchitecture: amd64
> > ProcEnviron:
> > PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
> > LANG=en_GB.UTF-8
> > SHELL=/bin/bash
> > SourcePackage: firefox-3.0
> > Uname: Linux 2.6.24-22-generic x86_64
> >
>
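
The behaviour the bug description asks for, sketched as an added example that is not part of this thread and is not Nautilus code: an opener that only chooses "execute" for an archive when it has a Main-Class manifest and the execute bit applies to the current user, and otherwise falls back to viewing. The function names (`may_execute`, `has_main_class`, `open_action`, `make_sample_jar`) and the sample archives are constructed for illustration; ACLs and noexec mounts are not modelled.

```python
import os, stat, tempfile, zipfile

def may_execute(st, uid, gids):
    """Classic Unix permission check for execute (ignores ACLs, noexec)."""
    mode = st.st_mode
    if uid == 0:                       # root still needs at least one x bit
        return bool(mode & 0o111)
    if uid == st.st_uid:
        return bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def has_main_class(path):
    """True if the file is a ZIP whose manifest names a Main-Class."""
    if not zipfile.is_zipfile(path):   # judge by content, not by extension
        return False
    with zipfile.ZipFile(path) as jar:
        try:
            raw = jar.read("META-INF/MANIFEST.MF")
        except KeyError:
            return False
    lines = raw.decode("utf-8", "replace").splitlines()
    return any(line.startswith("Main-Class:") for line in lines)

def open_action(path):
    """Return 'execute' or 'view'; no x bit means the code is never run."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    if has_main_class(path) and may_execute(st, os.geteuid(), gids):
        return "execute"   # caller would run: java -jar <path>
    return "view"          # caller would hand the file to the archive manager

def make_sample_jar(directory, name, mode):
    """Constructed sample: a minimal archive with a Main-Class manifest."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: Demo\r\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("report.jar", 0o640), ("tool.jar", 0o750)):
            path = make_sample_jar(d, name, mode)
            print(name, oct(mode), open_action(path))
```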