Comment 9 for bug 313439
Revision history for this message
| Jan Minář (rdancer) wrote Re: [Bug 313439] Re: Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit | #9 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
a60fb26
(Get the code!)
Yes, the code is executed regardless of the executable bit.
Thanks for reporting this upstream; I have read the upstream bug
report, and I think the it is fine.
On Mon, Jan 26, 2009 at 12:17, Richard Seguin
<email address hidden> wrote:
> Hey Jan,
>
> Yeah sorry my programming skills are not the best in the world so I do get a
> bit confused. So what your saying is that even if the executable bit is
> not set nautilus will execute it regardless right? I have already forwarded
> the bug up stream so I will update the ticket clarifying later in the day.
>
> On Sun, Jan 25, 2009 at 10:10 PM, Jan Minář <email address hidden> wrote:
>
>> Richard,
>>
>> You're confusing things. You can not execute .java files, that's
>> source code. It must be compiled into byte code (.class files).
>> Executable .jar archive will contain one or more .class files. For
>> the purpose of this bug, the byte code can be thought of as machine
>> code.
>>
>> There is no difference between a Python script or Perl script, or any
>> other script file that can execute arbitrary commands, java byte code,
>> or a binary executable: If the execute permission is not set, neither
>> one of them is permitted to execute.
>>
>> Jan.
>>
>> On Sun, Jan 25, 2009 at 22:03, Richard Seguin
>> <email address hidden> wrote:
>> > What exactly executes? If a .java file is marked as executable and I
>> > type in the name at a CLI prompt it will not execute, neither will a
>> > .jar file. I understand that nautilus executes the file when it's
>> > clicked on, but what's the difference between a python script being ran
>> > when clicked on, or even a wine launcher. I am going to mark this as low
>> > priority and will check with the bug-control team on this one.
>> >
>> >
>> > ** Changed in: nautilus (Ubuntu)
>> > Importance: Medium => Low
>> >
>> > --
>> > Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> > https:/
>> > You received this bug notification because you are a direct subscriber
>> > of the bug.
>> >
>> > Status in "nautilus" source package in Ubuntu: Confirmed
>> >
>> > Bug description:
>> > Binary package hint: nautilus
>> >
>> > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
>> -> About Ubuntu.
>> >
>> > Description: Ubuntu 8.04.1
>> > Release: 8.04
>> >
>> > 2) The version of the package you are using, via 'apt-cache policy
>> packagename' or by checking in Synaptic.
>> >
>> > N/A
>> >
>> > 3) What you expected to happen
>> >
>> > Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).
>> The archive has the execute permission bits cleared (chmod 640). When the
>> archive icon is double-clicked, the archive contents should be displayed in
>> the Archive Manager. Under no circumstances code contained in the archive
>> should be executed. Opening files should be safe, regardless of their
>> contents.
>> >
>> >
>> > 4) What happened instead
>> >
>> > The archive is nevertheless executed (presumably, java -jar <archive
>> name> is called).
>> >
>> >
>> > 5) Security implication
>> >
>> > User can be tricked into executing arbitrary code by opening an
>> innocuously-looking file. This is similar to the MS-Word macro virus
>> attacks, or a Vim modeline attacks.
>> >
>> > 6) Example scenario
>> >
>> > Firefox downloads to Desktop by default. User can specify some file
>> types to be downloaded automatically. It is reasonable to expect such files
>> would be later opened by double-clicking on their Desktop icons. The file
>> type does not (necessarily) correspond to the extension; the file name,
>> including the extension, is fully under the control of the attacker.
>> Firefox will save the file with the file name specified. When user
>> double-clicks the archive they just downloaded, they expect the contents to
>> be displayed. Instead, the code supplied by the attacker will be executed.
>> >
>> > 7) Workaround
>> >
>> > It is possible to change this default behaviour by changing the file
>> association: right click > Open With > select Archive Manager as the
>> default app to open with. However, this is not based on permissions, so one
>> has to right click > Open With > java when one wants to indeed execute the
>> application then.
>> >
>> > ProblemType: Bug
>> > Architecture: amd64
>> > Date: Sat Jan 3 10:12:45 2009
>> > DistroRelease: Ubuntu 8.04
>> > Package: firefox-3.0 3.0.5+nobinonly
>> > PackageArchitec
>> > ProcEnviron:
>> >
>> PATH=/home/
>> > LANG=en_GB.UTF-8
>> > SHELL=/bin/bash
>> > SourcePackage: firefox-3.0
>> > Uname: Linux 2.6.24-22-generic x86_64
>> >
>>
>> --
>> Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> https:/
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https:/
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Nautilus: Unknown
> Status in "nautilus" source package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: nautilus
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.
>
> Description: Ubuntu 8.04.1
> Release: 8.04
>
> 2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.
>
> N/A
>
> 3) What you expected to happen
>
> Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI). The archive has the execute permission bits cleared (chmod 640). When the archive icon is double-clicked, the archive contents should be displayed in the Archive Manager. Under no circumstances code contained in the archive should be executed. Opening files should be safe, regardless of their contents.
>
>
> 4) What happened instead
>
> The archive is nevertheless executed (presumably, java -jar <archive name> is called).
>
>
> 5) Security implication
>
> User can be tricked into executing arbitrary code by opening an innocuously-looking file. This is similar to the MS-Word macro virus attacks, or a Vim modeline attacks.
>
> 6) Example scenario
>
> Firefox downloads to Desktop by default. User can specify some file types to be downloaded automatically. It is reasonable to expect such files would be later opened by double-clicking on their Desktop icons. The file type does not (necessarily) correspond to the extension; the file name, including the extension, is fully under the control of the attacker. Firefox will save the file with the file name specified. When user double-clicks the archive they just downloaded, they expect the contents to be displayed. Instead, the code supplied by the attacker will be executed.
>
> 7) Workaround
>
> It is possible to change this default behaviour by changing the file association: right click > Open With > select Archive Manager as the default app to open with. However, this is not based on permissions, so one has to right click > Open With > java when one wants to indeed execute the application then.
>
> ProblemType: Bug
> Architecture: amd64
> Date: Sat Jan 3 10:12:45 2009
> DistroRelease: Ubuntu 8.04
> Package: firefox-3.0 3.0.5+nobinonly
> PackageArchitec
> ProcEnviron:
> PATH=/home/
> LANG=en_GB.UTF-8
> SHELL=/bin/bash
> SourcePackage: firefox-3.0
> Uname: Linux 2.6.24-22-generic x86_64
>