The major thing to look for is .desktop files that trigger off of
MimeTypes, yet actually run the target file. For example
/usr/share/applications/openjdk-6-java.desktop:
...
Exec=/usr/lib/jvm/java-6-openjdk/bin/java -jar
...
MimeType=application/x-java-archive;application/java-archive;application/x-jar;
This leads to executing the JAR file, even when it lacks the execute
bit.
** Changed in: nautilus (Ubuntu)
Status: New => Confirmed
** Changed in: wine (Ubuntu)
Status: New => Confirmed
** Changed in: sun-java6 (Ubuntu)
Importance: Undecided => High
** Changed in: openjdk-6 (Ubuntu)
Status: New => Confirmed
** Changed in: openjdk-6 (Ubuntu)
Importance: Undecided => High
** Changed in: nautilus (Ubuntu)
Importance: Undecided => High
** Changed in: wine (Ubuntu)
Importance: Undecided => High
** Changed in: sun-java6 (Ubuntu)
Status: New => Confirmed
--
needs to block non-executable files from executing
https://bugs.launchpad.net/bugs/506702
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.
Status in “nautilus” package in Ubuntu: Confirmed
Status in “openjdk-6” package in Ubuntu: Confirmed
Status in “sun-java6” package in Ubuntu: Confirmed
Status in “wine” package in Ubuntu: Confirmed
Bug description:
Binary package hint: nautilus
Following the ratification of the "Execute-Permission Bit Required" security
policy, several packages need to have their mime handlers updated to reject
opening of various file types that are actually executables when they lack the
execute bit.
https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required
_______________________________________________
Mailing list: https://launchpad.net/~openjdk
Post to : [email protected]
Unsubscribe : https://launchpad.net/~openjdk
More help : https://help.launchpad.net/ListHelp
