Hey Jan, Yeah sorry my programming skills are not the best in the world so I do get a bit confused. So what your saying is that even if the executable bit is not set nautilus will execute it regardless right? I have already forwarded the bug up stream so I will update the ticket clarifying later in the day.
On Sun, Jan 25, 2009 at 10:10 PM, Jan Minář <[email protected]> wrote: > Richard, > > You're confusing things. You can not execute .java files, that's > source code. It must be compiled into byte code (.class files). > Executable .jar archive will contain one or more .class files. For > the purpose of this bug, the byte code can be thought of as machine > code. > > There is no difference between a Python script or Perl script, or any > other script file that can execute arbitrary commands, java byte code, > or a binary executable: If the execute permission is not set, neither > one of them is permitted to execute. > > Jan. > > On Sun, Jan 25, 2009 at 22:03, Richard Seguin > <[email protected]> wrote: > > What exactly executes? If a .java file is marked as executable and I > > type in the name at a CLI prompt it will not execute, neither will a > > .jar file. I understand that nautilus executes the file when it's > > clicked on, but what's the difference between a python script being ran > > when clicked on, or even a wine launcher. I am going to mark this as low > > priority and will check with the bug-control team on this one. > > > > > > ** Changed in: nautilus (Ubuntu) > > Importance: Medium => Low > > > > -- > > Opening a Java Archive (.JAR) file executes it regardless of the > "executable" permission bit > > https://bugs.launchpad.net/bugs/313439 > > You received this bug notification because you are a direct subscriber > > of the bug. > > > > Status in "nautilus" source package in Ubuntu: Confirmed > > > > Bug description: > > Binary package hint: nautilus > > > > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System > -> About Ubuntu. > > > > Description: Ubuntu 8.04.1 > > Release: 8.04 > > > > 2) The version of the package you are using, via 'apt-cache policy > packagename' or by checking in Synaptic. > > > > N/A > > > > 3) What you expected to happen > > > > Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI). > The archive has the execute permission bits cleared (chmod 640). When the > archive icon is double-clicked, the archive contents should be displayed in > the Archive Manager. Under no circumstances code contained in the archive > should be executed. Opening files should be safe, regardless of their > contents. > > > > > > 4) What happened instead > > > > The archive is nevertheless executed (presumably, java -jar <archive > name> is called). > > > > > > 5) Security implication > > > > User can be tricked into executing arbitrary code by opening an > innocuously-looking file. This is similar to the MS-Word macro virus > attacks, or a Vim modeline attacks. > > > > 6) Example scenario > > > > Firefox downloads to Desktop by default. User can specify some file > types to be downloaded automatically. It is reasonable to expect such files > would be later opened by double-clicking on their Desktop icons. The file > type does not (necessarily) correspond to the extension; the file name, > including the extension, is fully under the control of the attacker. > Firefox will save the file with the file name specified. When user > double-clicks the archive they just downloaded, they expect the contents to > be displayed. Instead, the code supplied by the attacker will be executed. > > > > 7) Workaround > > > > It is possible to change this default behaviour by changing the file > association: right click > Open With > select Archive Manager as the > default app to open with. However, this is not based on permissions, so one > has to right click > Open With > java when one wants to indeed execute the > application then. > > > > ProblemType: Bug > > Architecture: amd64 > > Date: Sat Jan 3 10:12:45 2009 > > DistroRelease: Ubuntu 8.04 > > Package: firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1 > > PackageArchitecture: amd64 > > ProcEnviron: > > > > PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games > > LANG=en_GB.UTF-8 > > SHELL=/bin/bash > > SourcePackage: firefox-3.0 > > Uname: Linux 2.6.24-22-generic x86_64 > > > > -- > Opening a Java Archive (.JAR) file executes it regardless of the > "executable" permission bit > https://bugs.launchpad.net/bugs/313439 > You received this bug notification because you are a direct subscriber > of the bug. > -- Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit https://bugs.launchpad.net/bugs/313439 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
