Yes, the code is executed regardless of the executable bit.

Thanks for reporting this upstream; I have read the upstream bug
report, and I think it is fine.

On Mon, Jan 26, 2009 at 12:17, Richard Seguin
<ubuntu-b...@transubuntu.ca> wrote:
> Hey Jan,
>
> Yeah sorry my programming skills are not the best in the world so I do get a
> bit confused.   So what you're saying is that even if the executable bit is
> not set nautilus will execute it regardless right? I have already forwarded
> the bug upstream so I will update the ticket clarifying later in the day.
>
> On Sun, Jan 25, 2009 at 10:10 PM, Jan Minář <rdan...@rdancer.org> wrote:
>
>> Richard,
>>
>> You're confusing things.  You can not execute .java files, that's
>> source code.  It must be compiled into byte code (.class files).
>> Executable .jar archive will contain one or more .class files.  For
>> the purpose of this bug, the byte code can be thought of as machine
>> code.
>>
>> There is no difference between a Python script or Perl script, or any
>> other script file that can execute arbitrary commands, java byte code,
>> or a binary executable: If the execute permission is not set, neither
>> one of them is permitted to execute.
>>
>> Jan.
>>
>> On Sun, Jan 25, 2009 at 22:03, Richard Seguin
>> <ubuntu-b...@transubuntu.ca> wrote:
>> > What exactly executes? If a .java file is marked as executable and I
>> > type in the name at a CLI prompt it will not execute, neither will a
>> > .jar file.  I understand that nautilus executes the file when it's
>> > clicked on, but what's the difference between a python script being run
>> > when clicked on, or even a wine launcher. I am going to mark this as low
>> > priority and will check with the bug-control team on this one.
>> >
>> >
>> > ** Changed in: nautilus (Ubuntu)
>> >   Importance: Medium => Low
>> >
>> > --
>> > Opening a Java Archive (.JAR) file executes it regardless of the
>> > "executable" permission bit
>> > https://bugs.launchpad.net/bugs/313439
>> > You received this bug notification because you are a direct subscriber
>> > of the bug.
>> >
>> > Status in "nautilus" source package in Ubuntu: Confirmed
>> >
>> > Bug description:
>> > Binary package hint: nautilus
>> >
>> > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
>> > -> About Ubuntu.
>> >
>> > Description:    Ubuntu 8.04.1
>> > Release:        8.04
>> >
>> > 2) The version of the package you are using, via 'apt-cache policy
>> > packagename' or by checking in Synaptic.
>> >
>> > N/A
>> >
>> > 3) What you expected to happen
>> >
>> > Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).
>> > The archive has the execute permission bits cleared (chmod 640).  When the
>> > archive icon is double-clicked, the archive contents should be displayed in
>> > the Archive Manager.  Under no circumstances code contained in the archive
>> > should be executed.  Opening files should be safe, regardless of their
>> > contents.
>> >
>> >
>> > 4) What happened instead
>> >
>> > The archive is nevertheless executed (presumably, java -jar <archive
>> > name> is called).
>> >
>> >
>> > 5) Security implication
>> >
>> > User can be tricked into executing arbitrary code by opening an
>> > innocuously-looking file.  This is similar to the MS-Word macro virus
>> > attacks, or Vim modeline attacks.
>> >
>> > 6) Example scenario
>> >
>> > Firefox downloads to Desktop by default.  User can specify some file
>> > types to be downloaded automatically.  It is reasonable to expect such files
>> > would be later opened by double-clicking on their Desktop icons.  The file
>> > type does not (necessarily) correspond to the extension; the file name,
>> > including the extension, is fully under the control of the attacker.
>> > Firefox will save the file with the file name specified.  When user
>> > double-clicks the archive they just downloaded, they expect the contents to
>> > be displayed.  Instead, the code supplied by the attacker will be executed.
>> >
>> > 7) Workaround
>> >
>> > It is possible to change this default behaviour by changing the file
>> > association: right click >  Open With > select Archive Manager as the
>> > default app to open with.  However, this is not based on permissions, so one
>> > has to right click > Open With > java when one wants to indeed execute the
>> > application then.
>> >
>> > ProblemType: Bug
>> > Architecture: amd64
>> > Date: Sat Jan  3 10:12:45 2009
>> > DistroRelease: Ubuntu 8.04
>> > Package: firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1
>> > PackageArchitecture: amd64
>> > ProcEnviron:
>> >  PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
>> >  LANG=en_GB.UTF-8
>> >  SHELL=/bin/bash
>> > SourcePackage: firefox-3.0
>> > Uname: Linux 2.6.24-22-generic x86_64
>> >
>>
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" 
> permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Nautilus: Unknown
> Status in "nautilus" source package in Ubuntu: Confirmed
>

-- 
Opening a Java Archive (.JAR) file executes it regardless of the "executable" 
permission bit
https://bugs.launchpad.net/bugs/313439
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to nautilus in ubuntu.
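
The behaviour the report asks for, as an added sketch (not Nautilus code and not part of the thread): a double-click policy that classifies a file by content rather than by its name, and treats a JAR as runnable only when its execute bit is set. The functions `open_action` and `is_runnable_jar` are hypothetical, and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile
import zipfile


def is_runnable_jar(path):
    """True if the content is a ZIP whose manifest names a Main-Class.
    The file name is ignored: the report notes it is attacker-controlled."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return False
    return any(l.lower().startswith("main-class:") for l in manifest.splitlines())


def open_action(path):
    """Hypothetical double-click policy: 'execute' only for a runnable JAR
    whose owner execute bit is set; everything else is merely displayed."""
    mode = os.stat(path).st_mode
    if stat.S_ISREG(mode) and mode & stat.S_IXUSR and is_runnable_jar(path):
        return "execute"
    return "view"


def make_sample_jar(directory, name, mode):
    """Build a constructed sample archive with a Main-Class manifest entry."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: Demo\n")
        zf.writestr("Demo.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
    os.chmod(path, mode)
    return path


def demo():
    """Run the policy over three constructed files and return its decisions."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "download.jar (640)": open_action(make_sample_jar(d, "download.jar", 0o640)),
            "photos.zip (640)": open_action(make_sample_jar(d, "photos.zip", 0o640)),
            "app.jar (750)": open_action(make_sample_jar(d, "app.jar", 0o750)),
        }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```
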
