I installed the gvfs-bin package, and tried: gvfs-open /path/to/foo.jar
and it indeed executes the JAR contents. What do you mean by ``desktop file installed by java''?

On Wed, Jan 28, 2009 at 13:58, Pedro Villavicencio <pe...@ubuntu.com> wrote:
> comment from upstream:
> "does it also happen if you do "gvfs-open /path/to/file.jar"?
> I suspect it's just that you have a desktop file installed by java that
> associates the mime type to this action.
> "
>
> ** Changed in: nautilus (Ubuntu)
>      Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
>        Status: Confirmed => Incomplete
>
> ** Changed in: nautilus
>      Bugwatch: GNOME Bug Tracker #569130 => GNOME Bug Tracker #569129
>        Status: Invalid => Unknown
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable"
> permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Nautilus: Unknown
> Status in "nautilus" source package in Ubuntu: Incomplete
>
> Bug description:
> Binary package hint: nautilus
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System ->
> About Ubuntu.
>
> Description:    Ubuntu 8.04.1
> Release:        8.04
>
> 2) The version of the package you are using, via 'apt-cache policy
> packagename' or by checking in Synaptic.
>
> N/A
>
> 3) What you expected to happen
>
> Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).
> The archive has the execute permission bits cleared (chmod 640). When the
> archive icon is double-clicked, the archive contents should be displayed in
> the Archive Manager. Under no circumstances should code contained in the
> archive be executed. Opening files should be safe, regardless of their
> contents.
>
>
> 4) What happened instead
>
> The archive is nevertheless executed (presumably, java -jar <archive name> is
> called).
>
>
> 5) Security implication
>
> The user can be tricked into executing arbitrary code by opening an
> innocuous-looking file. This is similar to the MS-Word macro virus
> attacks, or Vim modeline attacks.
>
> 6) Example scenario
>
> Firefox downloads to Desktop by default. The user can specify some file types
> to be downloaded automatically. It is reasonable to expect such files would be
> later opened by double-clicking on their Desktop icons. The file type does
> not (necessarily) correspond to the extension; the file name, including the
> extension, is fully under the control of the attacker. Firefox will save
> the file with the file name specified. When the user double-clicks the archive
> they just downloaded, they expect the contents to be displayed. Instead, the
> code supplied by the attacker will be executed.
>
> 7) Workaround
>
> It is possible to change this default behaviour by changing the file
> association: right click > Open With > select Archive Manager as the default
> app to open with. However, this is not based on permissions, so one has to
> right click > Open With > java when one wants to indeed execute the
> application then.
>
> ProblemType: Bug
> Architecture: amd64
> Date: Sat Jan 3 10:12:45 2009
> DistroRelease: Ubuntu 8.04
> Package: firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1
> PackageArchitecture: amd64
> ProcEnviron:
>  PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
>  LANG=en_GB.UTF-8
>  SHELL=/bin/bash
> SourcePackage: firefox-3.0
> Uname: Linux 2.6.24-22-generic x86_64

--
Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
https://bugs.launchpad.net/bugs/313439
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
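The file-association workaround from section 7 of the bug description, as an added example that is not part of the bug report or of Nautilus: a script that reads a freedesktop mimeapps.list (the per-user override that "Open With > set as default" writes) to see which .desktop entry will be launched for application/x-java-archive, and rewrites the default so .jar files open in the Archive Manager instead of a Java runtime. The mimeapps.list contents and the java-runtime.desktop name are constructed, and file-roller.desktop is assumed to be the Archive Manager's entry.

```python
"""Check, and correct, which application the desktop launches for .jar files.

Works on the [Default Applications] section of a mimeapps.list as text, so it
can be run against ~/.config/mimeapps.list or ~/.local/share/applications/
mimeapps.list (location is assumed; it varies by desktop and release).
"""
import configparser
import io

JAR_MIME = "application/x-java-archive"
SAFE_HANDLER = "file-roller.desktop"  # Archive Manager; assumed entry name

# Constructed sample: a runtime's .desktop file (hypothetical name) has been
# made the default for .jar files, which is the situation in the bug report.
SAMPLE_MIMEAPPS = """\
[Default Applications]
text/plain=gedit.desktop
application/x-java-archive=java-runtime.desktop

[Added Associations]
application/x-java-archive=java-runtime.desktop;file-roller.desktop;
"""


def load_mimeapps(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # MIME types are case sensitive; keep keys as written
    cp.read_string(text)
    return cp


def default_handler(text, mime=JAR_MIME):
    """Return the .desktop entry that will open `mime`, or None if none is set."""
    return load_mimeapps(text).get("Default Applications", mime, fallback=None)


def jar_opens_in_runtime(text):
    """True when double-clicking a .jar would hand it to something other
    than the archive manager, i.e. the file would be executed, not displayed."""
    handler = default_handler(text)
    return handler is not None and handler != SAFE_HANDLER


def set_archive_manager_default(text, mime=JAR_MIME, handler=SAFE_HANDLER):
    """Return new mimeapps.list contents with `mime` pointed at the archive manager."""
    cp = load_mimeapps(text)
    if not cp.has_section("Default Applications"):
        cp.add_section("Default Applications")
    cp.set("Default Applications", mime, handler)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    print("current .jar handler:", default_handler(SAMPLE_MIMEAPPS))
    print(set_archive_manager_default(SAMPLE_MIMEAPPS))
```

As the report notes, this only changes which program is launched; nothing here consults the file's execute bit, so a user who wants to run a .jar still has to pick the Java runtime explicitly.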