openjdk team mailing list archive

[Kees Cook <kees@xxxxxxxxxx>]

The major thing to look for is .desktop files that trigger off of
MimeTypes, yet actually run the target file.  For example
/usr/share/applications/openjdk-6-java.desktop:

...
Exec=/usr/lib/jvm/java-6-openjdk/bin/java -jar
...
MimeType=application/x-java-archive;application/java-archive;application/x-jar;

This leads to executing the JAR file, even when it lacks the execute
bit.

** Changed in: nautilus (Ubuntu)
       Status: New => Confirmed

** Changed in: wine (Ubuntu)
       Status: New => Confirmed

** Changed in: sun-java6 (Ubuntu)
   Importance: Undecided => High

** Changed in: openjdk-6 (Ubuntu)
       Status: New => Confirmed

** Changed in: openjdk-6 (Ubuntu)
   Importance: Undecided => High

** Changed in: nautilus (Ubuntu)
   Importance: Undecided => High

** Changed in: wine (Ubuntu)
   Importance: Undecided => High

** Changed in: sun-java6 (Ubuntu)
       Status: New => Confirmed

-- 
needs to block non-executable files from executing
https://bugs.launchpad.net/bugs/506702
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in “nautilus” package in Ubuntu: Confirmed
Status in “openjdk-6” package in Ubuntu: Confirmed
Status in “sun-java6” package in Ubuntu: Confirmed
Status in “wine” package in Ubuntu: Confirmed

Bug description:
Binary package hint: nautilus

Following the ratification of the "Execute-Permission Bit Required" security policy, several packages need to have their mime handlers updated to reject opening of various file types that are actually executables when they lack the execute bit.
https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required