openjdk team mailing list archive

Thread
Date

[Bug 506702] Re: needs to block non-executable files from executing

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Johan Kiviniemi <launchpad.net@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 16 Jan 2010 12:20:47 -0000
Reply-to: Bug 506702 <506702@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Malicious software in Windows has been known to try getting past simple
file type checks by spreading a zip file containing the actual
executable.

In our case, a user could get a tarball containing an executable with
the +x bit set from a malicious user.

Perhaps make file-roller ask the user before unpacking archives that
have the executable bit set.

-- 
needs to block non-executable files from executing
https://bugs.launchpad.net/bugs/506702
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in “mime-support” package in Ubuntu: Fix Released
Status in “nautilus” package in Ubuntu: In Progress
Status in “openjdk-6” package in Ubuntu: Fix Released
Status in “sun-java6” package in Ubuntu: In Progress
Status in “wine” package in Ubuntu: Fix Released
Status in “wine1.2” package in Ubuntu: New

Bug description:
Binary package hint: nautilus

Following the ratification of the "Execute-Permission Bit Required" security policy, several packages need to have their mime handlers updated to reject opening of various file types that are actually executables when they lack the execute bit.
https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required

References

[Bug 506702] [NEW] needs to block non-executable files from executing
From: Kees Cook, 2010-01-13