Closed
Bug 662309
(CVE-2011-3666)
Opened 13 years ago
Closed 13 years ago
.jar should be marked executable
Categories
(Core Graveyard :: File Handling, defect)
Tracking
(firefox5+ fixed, firefox6+ fixed, firefox7+ fixed, status2.0 wanted, blocking1.9.2 .18+, status1.9.2 .18-fixed)
People
(Reporter: dveditz, Assigned: dveditz)
References
Details
(Keywords: verified-beta, verified1.9.2, Whiteboard: [sg:critical][blocks-fx5b5][qa!])
Attachments
(1 file)
1.40 KB,
patch
|
benjamin
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
christian
:
approval2.0+
christian
:
approval1.9.2.18+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #657462 +++
If Java is installed "opening" a .jar file will launch a Java Application, which is definitely not 'web safe'. Since a .jar application can launch executables (among other things) we should mark that as an executable type so that users are forced to download and manually open rather than allow then to open from the download prompt (or worse, set it to auto-open).
We should check to see if Java registers any other extensions while we're at it.
Updated•13 years ago
|
Whiteboard: [blocks-fx5b5]
Dan, we'll need a reviewed patch for this by 2:00 pm PDT tomorrow...
Assignee | ||
Comment 2•13 years ago
|
||
Require Java and Air bundles to be downloaded and manually run like other executable types.
Attachment #537789 -
Flags: review?(benjamin)
Updated•13 years ago
|
Attachment #537789 -
Flags: review?(benjamin) → review+
Assignee | ||
Updated•13 years ago
|
Attachment #537789 -
Flags: approval-mozilla-beta?
Attachment #537789 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 3•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•13 years ago
|
Attachment #537789 -
Flags: approval2.0?
Attachment #537789 -
Flags: approval1.9.2.18?
Attachment #537789 -
Flags: approval2.0?
Attachment #537789 -
Flags: approval2.0+
Attachment #537789 -
Flags: approval1.9.2.18?
Attachment #537789 -
Flags: approval1.9.2.18+
Attachment #537789 -
Flags: approval-mozilla-beta?
Attachment #537789 -
Flags: approval-mozilla-beta+
Attachment #537789 -
Flags: approval-mozilla-aurora?
Attachment #537789 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 4•13 years ago
|
||
Comment 5•13 years ago
|
||
Pushed to beta:
http://hg.mozilla.org/releases/mozilla-beta/rev/80d99dbc8e9e
Comment 6•13 years ago
|
||
Can someone be super explicit on the testing scenario / STR for QA here? :-)
Whiteboard: [blocks-fx5b5] → [blocks-fx5b5] [qa-examined-192] [qa-needs-STR]
Comment 7•13 years ago
|
||
The testcase in bug 657462 is one way to test (that specific example should be mitigated by this fix).
Comment 8•13 years ago
|
||
Another more general way to test is to ensure that the Download Manager warns you with the scary prompt before allowing you to double-click-open downloaded .jar/.air files.
Comment 9•13 years ago
|
||
Gavin, the testcase in bug 657462 still exhibits its bug with last night's 1.9.2 build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110607 Namoroka/3.6.18pre (.NET CLR 3.5.30729)) so this fix doesn't address that.
Comment 10•13 years ago
|
||
I downloaded a .jar file from https://github.com/nzakas/cssembed/downloads/ with last night's 1.9.2.18pre build on XP (same one as comment 9) and double-clicking in the download manager briefly shows an hourglass, which then dismisses. Nothing else happens and no additional program opens or prompts.
Comment 11•13 years ago
|
||
Didn't this land earlier today? Last night's 1.9.2 build wouldn't have the fix.
Comment 12•13 years ago
|
||
I see the warning now in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110609 Namoroka/3.6.18pre (.NET CLR 3.5.30729).
Verified for 1.9.2.
Keywords: verified1.9.2
Whiteboard: [blocks-fx5b5] [qa-examined-192] [qa-needs-STR] → [blocks-fx5b5]
Assignee | ||
Updated•13 years ago
|
Whiteboard: [blocks-fx5b5] → [sg:critical][blocks-fx5b5]
Updated•13 years ago
|
Alias: CVE-2011-2372
Comment 13•13 years ago
|
||
Assignee | ||
Comment 14•13 years ago
|
||
The June m-c landing means this is fixed in Firefox 7, too
Target Milestone: --- → mozilla7
Comment 15•13 years ago
|
||
qa+ for QA fix verification on Firefox 7.
Whiteboard: [sg:critical][blocks-fx5b5] → [sg:critical][blocks-fx5b5][qa+]
Comment 16•13 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0 ID:20110922153450
1) https://github.com/downloads/nzakas/cssembed/cssembed-0.4.0.jar
2) http://cloudfront.ambiance.urbanapps.com/airinstaller/Ambiance.1.0.2.air
Both files ask me to save the file first. Once downloaded, when I double click them in the Download Manager they open in their respective apps without warning:
* .jar opens in WinZip
* .air opens in Adobe Air Installer
Is this the expected result?
Comment 17•13 years ago
|
||
As I recall, once it is downloaded, it is treated as any other downloaded file. The fix is to make sure that your only option is to save the file when you are prompted to download it.
From your description, Anthony, this sounds fixed.
Comment 18•13 years ago
|
||
Thanks for the clarification, Al. Marking verified fixed.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [sg:critical][blocks-fx5b5][qa+] → [sg:critical][blocks-fx5b5][qa!]
Assignee | ||
Updated•13 years ago
|
Group: core-security
Assignee | ||
Comment 19•13 years ago
|
||
The description of CVE-2011-2372 matches bug 657462 as announced in MFSA 2011-40 so we should stick to that. This one is now CVE-2011-3666
Alias: CVE-2011-2372 → CVE-2011-3666
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•