Closed Bug 662309 (CVE-2011-3666) Opened 8 years ago Closed 8 years ago

.jar should be marked executable

Categories

(Core Graveyard :: File Handling, defect, critical)

x86
Windows 7
defect
Not set
critical

Tracking

(firefox5+ fixed, firefox6+ fixed, firefox7+ fixed, status2.0 wanted, blocking1.9.2 .18+, status1.9.2 .18-fixed)

VERIFIED FIXED
mozilla7
Tracking Status
firefox5 + fixed
firefox6 + fixed
firefox7 + fixed
status2.0 --- wanted
blocking1.9.2 --- .18+
status1.9.2 --- .18-fixed

People

(Reporter: dveditz, Assigned: dveditz)

References

Details

(Keywords: verified-beta, verified1.9.2, Whiteboard: [sg:critical][blocks-fx5b5][qa!])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #657462 +++

If Java is installed "opening" a .jar file will launch a Java Application, which is definitely not 'web safe'. Since a .jar application can launch executables (among other things) we should mark that as an executable type so that users are forced to download and manually open rather than allow then to open from the download prompt (or worse, set it to auto-open).

We should check to see if Java registers any other extensions while we're at it.
Whiteboard: [blocks-fx5b5]
Dan, we'll need a reviewed patch for this by 2:00 pm PDT tomorrow...
Require Java and Air bundles to be downloaded and manually run like other executable types.
Attachment #537789 - Flags: review?(benjamin)
Attachment #537789 - Flags: review?(benjamin) → review+
Attachment #537789 - Flags: approval-mozilla-beta?
Attachment #537789 - Flags: approval-mozilla-aurora?
http://hg.mozilla.org/mozilla-central/rev/827d5938a23e
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Attachment #537789 - Flags: approval2.0?
Attachment #537789 - Flags: approval1.9.2.18?
Attachment #537789 - Flags: approval2.0?
Attachment #537789 - Flags: approval2.0+
Attachment #537789 - Flags: approval1.9.2.18?
Attachment #537789 - Flags: approval1.9.2.18+
Attachment #537789 - Flags: approval-mozilla-beta?
Attachment #537789 - Flags: approval-mozilla-beta+
Attachment #537789 - Flags: approval-mozilla-aurora?
Attachment #537789 - Flags: approval-mozilla-aurora+
Can someone be super explicit on the testing scenario / STR for QA here? :-)
Whiteboard: [blocks-fx5b5] → [blocks-fx5b5] [qa-examined-192] [qa-needs-STR]
The testcase in bug 657462 is one way to test (that specific example should be mitigated by this fix).
Another more general way to test is to ensure that the Download Manager warns you with the scary prompt before allowing you to double-click-open downloaded .jar/.air files.
Gavin, the testcase in bug 657462 still exhibits its bug with last night's 1.9.2 build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110607 Namoroka/3.6.18pre (.NET CLR 3.5.30729)) so this fix doesn't address that.
I downloaded a .jar file from https://github.com/nzakas/cssembed/downloads/ with last night's 1.9.2.18pre build on XP (same one as comment 9) and double-clicking in the download manager briefly shows an hourglass, which then dismisses. Nothing else happens and no additional program opens or prompts.
Didn't this land earlier today? Last night's 1.9.2 build wouldn't have the fix.
I see the warning now in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110609 Namoroka/3.6.18pre (.NET CLR 3.5.30729).

Verified for 1.9.2.
Keywords: verified1.9.2
Whiteboard: [blocks-fx5b5] [qa-examined-192] [qa-needs-STR] → [blocks-fx5b5]
Whiteboard: [blocks-fx5b5] → [sg:critical][blocks-fx5b5]
Alias: CVE-2011-2372
The June m-c landing means this is fixed in Firefox 7, too
Target Milestone: --- → mozilla7
qa+ for QA fix verification on Firefox 7.
Whiteboard: [sg:critical][blocks-fx5b5] → [sg:critical][blocks-fx5b5][qa+]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0 ID:20110922153450

1) https://github.com/downloads/nzakas/cssembed/cssembed-0.4.0.jar
2) http://cloudfront.ambiance.urbanapps.com/airinstaller/Ambiance.1.0.2.air

Both files ask me to save the file first. Once downloaded, when I double click them in the Download Manager they open in their respective apps without warning:

* .jar opens in WinZip
* .air opens in Adobe Air Installer

Is this the expected result?
As I recall, once it is downloaded, it is treated as any other downloaded file. The fix is to make sure that your only option is to save the file when you are prompted to download it.

From your description, Anthony, this sounds fixed.
Thanks for the clarification, Al. Marking verified fixed.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [sg:critical][blocks-fx5b5][qa+] → [sg:critical][blocks-fx5b5][qa!]
Group: core-security
The description of CVE-2011-2372 matches bug 657462 as announced in MFSA 2011-40 so we should stick to that. This one is now CVE-2011-3666
Alias: CVE-2011-2372 → CVE-2011-3666
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.