Bug 662309 (CVE-2011-3666)

.jar should be marked executable

VERIFIED FIXED in Firefox 5

Status

--
critical
VERIFIED FIXED
8 years ago
3 years ago

People

(Reporter: dveditz, Assigned: dveditz)

Tracking

({verified-beta, verified1.9.2})

unspecified
mozilla7
x86
Windows 7
verified-beta, verified1.9.2

Firefox Tracking Flags

(firefox5+ fixed, firefox6+ fixed, firefox7+ fixed, status2.0 wanted, blocking1.9.2 .18+, status1.9.2 .18-fixed)

Details

(Whiteboard: [sg:critical][blocks-fx5b5][qa!])

Attachments

(1 attachment)

(Assignee)

Description

8 years ago
+++ This bug was initially created as a clone of Bug #657462 +++

If Java is installed, "opening" a .jar file will launch a Java Application, which is definitely not 'web safe'. Since a .jar application can launch executables (among other things) we should mark that as an executable type so that users are forced to download and manually open rather than allow them to open from the download prompt (or worse, set it to auto-open).

We should check to see if Java registers any other extensions while we're at it.
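
The policy requested above, as an added example (not Mozilla's patch or code): classify a download's leaf name against an executable-extension list and offer only "save" when it matches. The function names and every list entry other than `jar` and `air` are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Constructed subset of an executable-extension list. "jar" and "air" are the
// two types this bug adds; the other entries are illustrative only.
static const char* const kExecutableExts[] = {"air", "bat", "com",
                                              "exe", "jar", "msi"};

// Returns the lower-cased final extension as Windows will interpret it.
// Win32 drops trailing dots and spaces from a file name, so "tool.jar. "
// is launched as "tool.jar" and has to be classified the same way.
std::string EffectiveExtension(std::string leafName) {
  const auto last = leafName.find_last_not_of(". ");
  if (last == std::string::npos) return "";
  leafName.erase(last + 1);
  const auto dot = leafName.rfind('.');
  if (dot == std::string::npos) return "";
  std::string ext = leafName.substr(dot + 1);
  std::transform(ext.begin(), ext.end(), ext.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return ext;
}

// Case-insensitive match of the effective extension against the list.
bool IsExecutableType(const std::string& leafName) {
  const std::string ext = EffectiveExtension(leafName);
  for (const char* candidate : kExecutableExts) {
    if (ext == candidate) return true;
  }
  return false;
}

enum class PromptChoice { OpenOrSave, SaveOnly };

// Download-prompt policy from the bug description: an executable type can
// only be saved, so neither "open" nor auto-open is offered for it.
PromptChoice ChoicesFor(const std::string& leafName) {
  return IsExecutableType(leafName) ? PromptChoice::SaveOnly
                                    : PromptChoice::OpenOrSave;
}
```

Only the last extension decides the result, so `archive.jar.txt` is treated as text while `tool.JAR. ` is treated as a .jar.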

Updated

8 years ago
Whiteboard: [blocks-fx5b5]

Comment 1

8 years ago
Dan, we'll need a reviewed patch for this by 2:00 pm PDT tomorrow...
(Assignee)

Comment 2

8 years ago
Created attachment 537789 [details] [diff] [review]
Add .jar and .air to Windows executable list

Require Java and Air bundles to be downloaded and manually run like other executable types.
Attachment #537789 - Flags: review?(benjamin)

Updated

8 years ago
Attachment #537789 - Flags: review?(benjamin) → review+
(Assignee)

Updated

8 years ago
Attachment #537789 - Flags: approval-mozilla-beta?
Attachment #537789 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 3

8 years ago
http://hg.mozilla.org/mozilla-central/rev/827d5938a23e
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Attachment #537789 - Flags: approval2.0?
Attachment #537789 - Flags: approval1.9.2.18?

Updated

8 years ago
Attachment #537789 - Flags: approval2.0?
Attachment #537789 - Flags: approval2.0+
Attachment #537789 - Flags: approval1.9.2.18?
Attachment #537789 - Flags: approval1.9.2.18+
Attachment #537789 - Flags: approval-mozilla-beta?
Attachment #537789 - Flags: approval-mozilla-beta+
Attachment #537789 - Flags: approval-mozilla-aurora?
Attachment #537789 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 4

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/3fcfddba021b
status1.9.2: wanted → .18-fixed
status2.0: --- → wanted
Pushed to beta:

http://hg.mozilla.org/releases/mozilla-beta/rev/80d99dbc8e9e
status-firefox5: affected → fixed
Can someone be super explicit on the testing scenario / STR for QA here? :-)
Whiteboard: [blocks-fx5b5] → [blocks-fx5b5] [qa-examined-192] [qa-needs-STR]
The testcase in bug 657462 is one way to test (that specific example should be mitigated by this fix).
Another more general way to test is to ensure that the Download Manager warns you with the scary prompt before allowing you to double-click-open downloaded .jar/.air files.
Gavin, the testcase in bug 657462 still exhibits its bug with last night's 1.9.2 build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110607 Namoroka/3.6.18pre (.NET CLR 3.5.30729)) so this fix doesn't address that.
I downloaded a .jar file from https://github.com/nzakas/cssembed/downloads/ with last night's 1.9.2.18pre build on XP (same one as comment 9) and double-clicking in the download manager briefly shows an hourglass, which then dismisses. Nothing else happens and no additional program opens or prompts.
Didn't this land earlier today? Last night's 1.9.2 build wouldn't have the fix.
I see the warning now in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110609 Namoroka/3.6.18pre (.NET CLR 3.5.30729).

Verified for 1.9.2.
Keywords: verified1.9.2
Whiteboard: [blocks-fx5b5] [qa-examined-192] [qa-needs-STR] → [blocks-fx5b5]
(Assignee)

Updated

8 years ago
Whiteboard: [blocks-fx5b5] → [sg:critical][blocks-fx5b5]
Alias: CVE-2011-2372

Comment 13

8 years ago
http://hg.mozilla.org/releases/mozilla-beta/rev/4bde5f7cea8f
status-firefox6: affected → fixed
(Assignee)

Comment 14

8 years ago
The June m-c landing means this is fixed in Firefox 7, too.
status-firefox7: affected → fixed
Target Milestone: --- → mozilla7
qa+ for QA fix verification on Firefox 7.
Whiteboard: [sg:critical][blocks-fx5b5] → [sg:critical][blocks-fx5b5][qa+]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0 ID:20110922153450

1) https://github.com/downloads/nzakas/cssembed/cssembed-0.4.0.jar
2) http://cloudfront.ambiance.urbanapps.com/airinstaller/Ambiance.1.0.2.air

Both files ask me to save the file first. Once downloaded, when I double click them in the Download Manager they open in their respective apps without warning:

* .jar opens in WinZip
* .air opens in Adobe Air Installer

Is this the expected result?
As I recall, once it is downloaded, it is treated as any other downloaded file. The fix is to make sure that your only option is to save the file when you are prompted to download it.

From your description, Anthony, this sounds fixed.
Thanks for the clarification, Al. Marking verified fixed.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [sg:critical][blocks-fx5b5][qa+] → [sg:critical][blocks-fx5b5][qa!]
(Assignee)

Updated

7 years ago
Group: core-security
(Assignee)

Comment 19

7 years ago
The description of CVE-2011-2372 matches bug 657462 as announced in MFSA 2011-40 so we should stick to that. This one is now CVE-2011-3666
Alias: CVE-2011-2372 → CVE-2011-3666
Product: Core → Core Graveyard