Bug 704622 - [1.9.2] .jar should not be openable on Mac or Linux, download only (CVE-2011-3666)
Status: VERIFIED FIXED
Whiteboard: [sg:critical][qa!]
Keywords: qawanted, verified-aurora, verified-beta, verified1.9.2
Product: Core Graveyard
Classification: Graveyard
Component: File Handling
Version: 1.9.2 Branch
Platform: x86 Mac OS X
Importance: -- critical
Assigned To: Rafael Ávila de Espíndola (:espindola) (not reading bugmail)
URL: https://bugzilla.mozilla.org/attachme...
Depends on: 663899 689195
Blocks: CVE-2011-2372

Reported: 2011-11-22 13:57 PST by Daniel Veditz [:dveditz]
Modified: 2016-06-22 12:16 PDT

Attachments
Copy and paste the logic from nsLocalFileUnix.cpp to nsLocalFileOSX.mm (1.97 KB, patch)
2011-12-05 14:00 PST, Rafael Ávila de Espíndola (:espindola) (not reading bugmail)
smichaud: review+
akeybl: approval1.9.2.25+

Description Daniel Veditz [:dveditz] 2011-11-22 13:57:46 PST
+++ This bug was initially created as a clone of Bug #663899 +++

+++ This bug was initially created as a clone of Bug #662309 +++

A patch was landed for this in 1.9.23, but it did not fix the problem on the 1.9.2 branch. See bug 663899 comment 85
Comment 1 Rafael Ávila de Espíndola (:espindola) (not reading bugmail) 2011-11-22 14:19:39 PST
The patch that landed just used the same code that Windows was using before.
Is the issue fixed on Windows on 1.9.2?
Comment 2 Daniel Veditz [:dveditz] 2011-12-01 13:16:24 PST
According to bug 662309 comment 12 this was verified in 1.9.2 on Windows
Comment 3 Rafael Ávila de Espíndola (:espindola) (not reading bugmail) 2011-12-05 11:18:19 PST
What mozconfig have you used? I just started a build with

ac_add_options --enable-application=browser
ac_add_options --enable-update-channel=release
ac_add_options --enable-update-packaging
ac_add_options --enable-tests
ac_add_options --enable-official-branding

export MOZILLA_OFFICIAL=1

export MOZ_TELEMETRY_REPORTING=1
Comment 4 Steven Michaud [:smichaud] (Retired) 2011-12-05 11:21:57 PST
> what mozconfig have you used?

Who are you asking? :-)

The mozconfigs used in "official" distros (nightlies and releases) can be found in their build logs.
Comment 5 Rafael Ávila de Espíndola (:espindola) (not reading bugmail) 2011-12-05 11:56:03 PST
I could not find a build log for this one. I think 1.9.2 is built so infrequently that the last one is not available anymore.

I just found out that it fails to build in 64 bits, so what I am trying now is


export CC="/usr/bin/gcc-4.2 -arch i386"
export CXX="/usr/bin/g++-4.2 -arch i386"

ac_add_options --enable-application=browser
ac_add_options --enable-update-channel=release
ac_add_options --enable-update-packaging
ac_add_options --enable-tests
ac_add_options --enable-official-branding

export MOZILLA_OFFICIAL=1

export MOZ_TELEMETRY_REPORTING=1

mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-test
mk_add_options MOZ_MAKE_FLAGS="-j4"
Comment 6 Steven Michaud [:smichaud] (Retired) 2011-12-05 12:36:43 PST
> I just found out that it fails to build in 64 bits

1.9.2 is 32-bit only (on OS X).

Here's the mozconfig I normally use to do 32-bit 1.9.2-branch builds on SnowLeopard.  On 64-bit SnowLeopard (presumably what you're running) it needs to be a cross-compile.

export CFLAGS="-g -gfull"
export CXXFLAGS="-g -gfull"
. $topsrcdir/browser/config/mozconfig
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-firefox
mk_add_options MOZ_MAKE_FLAGS=-j4
mk_add_options AUTOCONF=autoconf213
ac_add_options --disable-optimize
ac_add_options --enable-tests
ac_add_options --enable-cpp-rtti
ac_add_options --enable-logrefcnt
ac_add_options --disable-strip
ac_add_options --disable-install-strip
ac_add_options --with-macos-sdk=/Developer/SDKs/MacOSX10.5.sdk

CC="gcc-4.2 -arch i386"
CXX="g++-4.2 -arch i386"
ac_add_options --target=i386-apple-darwin8.0.0
ac_add_options --enable-macos-target=10.5
# bug 491774. crashreporter won't build in cross compile
ac_add_options --disable-crashreporter

HOST_CC="gcc-4.2"
HOST_CXX="g++-4.2"
RANLIB=ranlib
AR=ar
AS=$CC
LD=ld
STRIP="strip -x -S"
CROSS_COMPILE=1
Comment 7 Steven Michaud [:smichaud] (Retired) 2011-12-05 12:40:32 PST
> I think 1.9.2 is built so infrequently that the last one is not available anymore.

I just confirmed this :-(
Comment 8 Rafael Ávila de Espíndola (:espindola) (not reading bugmail) 2011-12-05 13:02:50 PST
NP, I was able to reproduce the bug. Trying to figure out what is going on in 1.9.2
Comment 9 Rafael Ávila de Espíndola (:espindola) (not reading bugmail) 2011-12-05 14:00:27 PST
Created attachment 579157 [details] [diff] [review]
Copy and paste the logic from nsLocalFileUnix.cpp to nsLocalFileOSX.mm

The problem was that in 1.9.2 nsLocalFileOSX.mm was not yet merged into nsLocalFileUnix.cpp.
Comment 10 Steven Michaud [:smichaud] (Retired) 2011-12-06 10:12:09 PST
Comment on attachment 579157 [details] [diff] [review]
Copy and paste the logic from nsLocalFileUnix.cpp to nsLocalFileOSX.mm

> Copy and paste the logic from nsLocalFileUnix.cpp to
> nsLocalFileOSX.mm

You copied code from nsLocalFileUnix.cpp *on the trunk* to
nsLocalFileOSX.mm *on the 1.9.2 branch*.  But shouldn't you also copy
this code to nsLocalFile::IsExecutable() in nsLocalFileUnix.cpp *on
the 1.9.2 branch*?
Comment 11 Steven Michaud [:smichaud] (Retired) 2011-12-06 10:21:10 PST
Comment on attachment 579157 [details] [diff] [review]
Copy and paste the logic from nsLocalFileUnix.cpp to nsLocalFileOSX.mm

This patch fixes this bug on OS X (testing on OS X 10.6.8 with my "simple runnable jar file" from bug 663899 - attachment 541078 [details]).

I'll see if I can manage to test a recent 1.9.2-branch nightly on Linux.
Comment 12 Steven Michaud [:smichaud] (Retired) 2011-12-06 12:49:27 PST
> I'll see if I can manage to test a recent 1.9.2-branch nightly on Linux.

I haven't been able to test on a Linux installation that has a default app for jar files (as Jar Launcher is on OS X).
Comment 13 Daniel Veditz [:dveditz] 2011-12-07 14:47:08 PST
Code-freeze for 1.9.2.25 is Friday, please make sure this is done in time to get approval to land (e.g. before we leave for the day). Time is tight, ping us in IRC for approval.
Comment 14 Steven Michaud [:smichaud] (Retired) 2011-12-08 08:47:16 PST
(Following up comment #10)

Oops, I was looking at the wrong copy of nsLocalFile::IsExecutable() in nsLocalFileUnix.cpp -- the one for BeOS and Solaris.  The one for everything else *does* already have the extension checking code.

Sorry for the confusion :-(
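
The kind of extension check in an IsExecutable() method that comments 9 to 14 discuss, sketched as an added example (it is not the attached patch and not Mozilla's code): a file whose leaf name ends in a listed extension is reported as executable regardless of its permission bits, so a caller can refuse to open it and offer saving only. The function names and the one-entry extension list are assumptions made for illustration; only ".jar" comes from this bug.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <iterator>
#include <string>
#include <unistd.h>

// Extensions reported as executable even when no exec bit is set.
// Only "jar" comes from this bug; the list itself is an assumption.
static const char* const kExecutableExts[] = {"jar"};

// Lower-cased text after the last dot of the leaf name, or "" if none.
// A dot in a parent directory ("/tmp/dir.jar/readme") must not count.
std::string LeafExtension(const std::string& path) {
  const std::string::size_type slash = path.find_last_of('/');
  const std::string leaf =
      slash == std::string::npos ? path : path.substr(slash + 1);
  const std::string::size_type dot = leaf.find_last_of('.');
  if (dot == std::string::npos) return "";
  std::string ext = leaf.substr(dot + 1);
  std::transform(ext.begin(), ext.end(), ext.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return ext;
}

bool HasExecutableExtension(const std::string& path) {
  const std::string ext = LeafExtension(path);
  return std::any_of(std::begin(kExecutableExts), std::end(kExecutableExts),
                     [&ext](const char* e) { return ext == e; });
}

// Hypothetical stand-in for an IsExecutable() method: the extension check
// runs first, so a .jar saved with mode 0644 is still reported executable.
bool IsExecutable(const std::string& path) {
  if (HasExecutableExtension(path)) return true;
  return access(path.c_str(), X_OK) == 0;
}

int main() {
  // Constructed sample paths; none of them needs to exist on disk.
  for (const char* p : {"/tmp/demo.jar", "/tmp/DEMO.JAR", "/tmp/notes.txt",
                        "/tmp/dir.jar/readme"}) {
    std::cout << p << " -> " << (IsExecutable(p) ? "save only" : "may open")
              << "\n";
  }
  return 0;
}
```

The comparison is case-insensitive and looks only at the leaf name, so "DEMO.JAR" matches while a file inside a directory named "dir.jar" does not.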
Comment 15 Alex Keybl [:akeybl] 2011-12-08 12:19:10 PST
Comment on attachment 579157 [details] [diff] [review]
Copy and paste the logic from nsLocalFileUnix.cpp to nsLocalFileOSX.mm

[Triage Comment]
Approving for 1.9.2.25.

Al - can you make sure to test this with Win/Mac and Linux? smichaud hasn't had access to a Linux setup to test. Thanks!
Comment 16 Daniel Veditz [:dveditz] 2011-12-08 12:24:45 PST
Comment on attachment 579157 [details] [diff] [review]
Copy and paste the logic from nsLocalFileUnix.cpp to nsLocalFileOSX.mm

Approved for 1.9.2.25, a=dveditz
Comment 17 Rafael Ávila de Espíndola (:espindola) (not reading bugmail) 2011-12-08 12:32:07 PST
https://tbpl.mozilla.org/?tree=Firefox3.6&rev=eefedeec832e
Comment 18 Daniel Veditz [:dveditz] 2011-12-09 14:41:45 PST
Since this is a branch-only bug it can be marked FIXED now, right?
Comment 19 Steven Michaud [:smichaud] (Retired) 2011-12-09 15:02:38 PST
> Since this is a branch-only bug it can be marked FIXED now, right?

I think so.
Comment 20 Al Billings [:abillings] 2011-12-12 13:29:12 PST
Verified with https://bugzilla.mozilla.org/attachment.cgi?id=541078 with latest 1.9.2.25pre build.

On OS X 10.7, option to open jar file is grayed out.

On Ubuntu 11.10, option to open a jar file is grayed out.

On Win XP, it just prompts you to save with no option to open.

This is all with the 12/9/2011 1.9.2 build (the latest nightly).

Verified for 1.9.2.
Comment 21 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-12-13 14:22:15 PST
Can this be marked verified? I noticed all verified* keywords were already set...
Comment 22 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-12-14 15:34:27 PST
Based on conversation with Dan on IRC we need not retest this on Firefox 9, 10, or 11.

Marking this bug VERIFIED. If this is in error and there is something left for QA to test, please let us know.
Comment 23 Al Billings [:abillings] 2011-12-14 15:45:50 PST
Checked using https://bugzilla.mozilla.org/attachment.cgi?id=541078 on OS X 10.7 with Firefox 9, Beta 6 build. The open option is grayed as expected.