[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: gcj and etch freeze

On Sat, Aug 19, 2006 at 01:16:54PM +0200, Jeroen van Wolffelaar wrote:
> #267040: remote code execution hole due to lack of Java security manager
> This is 'fixed' by:
> - Shows warning before loading an applet (Closes: #267040, #301134)

Not a big deal, #383704 brought my browser down before it was exposed to a
security risk, so I didn't even see the warning =)

> Which, IMHO, doesn't make this usable except in fully trusted
> environments where the browser is exclusively used to browse a fully
> trusted intranet where nobody can change web content that doens't
> already have root on your machine.
> Which is, basicly nowhere (IMHO, and barring myself misunderstanding
> something).
> The warning is talked about here:
> http://langel.wordpress.com/2006/06/05/gcjwebplugin-is-actually-worth-using/
> (thanks Michael Koch for the link)
> I personally do not think we should offer this option to users, because
> users tend to trust sites easily (and they are too often asked about
> 'trusting' too, w.r.t. https websites, for example), even though the
> wording used is strong, and the consequence is arbitrary remote code
> execution.
> Anyway, I will followup to the bug in question for discussion about this
> issue.

Completely agreed.  I even have doubts it's suitable for experimental.  Without
minimal privilege separation not even the roughest bleeding-edge users will dare
to try it, so it's basicaly of no use there.

Anyway, it's good to know there's ongoing work on this area..

Robert Millan

My spam trap is honeypot@aybabtu.com.  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.

Reply to: