Re: gcj and etch freeze
On Sat, Aug 19, 2006 at 02:59:28AM -0700, Steve Langasek wrote:
> On Sat, Aug 19, 2006 at 11:42:03AM +0200, Robert Millan wrote:
> > > Last I knew, it still had
> > > serious security problems.
>
> > Which ones? I can't see anything in the BTS.
>
> I wouldn't know them by bug number; previously though, the problem was that
> gcjwebplugin didn't have appropriate sandboxing.
#267040: remote code execution hole due to lack of Java security manager
This is 'fixed' by:
- Shows warning before loading an applet (Closes: #267040, #301134)
Which, IMHO, doesn't make this usable except in fully trusted
environments where the browser is exclusively used to browse a fully
trusted intranet where nobody can change web content that doens't
already have root on your machine.
Which is, basicly nowhere (IMHO, and barring myself misunderstanding
something).
The warning is talked about here:
http://langel.wordpress.com/2006/06/05/gcjwebplugin-is-actually-worth-using/
(thanks Michael Koch for the link)
I personally do not think we should offer this option to users, because
users tend to trust sites easily (and they are too often asked about
'trusting' too, w.r.t. https websites, for example), even though the
wording used is strong, and the consequence is arbitrary remote code
execution.
Anyway, I will followup to the bug in question for discussion about this
issue.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
Reply to: