Bug#327389: java-package: traversal permissions leading to libjavaplugin_oji.so are too restrictive - fix details included

Scott Edwards cvgscote at hotmail.com
Fri Sep 9 19:16:08 UTC 2005 

Package: java-package
Version: 0.25
Severity: important

factiods gleaned from the dpkg bot on freenode regarding this topic:
http://supaplex.aros.net/freenode-dpkg-2005-09-09.txt
The system wide approach didn't seem to work.  I tried that after I got
my local copy working.  I yanked the symlink, restarted FF and tested,
and no java plugin.

supaplex at brattboy:~$ cd .mozilla/
supaplex at brattboy:~/.mozilla$ ls
appreg  firefox
supaplex at brattboy:~/.mozilla$ mkdir plugins
supaplex at brattboy:~/.mozilla$ cd plugins/
supaplex at brattboy:~/.mozilla/plugins$ ln -s
/usr/lib/mozilla-firefox/plugins/libjavaplugin_oji.so
supaplex at brattboy:~/.mozilla/plugins$ ls -l
total 0
lrwxrwxrwx  1 supaplex supaplex 53 Sep  9 12:18 libjavaplugin_oji.so ->
/usr/lib/mozilla-firefox/plugins/libjavaplugin_oji.so

new symlink reports it's bad somehow (in red)

supaplex at brattboy:~/.mozilla/plugins$ rm libjavaplugin_oji.so
supaplex at brattboy:~/.mozilla/plugins$ ls -la /usr/lib/mozilla-firefox/plugins/libjavaplugin_oji.so
lrwxrwxrwx  1 root root 60 Aug 11  2004 /usr/lib/mozilla-firefox/plugins/libjavaplugin_oji.so -> /usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so
supaplex at brattboy:~/.mozilla/plugins$ ls -la /usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so
ls: /usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so: Permission denied
supaplex at brattboy:~/.mozilla/plugins$ sudo ls -la /usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so
-rw-r--r--  1 brattboy brattboy 213660 Dec 16  2003 /usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so
supaplex at brattboy:~/.mozilla/plugins$ stat /usr/java/j2re1.4.2/plugin/i386/mozilla/
stat: cannot stat `/usr/java/j2re1.4.2/plugin/i386/mozilla/': Permission denied
supaplex at brattboy:~/.mozilla/plugins$ stat /usr/java/j2re1.4.2/plugin/i386/
stat: cannot stat `/usr/java/j2re1.4.2/plugin/i386/': Permission denied
supaplex at brattboy:~/.mozilla/plugins$ stat /usr/java/j2re1.4.2/plugin/
stat: cannot stat `/usr/java/j2re1.4.2/plugin/': Permission denied
supaplex at brattboy:~/.mozilla/plugins$ stat /usr/java/j2re1.4.2/
  File: `/usr/java/j2re1.4.2/'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 301h/769d       Inode: 4538562     Links: 7
Access: (0750/drwxr-x---)  Uid: ( 1000/brattboy)   Gid: ( 1000/brattboy)
Access: 2004-08-11 07:37:16.000000000 -0600
Modify: 2003-12-16 23:12:44.000000000 -0700
Change: 2004-08-11 07:36:36.000000000 -0600
supaplex at brattboy:~/.mozilla/plugins$ sudo chmod 755
/usr/java/j2re1.4.2/ /usr/java/j2re1.4.2/plugin/
/usr/java/j2re1.4.2/plugin/i386/
/usr/java/j2re1.4.2/plugin/i386/mozilla/
supaplex at brattboy:~/.mozilla/plugins$ ls -la
/usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so
-rw-r--r--  1 brattboy brattboy 213660 Dec 16  2003
/usr/java/j2re1.4.2/plugin/i386/mozilla/libjavaplugin_oji.so
supaplex at brattboy:~/.mozilla/plugins$ ls -la
total 8
drwxr-xr-x  2 supaplex supaplex 4096 Sep  9 12:18 .
drwxr-xr-x  4 supaplex supaplex 4096 Sep  9 12:18 ..
supaplex at brattboy:~/.mozilla/plugins$ ln -s /usr/lib/mozilla-firefox/plugins/libjavaplugin_oji.so
supaplex at brattboy:~/.mozilla/plugins$ ls -l
total 8
lrwxrwxrwx  1 supaplex supaplex   53 Sep  9 12:19 libjavaplugin_oji.so -> /usr/lib/mozilla-firefox/plugins/libjavaplugin_oji.so

Restarting FireFox here, and testing a java game works as expected.

-rw-r--r--   1 supaplex supaplex 14411078 Sep  9 11:43 j2re-1_4_2_09-linux-i586.bin
-rw-r--r--   1 supaplex supaplex 20963512 Sep  9 11:48 sun-j2re1.4_1.4.2+09_i386.deb
supaplex at brattboy:~$ md5sum j2re-1_4_2_09-linux-i586.bin
f82a38b54315bf87dcfd2efcb5091984  j2re-1_4_2_09-linux-i586.bin

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages java-package depends on:
ii  coreutils                     5.2.1-2    The GNU core utilities
ii  debhelper                     4.9.5      helper programs for debian/rules
ii  fakeroot                      1.4.3      Gives a fake root environment

java-package recommends no packages.

-- no debconf information

More information about the pkg-java-maintainers mailing list