Bug#267040: gcjwebplugin runs untrusted code without sandbox

Robert Millan rmh at aybabtu.com
Mon Sep 8 18:15:33 UTC 2008


[ sorry for the duplicate, my first reply didn't get to -release ]

On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote:
> gcjwebplugin is a Java plugin for web browsers.  It does not include the
> security manager which is a crucial part of the "sandboxing" of Java
> applets.  The maintainers have "fixed" this bug (#267040) merely by
> adding a warning prompt before running applets, which is well known to
> be an insufficient means of protecting users from malware.  Please do
> not include it in lenny.  (Unfortunately it is built from the classpath
> source package, so that will have to be modified to remove it.)

How is this different from the multitude of interfaces in the system in
which data is assumed to be trusted?

If you want a similar example, Iceweasel will process certain websites after
warning the user that special privileges were requested, and asking for
confirmation.

There's a huge number of users who don't care about security, but do care
a lot about certain websites working.

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."





More information about the pkg-java-maintainers mailing list