Bug#267040: gcjwebplugin runs untrusted code without sandbox
Robert Millan
rmh at aybabtu.com
Wed Sep 10 15:31:40 UTC 2008
On Tue, Sep 09, 2008 at 11:11:45PM +0100, Ben Hutchings wrote:
> It's not arbitrary. As it stands, this package is a security hole
> just waiting to be exploited if it gets released.
I take it "gdebi" (or whatever it's called) is also a security hole then? It
installs untrusted data when the user has approved it!
You can even visit a website, click on a .deb file, and upon your confirmation
untrusted code is executed with root perms. Clearly we should do something
to prevent that.
Also, lots of websites strongly encourage you to install Adobe Flash. They
point you to a website, giving you an unsigned binary, and upon your approval
your system ends up executing it. Clearly we should do something to prevent
that.
Fix your double standards.
--
Robert Millan
The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
how) you may access your data; but nobody's threatening your freedom: we
still allow you to remove your data and not access it at all."
More information about the pkg-java-maintainers
mailing list