Bug#267040: gcjwebplugin runs untrusted code without sandbox

Moritz Muehlenhoff jmm at inutil.org
Mon Sep 29 15:09:43 UTC 2008


On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote:
> gcjwebplugin is a Java plugin for web browsers.  It does not include the
> security manager which is a crucial part of the "sandboxing" of Java
> applets.  The maintainers have "fixed" this bug (#267040) merely by
> adding a warning prompt before running applets, which is well known to
> be an insufficient means of protecting users from malware.  Please do
> not include it in lenny.  (Unfortunately it is built from the classpath
> source package, so that will have to be modified to remove it.)

I had discussed this with Michael Koch some time ago; the version
in Lenny implements a security manager, but it's not yet clear whether
it's fully appropriate. We didn't reach a final conclusion, but I guess
the warning is sufficient for Lenny.

Cheers,
        Moritz





More information about the pkg-java-maintainers mailing list