Bug#267040: gcjwebplugin runs untrusted code without sandbox

Osamu Aoki osamu at debian.org
Wed Sep 10 15:57:58 UTC 2008


Hi,

On Tue, Sep 09, 2008 at 11:11:45PM +0100, Ben Hutchings wrote:
> On Tue, Sep 09, 2008 at 03:12:54PM +0200, Robert Millan wrote:
...
> When a user navigates to a web page, they want to see that page.  Any
> prompts on the way tend to be interpreted as "do you want to see this
> web page or not?", to which the answer is "yes of course".  If the
> question is really "do you want to trust this web site with full control
> over your account?" then it's leading the user into a trap.  This is why
> the major browsers now use an information bar to notify the user that
> some potentially insecure feature is not active and can be manually
> activated, rather than forcing the user to make a decision before the
> page will appear.
> 
> If the plugin was changed to use the information bar and provide a
> whitelisting mechanism for trusted sites, I think that would satisfy
> the requirement for an explicit choice by the user.  But it still
> wouldn't be nearly as good as a proper sandbox.
> 
> > > They can use the Sun Java plugin.
> > 
> > I can't believe you're actually arguing that the solution against blindly
> > trusting a website is blindly trusting a binary blob.
> 
> I would rather use a secure free plugin than a secure non-free plugin,
> but apparently that doesn't exist.  Since the choice is between a secure
> non-free plugin and an insecure free plugin, then I'm afraid I'd go for
> the former because I trust Sun much more than I trust many of the web
> sites I visit.  I'd be very surprised if you can honestly say the
> opposite.

That is your choice.
 
> > Here's my advice: If you don't like gcjwebplugin, don't use it.  If you like
> > binary blobs, go use them.  If you don't care about Java, don't use either.
> 
> As it happens, I have no need for Java applets; Flash seems to have
> taken their place.  (And yes I know there's a similar problem there,
> though AFAIK the free implementations are sufficiently sandboxed.)
> 
> > Just don't impose your view on everyone else by requesting arbitrary removal
> > of a package.
>  
> It's not arbitrary.  As it stands, this package is a security hole
> just waiting to be exploited if it gets released.
> 
> Ben.

I only hear criticism of others' actions but no concrete alternative
proposal (like a good patch) from Ben.

You can easily criticise shortcomings and propose to kick those
packages out, but unless your proposal improves the situation, I see no gain
for Debian and no one will agree.

I have successfully removed one of the old FREE flash packages from our
archive for lenny, but that was because there was better FREE
software available (not the Adobe one as the reason for removal).

Please take a balanced view on these.

Osamu