LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

icedtea-web: multiple vulnerabilities

Package(s):icedtea-web CVE #(s):CVE-2011-2513 CVE-2011-2514
Created:July 25, 2011 Updated:August 2, 2011
Description: From the Red Hat bugzilla: [1, 2]

Omair Majid discovered an information disclosure flaw in the JNLP (Java Network Launching Protocol) implementation used in IcedTea and IcedTea-web. An unsigned Java Web Start application or Java Applet could use this flaw to determine a path to the cache directory (/home/<username>/.netx/cache/) used to store downloaded jars for Web Start application or Applet by querying class's ClassLoader properties. This discloses full path to user's home directory on the local system and user's login name.

Omair Majid discovered a flaw in the JNLP (Java Network Launching Protocol) implementation used in IcedTea-web. An unsigned Java Web Start application could use this flaw to manipulate content of the Security Warning dialog to show different file name than the one access to which was requested by the applications. This could confuse user to grant unintended access to local files.

Alerts:
Fedora FEDORA-2011-9523 2011-07-22
Scientific Linux SL-iced-20110727 2011-07-27
Ubuntu USN-1178-1 2011-07-27
Red Hat RHSA-2011:1100-01 2011-07-27
openSUSE openSUSE-SU-2011:0829-1 2011-07-25
Fedora FEDORA-2011-9541 2011-07-22
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds