IcedTea-Web insecure temporary directory use

2014.02.08
Credit: Tomas Hoger
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi! IcedTea-Web version 1.4.2 released earlier this week fixes an issue related to handling of the directory that is used to store sockets for communication between in browser plugin, and JVM running applets. The directory was usually created in /tmp, using predictable name, and its ownership and permissions were not checked. This issue was reported by Michael Scherer of Red Hat and was assigned CVE-2013-6493. References: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663 https://bugzilla.redhat.com/show_bug.cgi?id=1010958 -- Tomas Hoger / Red Hat Security Response Team

References:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top