Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
Moritz Muehlenhoff
jmm at inutil.org
Wed May 26 16:46:26 UTC 2010
severity 582146 important
thanks
On Tue, May 18, 2010 at 07:06:31PM +0200, Thiemo Nagel wrote:
> Package: sun-java6-bin
> Version: 6.20-dlj-1
> Severity: grave
> File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so
> Tags: security
> Justification: user security hole
>
> Reporting of system fonts by browser plugins may lead to total loss of
> anonymity, especially when an uncommon combination of fonts has been
> installed, as demonstrated by the EFF: http://panopticlick.eff.org/
> See also: http://browserspy.dk/fonts-java.php
>
> I've set severity "grave" because information leaks are considered security
> issues if I'm not mistaken, and also because it's not only a theoretical
> vulnerability, as demonstrations for exploits do exist.
While this is a privacy issue, it doesn't qualify as an RC security bug.
Cheers,
Moritz