Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak

Thiemo Nagel thiemo.nagel at googlemail.com
Tue May 18 17:06:31 UTC 2010


Package: sun-java6-bin
Version: 6.20-dlj-1
Severity: grave
File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so
Tags: security
Justification: user security hole

Reporting of system fonts by browser plugins may lead to total loss of
anonymity, especially when an uncommon combination of fonts has been
installed, as demonstrated by the EFF: http://panopticlick.eff.org/
See also: http://browserspy.dk/fonts-java.php

I've set severity "grave" because information leaks are considered security
issues if I'm not mistaken, and also because it's not only a theoretical
vulnerability, as demonstrations of exploits do exist.

Cheers!

Thiemo Nagel

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'proposed-updates'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (500, 'stable'), (300, 'unstable'), (150, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sun-java6-bin depends on:
ii  debconf [debconf-2.0]         1.5.32     Debian configuration management sy
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
ii  sun-java6-jre                 6.20-dlj-1 Sun Java(TM) Runtime Environment (
ii  unixodbc                      2.2.11-21  ODBC tools libraries

Versions of packages sun-java6-bin recommends:
ii  libasound2                    1.0.22-2   shared library for ALSA applicatio
ii  libnss-mdns                   0.10-3.1   NSS module for Multicast DNS name 
ii  libx11-6                      2:1.3.3-3  X11 client-side library
ii  libxext6                      2:1.1.1-3  X11 miscellaneous extension librar
ii  libxi6                        2:1.3-4    X11 Input extension library
ii  libxtst6                      2:1.1.0-2  X11 Testing -- Resource extension 

Versions of packages sun-java6-bin suggests:
ii  binfmt-support                1.2.18     Support for extra binary formats

-- debconf information:
* shared/accepted-sun-dlj-v1-1: true
  shared/error-sun-dlj-v1-1:
* shared/present-sun-dlj-v1-1:
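An added example, not part of the bug report or of the Java plugin: a small Python model of why an uncommon font combination matters, measuring how many bits a reported font list reveals against a constructed population (the Panopticlick-style surprisal and entropy). The population, the font names and the baseline-masking mitigation are all assumptions of this example.

```python
import math
from collections import Counter

# Constructed sample population of per-user font lists, standing in for what a
# plugin would enumerate on each visitor's machine. Made-up values, not data.
POPULATION = [
    ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono"],  # stock install
    ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono"],
    ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono"],
    ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono"],
    ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono", "Liberation Sans"],
    ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono", "Liberation Sans"],
    ["DejaVu Sans", "DejaVu Serif", "Liberation Mono", "Ubuntu"],
    ["DejaVu Sans", "Comic Neue", "Cantarell", "Source Code Pro"],  # rare combo
]

def fingerprint(fonts):
    """Canonical form: order and duplicates must not change the identity."""
    return tuple(sorted(set(fonts)))

def anonymity_set_size(fonts, population=POPULATION):
    """How many users in the population share exactly this font set."""
    fp = fingerprint(fonts)
    return sum(1 for user in population if fingerprint(user) == fp)

def identifying_bits(fonts, population=POPULATION):
    """Surprisal -log2(P(fingerprint)): bits the font list reveals about a user."""
    return math.log2(len(population) / anonymity_set_size(fonts, population))

def fingerprint_entropy(population=POPULATION):
    """Shannon entropy of the whole fingerprint distribution (Panopticlick-style)."""
    counts = Counter(fingerprint(user) for user in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Mitigation sketch (an assumption of this example, not a feature of the
# plugin): only ever report the intersection with a fixed baseline font set.
BASELINE = ["DejaVu Sans", "DejaVu Serif", "DejaVu Sans Mono"]

def masked_population(population=POPULATION, baseline=BASELINE):
    """Apply the baseline mask to every user; rare extras are no longer exposed."""
    allowed = set(baseline)
    return [[f for f in user if f in allowed] for user in population]

if __name__ == "__main__":
    for user in POPULATION:
        print(f"{identifying_bits(user):.2f} bits, anonymity set "
              f"{anonymity_set_size(user)}: {user}")
    print(f"entropy raw={fingerprint_entropy():.2f} "
          f"masked={fingerprint_entropy(masked_population()):.2f}")
```

The user with the rare combination is unique in the sample (anonymity set of 1), while the stock install shares its fingerprint with half the population; masking lowers the overall entropy of what can be observed.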
