oss-sec mailing list archives

IcedTea-Web insecure temporary directory use - CVE-2013-6493


From: Tomas Hoger <thoger () redhat com>
Date: Fri, 7 Feb 2014 20:45:59 +0100

Hi!

IcedTea-Web version 1.4.2, released earlier this week, fixes an issue
related to the handling of the directory that is used to store sockets for
communication between the in-browser plugin and the JVM running applets.  The
directory was usually created in /tmp, using a predictable name, and its
ownership and permissions were not checked.  This issue was reported by
Michael Scherer of Red Hat and was assigned CVE-2013-6493.

References:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958

-- 
Tomas Hoger / Red Hat Security Response Team
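
The following is an added example, not part of the original message and not IcedTea-Web's own code. It sketches one way to avoid the class of problem described above: create the socket directory with mkdtemp() so its name is unpredictable and its mode is 0700, and check ownership and permissions before using it. The "/tmp/example-plugin-" prefix and the function names are assumptions chosen for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if path is a real directory (not a symlink), owned by the
 * calling user, with no group/other permission bits set; 0 otherwise. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)          /* lstat: never follow a planted symlink */
        return 0;
    if (!S_ISDIR(st.st_mode))           /* must be a directory itself */
        return 0;
    if (st.st_uid != geteuid())         /* must belong to us, not another user */
        return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)   /* no access for anyone else */
        return 0;
    return 1;
}

/* Creates a fresh directory with an unpredictable suffix and mode 0700.
 * tmpl must end in "XXXXXX" and is rewritten in place. Returns 0 on success. */
int make_private_dir(char *tmpl)
{
    if (mkdtemp(tmpl) == NULL)          /* fails rather than reusing an existing name */
        return -1;
    if (!dir_is_private(tmpl)) {        /* verify the result before trusting it */
        rmdir(tmpl);
        return -1;
    }
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/example-plugin-XXXXXX";   /* hypothetical prefix */
    if (make_private_dir(dir) != 0) {
        perror("make_private_dir");
        return 1;
    }
    printf("socket directory: %s\n", dir);
    rmdir(dir);
    return 0;
}
```
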

