Bug#696890: icedtea-netx: Unable to create locks directory (/tmp/rbrito/netx/locks)

2019-03-17 Thread Emmanuel Bourg
Control: tags -1 + wontfix
Control: close -1

The plugin is no longer built since 1.7.1-1.

Emmanuel Bourg



Bug#696890: icedtea-netx: Unable to create locks directory (/tmp/rbrito/netx/locks)

2012-12-28 Thread Rogério Brito
Package: icedtea-netx
Version: 1.3.1-1
Severity: important

Hi there.

First of all, I am not sure if this is indeed a bug with icedtea-netx or
with the application that is being run remotely trying to create a log (I
know next to nothing about Java).

I was trying to access my bank and it was not able to run a Java
Applet, spitting out a bunch of stack traces, with the important part having:
icedtea-netx: Unable to create locks directory (/tmp/rbrito/netx/locks) in
it.

While I know next to nothing about Java, what I do know is that:

1. Indeed, I do have a *file* that I myself created in /tmp/ called rbrito
   (after moving some e-mails there), which is the totally probable reason
   for not creating any directory tree rooted at /tmp/rbrito.

2. A program that tries to use a static, well-known, non-randomized,
   *public* directory for temporary files (like locks) is very prone
   to Denial-of-Service attacks.

   Worst of all, it may not even be the user that created something in a
   public directory and they would be at the mercy of other users/programs
   being run in a multi-user machine.

So, if this is not a problem with the applet that the bank is trying to run,
this bug is indeed a deeper thing and its severity should be raised to being
RC (e.g., grave or critical, according to the description of the bug
levels).

This was reproducible when trying to run the detection applet at:

https://www.java.com/pt_BR/download/installed.jsp?detect=jre

which is what made me file the bug here first. Then, once deleting
/tmp/rbrito, I fired up the browser (iceweasel) and the page above was
launched and I had:

,[ ls -l /tmp/rbrito/netx/locks/ ]
| total 0
| -rw--- 1 rbrito rbrito 0 Dec 28 20:30 netx_running
`

Please, advise as to how I should proceed.


Thanks,

Rogério Brito.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=pt_BR.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages icedtea-netx depends on:
ii  icedtea-netx-common  1.3.1-1
ii  openjdk-6-jre        6b24-1.11.5-1

icedtea-netx recommends no packages.

icedtea-netx suggests no packages.

-- no debconf information

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFC
http://rb.doesntexist.org/blog : Projects : https://github.com/rbrito/
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
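The failure mode raised in point 2 of the report, and one way a program can avoid it, as an added example that is not part of the original thread and is not IcedTea-Web code. The function names `private_root` and `netx_lock_dir` are hypothetical; only the `<user>/netx/locks` layout comes from the report.

```python
import os
import stat
import tempfile


def private_root(parent, name):
    """Return a directory under `parent` that only the current user controls."""
    path = os.path.join(parent, name)
    try:
        # mkdir is atomic: it fails if *anything* already occupies the name.
        os.mkdir(path, 0o700)
        return path
    except FileExistsError:
        pass
    # lstat, not stat: a symlink planted at the path must not be followed.
    st = os.lstat(path)
    if (stat.S_ISDIR(st.st_mode) and st.st_uid == os.geteuid()
            and not st.st_mode & 0o077):
        return path  # our own private directory left by an earlier run
    # The predictable name is taken by a file, a symlink, another user's
    # directory or a directory others can write to. Do not fail and do not
    # trust it: fall back to an unpredictable name (mkdtemp creates it 0700).
    return tempfile.mkdtemp(prefix=name + "-", dir=parent)


def netx_lock_dir(parent, user):
    """Create <private root>/netx/locks, the layout shown in the report."""
    locks = os.path.join(private_root(parent, user), "netx", "locks")
    # Everything below the root inherits its protection from the 0700 root.
    os.makedirs(locks, mode=0o700, exist_ok=True)
    return locks


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for the shared /tmp.
    shared = tempfile.mkdtemp()
    open(os.path.join(shared, "rbrito"), "w").close()  # the stray file
    print(netx_lock_dir(shared, "rbrito"))  # still succeeds, under rbrito-XXXX
```

On systems that provide a per-user runtime directory in `XDG_RUNTIME_DIR`, passing that as `parent` avoids the shared directory altogether.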

