Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak

2010-08-13 Thread Thiemo Nagel
On 07/28/2010 03:26 PM, Torsten Werner wrote:
> Yes, I agree that this bug should be fixed. May you report the bug to the upstream bug tracking system, please, because you know the details better than me?
I've submitted a bug to bugs.sun.com, but it's not (yet) visible:

2010-07-28 Thread Torsten Werner
tags 582146 + help
thanks
On Thu, May 27, 2010 at 10:56 AM, Thiemo Nagel thiemo.na...@googlemail.com wrote:
> Sure, you're right. I can think of two malicious uses: Either the font list can be used as a kind of cookie, aggregating information about the user across different web sites. Or a

2010-05-27 Thread Thiemo Nagel
On 05/26/2010 09:35 PM, Torsten Werner wrote:
> A total loss of anonymity from just a font list? Really? Isn't that a bit too far-fetched?
It's not automatic. You should be relatively safe with the default install. However if you start adding fonts manually, it seems that a few uncommon

2010-05-27 Thread Torsten Werner
Thiemo Nagel wrote:
> On 05/26/2010 09:35 PM, Torsten Werner wrote:
>> A total loss of anonymity from just a font list? Really? Isn't that a bit too far-fetched?
> It's not automatic. You should be relatively safe with the default install. However if you start adding fonts manually, it seems

2010-05-27 Thread Thiemo Nagel
Torsten Werner wrote:
> But a unique user can still be an anonymous user. Did I miss anything? Can you read my name, address, sex, birthday, ... from a font list in a magic way?
Sure, you're right. I can think of two malicious uses: Either the font list can be used as a kind of cookie,

2010-05-26 Thread Moritz Muehlenhoff
severity 582146 important
thanks
On Tue, May 18, 2010 at 07:06:31PM +0200, Thiemo Nagel wrote:
> Package: sun-java6-bin
> Version: 6.20-dlj-1
> Severity: grave
> File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so
> Tags: security
> Justification: user security hole
>
> Reporting of system

2010-05-26 Thread Torsten Werner
On Tue, May 18, 2010 at 7:06 PM, Thiemo Nagel thiemo.na...@googlemail.com wrote:
> Reporting of system fonts by browser plugins may lead to total loss of anonymity
A total loss of anonymity from just a font list? Really? Isn't that a bit too far-fetched? Did you already do some research in

2010-05-18 Thread Thiemo Nagel
Package: sun-java6-bin
Version: 6.20-dlj-1
Severity: grave
File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so
Tags: security
Justification: user security hole
Reporting of system fonts by browser plugins may lead to total loss of anonymity, especially when an uncommon combination of