Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
On 07/28/2010 03:26 PM, Torsten Werner wrote: Yes, I agree that this bug should be fixed. May you report the bug to the upstream bug tracking system, please, because you know the details better than me? I've submitted a bug to bugs.sun.com, but it's not (yet) visible: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6977029 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
tags 582146 + help thanks On Thu, May 27, 2010 at 10:56 AM, Thiemo Nagel thiemo.na...@googlemail.com wrote: Sure, you're right. I can think of two malicious uses: Either the font list can be used as a kind of cookie, aggregating information about the user across different web sites. Or a user may be tricked into installing a font with a customised name which then may be used to identify that user anywhere. Yes, I agree that this bug should be fixed. May you report the bug to the upstream bug tracking system, please, because you know the details better than me? Thanks, Torsten -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
On 05/26/2010 09:35 PM, Torsten Werner wrote: A total loss of anonymity from just a font list? Really? Isn't that a bit too far-fetched? It's not automatic. You should be relatively safe with the default install. However if you start adding fonts manually, it seems that a few uncommon fonts already provide enough entropy to make you unique among a million of visitors. (Happened to me when I tested my configuration on panopticlick.) Try for yourself. (Though at the moment panopticlick is under maintenance.) Did you already some research in upstream's bug tracker or did you file a bug report by yourself there? I've done no research upstream and only filed with Debian. Cheers, Thiemo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
Thiemo Nagel schrieb: On 05/26/2010 09:35 PM, Torsten Werner wrote: A total loss of anonymity from just a font list? Really? Isn't that a bit too far-fetched? It's not automatic. You should be relatively safe with the default install. However if you start adding fonts manually, it seems that a few uncommon fonts already provide enough entropy to make you unique among a million of visitors. But a unique user can still be an anonymous user. Did I miss anything? Can you read my name, address, sex, birthday, ... from a font list in a magic way? Torsten -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
Torsten Werner wrote: But a unique user can still be an anonymous user. Did I miss anything? Can you read my name, address, sex, birthday, ... from a font list in a magic way? Sure, you're right. I can think of two malicious uses: Either the font list can be used as a kind of cookie, aggregating information about the user across different web sites. Or a user may be tricked into installing a font with a customised name which then may be used to identify that user anywhere. Cheers, Thiemo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
severity 582146 important thanks On Tue, May 18, 2010 at 07:06:31PM +0200, Thiemo Nagel wrote: Package: sun-java6-bin Version: 6.20-dlj-1 Severity: grave File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so Tags: security Justification: user security hole Reporting of system fonts by browser plugins may lead to total loss of anonymity, especially when an uncommon combination of fonts has been installed, as demonstrated by the EFF: http://panopticlick.eff.org/ See also: http://browserspy.dk/fonts-java.php I've set severity grave because information leaks are considered security issues if I'm not mistaken, and also because it's not only a theoretical vulnerability, as demonstrations for exploits do exist. While this is a privacy issue, it doesn't qualify as a RC security bug. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
On Tue, May 18, 2010 at 7:06 PM, Thiemo Nagel thiemo.na...@googlemail.com wrote: Reporting of system fonts by browser plugins may lead to total loss of anonymity A total loss of anonymity from just a font list? Really? Isn't that a bit too far-fetched? Did you already some research in upstream's bug tracker or did you file a bug report by yourself there? Please add a reference if so. Thanks, Torsten -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
Package: sun-java6-bin Version: 6.20-dlj-1 Severity: grave File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so Tags: security Justification: user security hole Reporting of system fonts by browser plugins may lead to total loss of anonymity, especially when an uncommon combination of fonts has been installed, as demonstrated by the EFF: http://panopticlick.eff.org/ See also: http://browserspy.dk/fonts-java.php I've set severity grave because information leaks are considered security issues if I'm not mistaken, and also because it's not only a theoretical vulnerability, as demonstrations for exploits do exist. Cheers! Thiemo Nagel -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (990, 'testing'), (500, 'proposed-updates'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (500, 'stable'), (300, 'unstable'), (150, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages sun-java6-bin depends on: ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib ii sun-java6-jre 6.20-dlj-1 Sun Java(TM) Runtime Environment ( ii unixodbc 2.2.11-21 ODBC tools libraries Versions of packages sun-java6-bin recommends: ii libasound21.0.22-2 shared library for ALSA applicatio ii libnss-mdns 0.10-3.1 NSS module for Multicast DNS name ii libx11-6 2:1.3.3-3 X11 client-side library ii libxext6 2:1.1.1-3 X11 miscellaneous extension librar ii libxi62:1.3-4X11 Input extension library ii libxtst6 2:1.1.0-2 X11 Testing -- Resource extension Versions of packages sun-java6-bin suggests: ii binfmt-support1.2.18 Support for extra binary formats -- debconf information: * shared/accepted-sun-dlj-v1-1: true shared/error-sun-dlj-v1-1: * shared/present-sun-dlj-v1-1: -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org