Omair Majid discovered an information disclosure flaw in the JNLP (Java Network Launching Protocol) implementation used in IcedTea and IcedTea-web. An unsigned Java Web Start application or Java Applet could use this flaw to determine a path to the cache directory (/home/<username>/.netx/cache/) used to store downloaded jars for Web Start application or Applet by querying class's ClassLoader properties. This discloses full path to user's home directory on the local system and user's login name.
Public now via upstream release: IcedTea-Web 1.0.4 and 1.1.1 http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html IcedTea6 1.8.9 and 1.9.9 http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html Upstream commits: http://icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b29fdd0f4d04 http://icedtea.classpath.org/hg/release/icedtea-web-1.1/rev/c7ce6c0e6227
Created icedtea-web tracking bugs for this issue Affects: fedora-15 [bug 723556]
Created java-1.6.0-openjdk tracking bugs for this issue Affects: fedora-14 [bug 723557]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1100 https://rhn.redhat.com/errata/RHSA-2011-1100.html