Various classes in the Java Runtime standard library created temporary files with insecure permissions. Depending on the current umask setting, temporary files could have been created with permissions allowing access by other group members or all system users. Local attackers could use this flaw to gain access to possibly sensitive content of the temporary files.
Public now via: http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html Fixed in Oracle Java 7 Update 5 and 6 Update 33.
The fix for this issue is or will be included in the following IcedTea versions: * IcedTea6 1.10.8 * IcedTea6 1.11.3 * IcedTea7 2.1.1 * IcedTea7 2.2.1 IcedTea6 releases announcement: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019076.html http://blog.fuseyism.com/index.php/2012/06/12/security-icedtea6-1-10-8-1-11-3-released/ Patch: http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/6e6d7783aabb/patches/security/20120612/7143606.patch http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/jdk/rev/98a24555076b
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0730 https://rhn.redhat.com/errata/RHSA-2012-0730.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0729 https://rhn.redhat.com/errata/RHSA-2012-0729.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2012:0734 https://rhn.redhat.com/errata/RHSA-2012-0734.html
According to Secunia SA49472, this is the issue for which Andrei Costin is credited in Oracle CPU: http://secunia.com/advisories/49472 14) An error in the printing functionality due to creating temporary spool files with insecure permissions can be exploited to disclose the contents of printed documents owned by other users. ... Provided and/or discovered by 14) Andrei Costin via Secunia.
IcedTea7 releases announcement: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019094.html http://blog.fuseyism.com/index.php/2012/06/13/security-icedtea-2-1-1-2-2-1-released/
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:1019 https://rhn.redhat.com/errata/RHSA-2012-1019.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1009 https://rhn.redhat.com/errata/RHSA-2012-1009.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:1238 https://rhn.redhat.com/errata/RHSA-2012-1238.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2012:1243 https://rhn.redhat.com/errata/RHSA-2012-1243.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2012:1245 https://rhn.redhat.com/errata/RHSA-2012-1245.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html
This issue has been addressed in following products: RHEL 5 for SAP RHEL 6 for SAP Via RHSA-2012:1332 https://rhn.redhat.com/errata/RHSA-2012-1332.html
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.5 Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html