openjdk team mailing list archive

Bug#696890: icedtea-netx: Unable to create locks directory (/tmp/rbrito/netx/locks)

 

Package: icedtea-netx
Version: 1.3.1-1
Severity: important

Hi there.

First of all, I am not sure if this is indeed a bug with icedtea-netx or
with the application that is being run remotely trying to create a log (I
know next to nothing about Java).

I was trying to access my bank and it was not able to run a Java
Applet, spitting out a bunch of stack traces, but the important part having:
"icedtea-netx: Unable to create locks directory (/tmp/rbrito/netx/locks)" in
it.

While I know next to nothing about Java, what I do know is that:

1. Indeed, I do have a *file* that I myself created in /tmp/ called rbrito
   (after moving some e-mails there), which is the totally probable reason
   for not creating any directory tree rooted at /tmp/rbrito.

2. A program that tries to use a static, well-known, non-randomized,
   *public* directory for temporary files (like locks) is very prone
   to Denial-of-Service attacks.

   Worst of all, it may not even be the user that created something in a
   public directory and they would be at the mercy of other users/programs
   being run in a multi-user machine.

So, if this is not a problem with the applet that the bank is trying to run,
this bug is indeed a deeper thing and its severity should be raised to being
RC (e.g., grave or critical, according to the description of the bug
levels).

This was reproducible when trying to run the detection applet at:

    https://www.java.com/pt_BR/download/installed.jsp?detect=jre

which is what made me file the bug here first. Then, after deleting
/tmp/rbrito, I fired up the browser (iceweasel) and the page above was
launched and I had:

,----[ ls -l /tmp/rbrito/netx/locks/ ]
| total 0
| -rw------- 1 rbrito rbrito 0 Dec 28 20:30 netx_running
`----

Please, advise as to how I should proceed.


Thanks,

Rogério Brito.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=pt_BR.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages icedtea-netx depends on:
ii  icedtea-netx-common  1.3.1-1
ii  openjdk-6-jre        6b24-1.11.5-1

icedtea-netx recommends no packages.

icedtea-netx suggests no packages.

-- no debconf information

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://rb.doesntexist.org/blog : Projects : https://github.com/rbrito/
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
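
The failure reported above, replayed as an added example that is not part of the original report and is not icedtea-netx code: a lock directory is built one component at a time under a shared root, and each component is checked for type, owner and permissions, so a stray entry such as the file at /tmp/rbrito is named explicitly. The names `ensure_lock_dir`, `UnsafeLockPath` and `demo` are hypothetical, and the scratch directories are constructed stand-ins for /tmp and for a directory only the user can write.

```python
import os
import stat
import tempfile


class UnsafeLockPath(Exception):
    """A component of the lock path exists but cannot be trusted."""


def ensure_lock_dir(root, *parts):
    """Create root/parts... one component at a time and vet each one.

    Each component must be a real directory (not a file or symlink), owned
    by the current user and not writable by group or others.
    """
    path = root
    for part in parts:
        path = os.path.join(path, part)
        try:
            os.mkdir(path, 0o700)
        except FileExistsError:
            pass  # ours from an earlier run, or an entry someone else made
        st = os.lstat(path)  # lstat so a symlink is seen as a symlink
        if not stat.S_ISDIR(st.st_mode):
            raise UnsafeLockPath(f"{path} exists but is not a directory")
        if st.st_uid != os.geteuid():
            raise UnsafeLockPath(f"{path} is owned by uid {st.st_uid}")
        if st.st_mode & 0o022:
            raise UnsafeLockPath(f"{path} is writable by group or others")
    return path


def demo():
    """Replay the report in scratch directories (constructed sample data)."""
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        # "shared" stands in for /tmp, "private" for a per-user directory
        open(os.path.join(shared, "rbrito"), "w").close()  # the stray file
        try:
            ensure_lock_dir(shared, "rbrito", "netx", "locks")
            reason = None
        except UnsafeLockPath as exc:
            reason = str(exc)
        # Same layout under a root that only the user can write succeeds
        locks = ensure_lock_dir(private, "netx", "locks")
        return reason, os.path.isdir(locks), stat.S_IMODE(os.lstat(locks).st_mode)


if __name__ == "__main__":
    print(demo())
```

Because locks must be found again by later runs of the same user, the alternative root here is a fixed per-user location rather than a randomized name.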