68976 2004-10-26 06:13 0000 mail-client/thunderbird*, net-www/mozilla-firebird*, net-www/mozilla: insecure temp files 2005-08-15 21:59:38 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED https://bugzilla.mozilla.org/show_bug.cgi?id=251297 A4 [noglsa] koon P2 minor --- 1 vorlon@gentoo.org security@gentoo.org mozilla@gentoo.org vorlon@gentoo.org 2004-10-26 06:13:05 0000 https://bugzilla.mozilla.org/show_bug.cgi?id=251297 _____ http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt as posted on FD: Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local) Martin (broadcast@ptraced.net) ------------------- Program Description ------------------- "Thunderbird, our latest email program, includes intelligent spam filters, spell-checking, security, customization, and newsgroups support." www.mozilla.org ------------------- Problem Description ------------------- When opening an attachment, or a link included in an email, Thunderbird prompts the user with a dialog box, giving the choice to "Save to Disk" or to "Open with" <default program>. For example, we receive a PDF document attached, and on the Attachments section, we choose "Open". broadcast:/tmp$ ls -l *.pdf -rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf While the dialog box is still open, the file permissions are OK, and the filename is random (except for the extension). If we choose to save it to disk, and check /tmp again: broadcast:/tmp$ ls -l *.pdf ls: *.pdf: No such file or directory Great, it's gone. Now let's choose to open it with the default viewer (in my case, xpdf). Again, while the dialog box is open, there are no apparent problems. broadcast:/tmp$ ls -l *.pdf -rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd But after choosing to open it with xpdf: broadcast:/tmp$ ls -l *.pdf -rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf The file becomes world readable, until the user closes xpdf, or whatever application he chose to read the attachment. Also, the filename becomes predictable, but if the filename already exists on /tmp, Thunderbird will choose a similar filename, and won't work on the existing one. This exact issue affects Mozilla Firefox 0.9.3. I haven't tested older/newer versions, and all of this was tested under Debian Unstable. A copy of this advisory and future updates on this issue may be found on: http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt ______________ reply from Dan Veditz on FD: This was fixed Friday (bug 251297) and the fix will be in next versions of Mozilla products. It looks like the bug was introduced last March which would make Mozilla 1.7 and Firefox 0.9 and later vulnerable, Mozilla 1.6 and Firefox 0.8 and earlier OK. Thunderbird has been vulnerable from version 0.6 on. -Dan Veditz vorlon@gentoo.org 2004-10-26 06:19:51 0000 for reference: http://secunia.com/advisories/12956/ http://securitytracker.com/alerts/2004/Oct/1011916.html http://securitytracker.com/alerts/2004/Oct/1011915.html ___ mozilla team, pls update/patch where appropriate koon@gentoo.org 2004-10-26 09:20:25 0000 Given the severity, that probably should wait for upstream next version... Mozilla team, please comment. agriffis@gentoo.org 2004-10-26 15:54:06 0000 I agree with Koon (speaking for the mozilla team unless Brad disagrees). This doesn't warrant a special distro-patched release. We'll wait for upstream koon@gentoo.org 2004-11-10 05:40:45 0000 Looks like it's fixed in Firefox 1.0, Thunderbird 0.9... even if http://www.mozilla.org/projects/security/known-vulnerabilities.html is not up to date. Dunno about a fixed version in Mozilla though. koon@gentoo.org 2004-11-23 07:58:10 0000 Firefox is fixed in version 1.0, according to http://www.squarefree.com/burningedge/releases/1.0.html koon@gentoo.org 2004-12-20 02:52:02 0000 Fixed in Mozilla 1.7.5, according to : http://www.mozilla.org/releases/mozilla1.7.5/changelog.html Waiting for mozilla-bin to reach 1.7.5. mozilla-1.7.5 : "x86 ppc sparc alpha amd64 ia64" mozilla-bin-1.7.5 : not in portage yet mozilla-firefox-1.0 : "x86 ppc sparc alpha amd64 ia64 arm" mozilla-firefox-bin-1.0 : ready >=mozilla-thunderbird-0.9 : "x86 ppc sparc alpha amd64 ia64" >=mozilla-thunderbird-bin-0.9 : "x86" koon@gentoo.org 2004-12-20 06:20:26 0000 mozilla team : please provide a mozilla-bin 1.7.5 arch teams : please start to test mozilla-1.7.5, mozilla-firefox-1.0 and mozilla-thunderbird[-bin]-1.0 and mark stable accordingly. gustavoz@gentoo.org 2004-12-20 07:02:04 0000 mozilla-thunderbird-1.0 sparc stable. mozilla-firefox-1.0 was already sparc stable. now building, then testing mozilla-1.7.5. absinthe@gentoo.org 2004-12-20 07:19:19 0000 amd64 done. gustavoz@gentoo.org 2004-12-20 12:19:07 0000 mozilla-1.7.5 sparc stable, we're done. tester@gentoo.org 2004-12-20 13:11:07 0000 On x86, should I mark mozilla-thunderbird 0.9 or 1.0 ? koon@gentoo.org 2004-12-20 13:19:11 0000 1.0 is mostly a stabilized 0.9 release. As a Thunderbird user, I can only recomment marking the 1.0 version. From a security point of view, these two versions are probably identical (but changelogs are quite obscure on this). In brief, I would say, mark thunderbird-1.0, and if you can't, mark 0.9. tester@gentoo.org 2004-12-21 01:06:11 0000 mozilla-1.7.5 and thunderbird-1.0 are x86... re-add us if mozilla-bin needs to be tested... kloeri@gentoo.org 2004-12-21 03:54:58 0000 Alpha stable. koon@gentoo.org 2004-12-28 12:38:38 0000 mozilla team: please provide a mozilla-bin-1.7.5 ebuild. chriswhite@gentoo.org 2004-12-28 13:41:33 0000 ok, 1.7.5-bin put in cvs. Marked x86 stable already. koon@gentoo.org 2004-12-29 00:35:40 0000 mozilla-1.7.5 : still needs "ppc" and "ia64" mozilla-bin-1.7.5 : ready >=mozilla-firefox-1.0 : still needs "ppc" "ia64" and "arm" mozilla-firefox-bin-1.0 : ready >=mozilla-thunderbird-0.9 : still needs "ppc" and "ia64" >=mozilla-thunderbird-bin-0.9 : ready ppc, ia64, arm : please test and mark stable josejx@gentoo.org 2004-12-29 04:21:56 0000 Tested and marked mozilla-firefox-1.0 and mozilla-thunderbird-1.0 ppc stable. If no one else gets to it, I'll test mozilla-1.7.5 tomorrow. koon@gentoo.org 2005-01-01 10:58:27 0000 Please vote on GLSA need. This is a temporary disclosure of file attachment contents. I vote NO for this one. jaervosz@gentoo.org 2005-01-01 14:35:27 0000 I vote NO as well. koon@gentoo.org 2005-01-02 10:36:39 0000 Closed without GLSA. arm, ia64, remember to mark mozilla 1.7.5 stable koon@gentoo.org 2005-01-05 01:12:33 0000 GLSA 200501-03