Bug 68976 - mail-client/thunderbird*, net-www/mozilla-firebird*, net-www/mozilla: insecure temp files
|
Bug#:
68976
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: All
|
Status: RESOLVED
|
Severity: minor
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: vorlon@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
https://bugzilla.mozilla.org/show_bug.cgi?id=251297
|
|
Summary: mail-client/thunderbird*, net-www/mozilla-firebird*, net-www/mozilla: insecure temp files
|
|
Keywords:
|
|
Status Whiteboard: A4 [noglsa] koon
|
|
Opened: 2004-10-26 06:13 0000
|
https://bugzilla.mozilla.org/show_bug.cgi?id=251297
_____
http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt as posted on FD:
Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)
Martin (broadcast@ptraced.net)
-------------------
Program Description
-------------------
"Thunderbird, our latest email program, includes intelligent spam
filters, spell-checking, security, customization, and newsgroups
support."
www.mozilla.org
-------------------
Problem Description
-------------------
When opening an attachment, or a link included in an email, Thunderbird
prompts the user with a dialog box, giving the choice to "Save to Disk"
or to "Open with" <default program>.
For example, we receive a PDF document attached, and on the Attachments
section, we choose "Open".
broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf
While the dialog box is still open, the file permissions are OK, and the
filename is random (except for the extension).
If we choose to save it to disk, and check /tmp again:
broadcast:/tmp$ ls -l *.pdf
ls: *.pdf: No such file or directory
Great, it's gone. Now let's choose to open it with the default viewer
(in my case, xpdf).
Again, while the dialog box is open, there are no apparent problems.
broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd
But after choosing to open it with xpdf:
broadcast:/tmp$ ls -l *.pdf
-rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf
The file becomes world readable, until the user closes xpdf, or whatever
application he chose to read the attachment.
Also, the filename becomes predictable, but if the filename already
exists on /tmp, Thunderbird will choose a similar filename, and won't
work on the existing one.
This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
older/newer versions, and all of this was tested under Debian Unstable.
A copy of this advisory and future updates on this issue may be found on:
http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt
______________
reply from Dan Veditz on FD:
This was fixed Friday (bug 251297) and the fix will be in next versions of
Mozilla products.
It looks like the bug was introduced last March which would make Mozilla 1.7
and Firefox 0.9 and later vulnerable, Mozilla 1.6 and Firefox 0.8 and
earlier OK. Thunderbird has been vulnerable from version 0.6 on.
-Dan Veditz
Given the severity, that probably should wait for upstream next version...
Mozilla team, please comment.
I agree with Koon (speaking for the mozilla team unless Brad disagrees). This
doesn't warrant a special distro-patched release. We'll wait for upstream
Fixed in Mozilla 1.7.5, according to :
http://www.mozilla.org/releases/mozilla1.7.5/changelog.html
Waiting for mozilla-bin to reach 1.7.5.
mozilla-1.7.5 : "x86 ppc sparc alpha amd64 ia64"
mozilla-bin-1.7.5 : not in portage yet
mozilla-firefox-1.0 : "x86 ppc sparc alpha amd64 ia64 arm"
mozilla-firefox-bin-1.0 : ready
>=mozilla-thunderbird-0.9 : "x86 ppc sparc alpha amd64 ia64"
>=mozilla-thunderbird-bin-0.9 : "x86"
mozilla team : please provide a mozilla-bin 1.7.5
arch teams : please start to test mozilla-1.7.5, mozilla-firefox-1.0 and mozilla-thunderbird[-bin]-1.0 and mark stable accordingly.
mozilla-thunderbird-1.0 sparc stable.
mozilla-firefox-1.0 was already sparc stable.
now building, then testing mozilla-1.7.5.
mozilla-1.7.5 sparc stable, we're done.
On x86, should I mark mozilla-thunderbird 0.9 or 1.0 ?
1.0 is mostly a stabilized 0.9 release. As a Thunderbird user, I can only
recomment marking the 1.0 version. From a security point of view, these two
versions are probably identical (but changelogs are quite obscure on this). In
brief, I would say, mark thunderbird-1.0, and if you can't, mark 0.9.
mozilla-1.7.5 and thunderbird-1.0 are x86... re-add us if mozilla-bin needs to
be tested...
mozilla team: please provide a mozilla-bin-1.7.5 ebuild.
ok, 1.7.5-bin put in cvs. Marked x86 stable already.
mozilla-1.7.5 : still needs "ppc" and "ia64"
mozilla-bin-1.7.5 : ready
>=mozilla-firefox-1.0 : still needs "ppc" "ia64" and "arm"
mozilla-firefox-bin-1.0 : ready
>=mozilla-thunderbird-0.9 : still needs "ppc" and "ia64"
>=mozilla-thunderbird-bin-0.9 : ready
ppc, ia64, arm : please test and mark stable
Tested and marked mozilla-firefox-1.0 and mozilla-thunderbird-1.0 ppc stable.
If no one else gets to it, I'll test mozilla-1.7.5 tomorrow.
Please vote on GLSA need. This is a temporary disclosure of file attachment
contents. I vote NO for this one.
Closed without GLSA.
arm, ia64, remember to mark mozilla 1.7.5 stable
