Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68976 - mail-client/thunderbird*, net-www/mozilla-firebird*, net-www/mozilla: insecure temp files
Summary: mail-client/thunderbird*, net-www/mozilla-firebird*, net-www/mozilla: insecur...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: A4 [noglsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-26 06:13 UTC by Matthias Geerdsen (RETIRED)
Modified: 2005-08-15 21:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-26 06:13:05 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=251297
_____
http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt as posted on FD:


Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)

Martin (broadcast@ptraced.net)

-------------------
Program Description
-------------------

"Thunderbird, our latest email program, includes intelligent spam 
filters, spell-checking, security, customization, and newsgroups 
support."

www.mozilla.org

-------------------
Problem Description
-------------------

When opening an attachment, or a link included in an email, Thunderbird 
prompts the user with a dialog box, giving the choice to "Save to Disk" 
or to "Open with" <default program>.

For example, we receive a PDF document attached, and on the Attachments 
section, we choose "Open". 

broadcast:/tmp$ ls -l *.pdf
-rw-------  1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf

While the dialog box is still open, the file permissions are OK, and the 
filename is random (except for the extension). 
If we choose to save it to disk, and check /tmp again:

broadcast:/tmp$ ls -l *.pdf
ls: *.pdf: No such file or directory

Great, it's gone. Now let's choose to open it with the default viewer 
(in my case, xpdf).
Again, while the dialog box is open, there are no apparent problems.

broadcast:/tmp$ ls -l *.pdf
-rw-------  1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd

But after choosing to open it with xpdf:

broadcast:/tmp$ ls -l *.pdf
-rw-r--r--  1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf

The file becomes world readable, until the user closes xpdf, or whatever 
application he chose to read the attachment.
Also, the filename becomes predictable, but if the filename already 
exists on /tmp, Thunderbird will choose a similar filename, and won't 
work on the existing one.

This exact issue affects Mozilla Firefox 0.9.3. I haven't tested 
older/newer versions, and all of this was tested under Debian Unstable.

A copy of this advisory and future updates on this issue may be found on:
http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt

______________
reply from Dan Veditz on FD:

This was fixed Friday (bug 251297) and the fix will be in next versions of
Mozilla products.

It looks like the bug was introduced last March which would make Mozilla 1.7
and Firefox 0.9 and later vulnerable, Mozilla 1.6 and Firefox 0.8 and
earlier OK. Thunderbird has been vulnerable from version 0.6 on.

-Dan Veditz
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-26 06:19:51 UTC
for reference:

http://secunia.com/advisories/12956/
http://securitytracker.com/alerts/2004/Oct/1011916.html
http://securitytracker.com/alerts/2004/Oct/1011915.html

___

mozilla team, pls update/patch where appropriate
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 09:20:25 UTC
Given the severity, that probably should wait for upstream next version...
Mozilla team, please comment.
Comment 3 Aron Griffis (RETIRED) gentoo-dev 2004-10-26 15:54:06 UTC
I agree with Koon (speaking for the mozilla team unless Brad disagrees).  This doesn't warrant a special distro-patched release.  We'll wait for upstream
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-11-10 05:40:45 UTC
Looks like it's fixed in Firefox 1.0, Thunderbird 0.9... even if http://www.mozilla.org/projects/security/known-vulnerabilities.html is not up to date. Dunno about a fixed version in Mozilla though.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-23 07:58:10 UTC
Firefox is fixed in version 1.0, according to http://www.squarefree.com/burningedge/releases/1.0.html
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 02:52:02 UTC
Fixed in Mozilla 1.7.5, according to :
http://www.mozilla.org/releases/mozilla1.7.5/changelog.html

Waiting for mozilla-bin to reach 1.7.5.

mozilla-1.7.5 : "x86 ppc sparc alpha amd64 ia64"
mozilla-bin-1.7.5 : not in portage yet
mozilla-firefox-1.0 : "x86 ppc sparc alpha amd64 ia64 arm"
mozilla-firefox-bin-1.0 : ready
>=mozilla-thunderbird-0.9 : "x86 ppc sparc alpha amd64 ia64"
>=mozilla-thunderbird-bin-0.9 : "x86"
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 06:20:26 UTC
mozilla team : please provide a mozilla-bin 1.7.5

arch teams : please start to test mozilla-1.7.5, mozilla-firefox-1.0 and mozilla-thunderbird[-bin]-1.0 and mark stable accordingly.

Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-20 07:02:04 UTC
mozilla-thunderbird-1.0 sparc stable.
mozilla-firefox-1.0 was already sparc stable.
now building, then testing mozilla-1.7.5.
Comment 9 Dylan Carlson (RETIRED) gentoo-dev 2004-12-20 07:19:19 UTC
amd64 done.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-20 12:19:07 UTC
mozilla-1.7.5 sparc stable, we're done.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2004-12-20 13:11:07 UTC
On x86, should I mark mozilla-thunderbird 0.9 or 1.0 ?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 13:19:11 UTC
1.0 is mostly a stabilized 0.9 release. As a Thunderbird user, I can only recomment marking the 1.0 version. From a security point of view, these two versions are probably identical (but changelogs are quite obscure on this). In brief, I would say, mark thunderbird-1.0, and if you can't, mark 0.9.
Comment 13 Olivier Crete (RETIRED) gentoo-dev 2004-12-21 01:06:11 UTC
mozilla-1.7.5 and thunderbird-1.0 are x86... re-add us if mozilla-bin needs to be tested... 
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-21 03:54:58 UTC
Alpha stable.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 12:38:38 UTC
mozilla team: please provide a mozilla-bin-1.7.5 ebuild.
Comment 16 Chris White (RETIRED) gentoo-dev 2004-12-28 13:41:33 UTC
ok, 1.7.5-bin put in cvs.  Marked x86 stable already.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-12-29 00:35:40 UTC
mozilla-1.7.5 : still needs "ppc" and "ia64"
mozilla-bin-1.7.5 : ready
>=mozilla-firefox-1.0 : still needs "ppc" "ia64" and "arm"
mozilla-firefox-bin-1.0 : ready
>=mozilla-thunderbird-0.9 : still needs "ppc" and "ia64"
>=mozilla-thunderbird-bin-0.9 : ready

ppc, ia64, arm : please test and mark stable
Comment 18 Joe Jezak (RETIRED) gentoo-dev 2004-12-29 04:21:56 UTC
Tested and marked mozilla-firefox-1.0 and mozilla-thunderbird-1.0 ppc stable.  If no one else gets to it, I'll test mozilla-1.7.5 tomorrow.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-01-01 10:58:27 UTC
Please vote on GLSA need. This is a temporary disclosure of file attachment contents. I vote NO for this one.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-01 14:35:27 UTC
I vote NO as well.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-01-02 10:36:39 UTC
Closed without GLSA.
arm, ia64, remember to mark mozilla 1.7.5 stable
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 01:12:33 UTC
GLSA 200501-03