https://bugzilla.mozilla.org/show_bug.cgi?id=251297 _____ http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt as posted on FD: Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local) Martin (broadcast@ptraced.net) ------------------- Program Description ------------------- "Thunderbird, our latest email program, includes intelligent spam filters, spell-checking, security, customization, and newsgroups support." www.mozilla.org ------------------- Problem Description ------------------- When opening an attachment, or a link included in an email, Thunderbird prompts the user with a dialog box, giving the choice to "Save to Disk" or to "Open with" <default program>. For example, we receive a PDF document attached, and on the Attachments section, we choose "Open". broadcast:/tmp$ ls -l *.pdf -rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf While the dialog box is still open, the file permissions are OK, and the filename is random (except for the extension). If we choose to save it to disk, and check /tmp again: broadcast:/tmp$ ls -l *.pdf ls: *.pdf: No such file or directory Great, it's gone. Now let's choose to open it with the default viewer (in my case, xpdf). Again, while the dialog box is open, there are no apparent problems. broadcast:/tmp$ ls -l *.pdf -rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd But after choosing to open it with xpdf: broadcast:/tmp$ ls -l *.pdf -rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf The file becomes world readable, until the user closes xpdf, or whatever application he chose to read the attachment. Also, the filename becomes predictable, but if the filename already exists on /tmp, Thunderbird will choose a similar filename, and won't work on the existing one. This exact issue affects Mozilla Firefox 0.9.3. I haven't tested older/newer versions, and all of this was tested under Debian Unstable. A copy of this advisory and future updates on this issue may be found on: http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt ______________ reply from Dan Veditz on FD: This was fixed Friday (bug 251297) and the fix will be in next versions of Mozilla products. It looks like the bug was introduced last March which would make Mozilla 1.7 and Firefox 0.9 and later vulnerable, Mozilla 1.6 and Firefox 0.8 and earlier OK. Thunderbird has been vulnerable from version 0.6 on. -Dan Veditz
for reference: http://secunia.com/advisories/12956/ http://securitytracker.com/alerts/2004/Oct/1011916.html http://securitytracker.com/alerts/2004/Oct/1011915.html ___ mozilla team, pls update/patch where appropriate
Given the severity, that probably should wait for upstream next version... Mozilla team, please comment.
I agree with Koon (speaking for the mozilla team unless Brad disagrees). This doesn't warrant a special distro-patched release. We'll wait for upstream
Looks like it's fixed in Firefox 1.0, Thunderbird 0.9... even if http://www.mozilla.org/projects/security/known-vulnerabilities.html is not up to date. Dunno about a fixed version in Mozilla though.
Firefox is fixed in version 1.0, according to http://www.squarefree.com/burningedge/releases/1.0.html
Fixed in Mozilla 1.7.5, according to : http://www.mozilla.org/releases/mozilla1.7.5/changelog.html Waiting for mozilla-bin to reach 1.7.5. mozilla-1.7.5 : "x86 ppc sparc alpha amd64 ia64" mozilla-bin-1.7.5 : not in portage yet mozilla-firefox-1.0 : "x86 ppc sparc alpha amd64 ia64 arm" mozilla-firefox-bin-1.0 : ready >=mozilla-thunderbird-0.9 : "x86 ppc sparc alpha amd64 ia64" >=mozilla-thunderbird-bin-0.9 : "x86"
mozilla team : please provide a mozilla-bin 1.7.5 arch teams : please start to test mozilla-1.7.5, mozilla-firefox-1.0 and mozilla-thunderbird[-bin]-1.0 and mark stable accordingly.
mozilla-thunderbird-1.0 sparc stable. mozilla-firefox-1.0 was already sparc stable. now building, then testing mozilla-1.7.5.
amd64 done.
mozilla-1.7.5 sparc stable, we're done.
On x86, should I mark mozilla-thunderbird 0.9 or 1.0 ?
1.0 is mostly a stabilized 0.9 release. As a Thunderbird user, I can only recomment marking the 1.0 version. From a security point of view, these two versions are probably identical (but changelogs are quite obscure on this). In brief, I would say, mark thunderbird-1.0, and if you can't, mark 0.9.
mozilla-1.7.5 and thunderbird-1.0 are x86... re-add us if mozilla-bin needs to be tested...
Alpha stable.
mozilla team: please provide a mozilla-bin-1.7.5 ebuild.
ok, 1.7.5-bin put in cvs. Marked x86 stable already.
mozilla-1.7.5 : still needs "ppc" and "ia64" mozilla-bin-1.7.5 : ready >=mozilla-firefox-1.0 : still needs "ppc" "ia64" and "arm" mozilla-firefox-bin-1.0 : ready >=mozilla-thunderbird-0.9 : still needs "ppc" and "ia64" >=mozilla-thunderbird-bin-0.9 : ready ppc, ia64, arm : please test and mark stable
Tested and marked mozilla-firefox-1.0 and mozilla-thunderbird-1.0 ppc stable. If no one else gets to it, I'll test mozilla-1.7.5 tomorrow.
Please vote on GLSA need. This is a temporary disclosure of file attachment contents. I vote NO for this one.
I vote NO as well.
Closed without GLSA. arm, ia64, remember to mark mozilla 1.7.5 stable
GLSA 200501-03