Bug#622353: iceweasel: application/binary files are seen as Bzip archives
Mike Hommey
mh at glandium.org
Tue Apr 12 13:05:21 UTC 2011
On Tue, Apr 12, 2011 at 02:46:15PM +0200, Vincent Lefevre wrote:
> retitle 622353 iceweasel: downloading a file from some web site can introduce incorrect data in mimeTypes.rdf
> tags 622353 security
> severity 622353 grave
> thanks
>
> On 2011-04-12 14:20:30 +0200, Vincent Lefevre wrote:
> > Package: iceweasel
> > Version: 3.5.18-1
> > Severity: normal
> >
> > Files served as "Content-Type: application/binary" are seen as Bzip
> > archives.
>
> The problem seems to come from the mimeTypes.rdf, which contains:
>
> <RDF:Description RDF:about="urn:mimetype:application/binary"
> NC:value="application/binary"
> NC:editable="true"
> NC:description="Bzip archive">
> <NC:handlerProp RDF:resource="urn:mimetype:handler:application/binary"/>
> </RDF:Description>
>
> If I remove any reference to application/binary from mimeTypes.rdf,
> the problem no longer appears after restarting Iceweasel.
>
> However if I download a real bzip archive with application/binary
> content type, e.g.
>
> https://gforge.inria.fr/frs/download.php/28449/mpfr-3.0.1.tar.bz2
>
> the lines reappear in the mimeTypes.rdf file, and the problem
> reappears.
>
> Really, Iceweasel shouldn't corrupt the mimeTypes.rdf file in such
> a way, that could affect other web sites. IMHO, this is a potential
> security problem, as it can fool the user by giving wrong information
> about the contents of a file.

Please file this upstream (reproducible with firefox 4.0), but I don't think
this has much security implication.

Mike
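
An added example, not part of either message and not Iceweasel code: a Python audit of a profile's mimeTypes.rdf that reports generic content types carrying a format-specific description, like the application/binary entry quoted above, and lists every node that references them. The set of generic types, the function name and the sample's handler and PDF nodes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NC = "http://home.netscape.com/NC-rdf#"

# Assumption: content types that say nothing about the real file format.
# Only application/binary comes from the bug report.
GENERIC_TYPES = {"application/binary", "application/octet-stream"}

# Constructed sample: the entry quoted in the report, plus a handler node
# and an unrelated PDF entry added here for illustration.
SAMPLE = """
<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
         xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <RDF:Description RDF:about="urn:mimetype:application/binary"
                   NC:value="application/binary"
                   NC:editable="true"
                   NC:description="Bzip archive">
    <NC:handlerProp RDF:resource="urn:mimetype:handler:application/binary"/>
  </RDF:Description>
  <RDF:Description RDF:about="urn:mimetype:handler:application/binary"
                   NC:alwaysAsk="true"/>
  <RDF:Description RDF:about="urn:mimetype:application/pdf"
                   NC:value="application/pdf"
                   NC:description="PDF document"/>
</RDF:RDF>
"""

def audit_mimetypes(rdf_text, generic=GENERIC_TYPES):
    """Return (findings, references): generic types that carry a description,
    and the sorted URIs of every node that refers to those types."""
    root = ET.fromstring(rdf_text)
    findings = []
    for node in root.iter():
        mime = node.get(f"{{{NC}}}value", "").lower()
        desc = node.get(f"{{{NC}}}description")
        if mime in generic and desc:
            findings.append((mime, desc))
    flagged = {mime for mime, _ in findings}
    references = set()
    for node in root.iter():
        for attr in ("about", "resource"):
            uri = node.get(f"{{{RDF}}}{attr}", "")
            # urn:mimetype:<type> and urn:mimetype:handler:<type> both end in the type
            if uri.startswith("urn:mimetype:") and uri.rsplit(":", 1)[-1].lower() in flagged:
                references.add(uri)
    return findings, sorted(references)

if __name__ == "__main__":
    print(audit_mimetypes(SAMPLE))
```

To check a real profile, pass the contents of its mimeTypes.rdf to audit_mimetypes() while the browser is not running.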