Bug#882040: Something in Firefox writes to /tmp/tmpaddon

Josh Triplett josh at joshtriplett.org
Fri Nov 17 23:07:50 UTC 2017


On Sat, Nov 18, 2017 at 08:03:21AM +0900, Mike Hommey wrote:
> On Fri, Nov 17, 2017 at 02:32:43PM -0800, Josh Triplett wrote:
> > Package: firefox
> > Version: 57.0-1
> > Severity: normal
> > 
> > Something in Firefox seems to be writing addons to /tmp/tmpaddon as part
> > of the installation process. (Mentions in bugs like
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1385303 seem to confirm
> > this.) This needs confirmation to make sure it isn't an insecure
> > tempfile vulnerability, but even if it isn't, it *should* be using a
> > secure temporary file name to avoid conflict with other users.
> 
> toolkit/mozapps/extensions/internal/ProductAddonChecker.jsm does:
>   let f = await OS.File.openUnique(OS.Path.join(OS.Constants.Path.tmpDir, "tmpaddon"))
> 
> toolkit/mozapps/extensions/internal/XPIProvider.jsm does:
>   let path = OS.Path.join(OS.Constants.Path.tmpDir, "tmpaddon");
>   let unique = await OS.File.openUnique(path);
> 
> Those are the only two references to "tmpaddon", and openUnique creates
> unique file names with the given prefix. So this shouldn't be happening.

~$ file /tmp/tmpaddon
/tmp/tmpaddon: Zip archive data, at least v2.0 to extract
~$ unzip -l /tmp/tmpaddon
Archive:  /tmp/tmpaddon
  Length      Date    Time    Name
---------  ---------- -----   ----
      116  2017-08-21 20:25   gmpopenh264.info
  1407459  2017-08-21 20:25   libgmpopenh264.so
---------                     -------
  1407575                     2 files

So that's an additional concern: Firefox *shouldn't* be downloading or
using OpenH264.  It shows up as "disabled" under about:plugins and
about:addons.

- Josh Triplett
