Bug#882040: Something in Firefox writes to /tmp/tmpaddon

Damyan Ivanov dmn at debian.org
Sat Nov 18 08:14:22 UTC 2017


-=| Mike Hommey, 18.11.2017 08:03:21 +0900 |=-
> On Fri, Nov 17, 2017 at 02:32:43PM -0800, Josh Triplett wrote:
> > Something in Firefox seems to be writing addons to /tmp/tmpaddon as part
> > of the installation process. (Mentions in bugs like
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1385303 seem to confirm
> > this.) This needs confirmation to make sure it isn't an insecure
> > tempfile vulnerability, but even if it isn't, it *should* be using a
> > secure temporary file name to avoid conflict with other users.
> 
> toolkit/mozapps/extensions/internal/ProductAddonChecker.jsm does:
>   let f = await OS.File.openUnique(OS.Path.join(OS.Constants.Path.tmpDir, "tmpaddon"))
> 
> toolkit/mozapps/extensions/internal/XPIProvider.jsm does:
>   let path = OS.Path.join(OS.Constants.Path.tmpDir, "tmpaddon");
>   let unique = await OS.File.openUnique(path);
> 
> Those are the only two references to "tmpaddon", and openUnique creates
> unique file names with the given prefix. So this shouldn't be 
> happening.

Still, 'install -d -m 0700 /tmp/tmpaddon' would prevent other users 
from installing add-ons, wouldn't it?


-- dam
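
Added example, not part of the original message and not Firefox's code: a Node.js sketch of the exclusive-create-with-fallback pattern that the quoted reply attributes to openUnique, run in a constructed scratch directory where the base name is already taken by a 0700 directory and the next name by a dangling symlink. The helper name openUniqueSketch, the "-N" suffix scheme and the 99-attempt limit are assumptions for illustration; POSIX filesystem semantics are assumed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Hypothetical helper (not the OS.File API): returns { fd, path } for a file
// that this call itself created, never one that already existed.
function openUniqueSketch(base, maxAttempts = 99) {
  for (let i = 0; i <= maxAttempts; i++) {
    const candidate = i === 0 ? base : `${base}-${i}`;
    try {
      // "wx" maps to O_WRONLY|O_CREAT|O_TRUNC|O_EXCL: the open fails with
      // EEXIST if anything (file, directory, symlink) already has this name,
      // and a symlink is not followed. Mode 0600 keeps other users out.
      const fd = fs.openSync(candidate, "wx", 0o600);
      return { fd, path: candidate };
    } catch (err) {
      if (err.code !== "EEXIST") throw err; // only "name taken" is retried
    }
  }
  throw new Error(`no free name after ${maxAttempts} attempts: ${base}`);
}

// Constructed scenario: runs in a private scratch directory, not in /tmp itself.
function demo() {
  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), "tmpaddon-demo-"));
  const base = path.join(sandbox, "tmpaddon");
  const victim = path.join(sandbox, "victim");
  try {
    fs.mkdirSync(base, { mode: 0o700 });  // base name taken by a directory
    fs.symlinkSync(victim, `${base}-1`);  // next name is a dangling symlink
    const got = openUniqueSketch(base);
    fs.closeSync(got.fd);
    return {
      name: path.basename(got.path),                 // which name was used
      mode: fs.statSync(got.path).mode & 0o777,      // resulting permissions
      victimCreated: fs.existsSync(victim),          // was the symlink followed?
    };
  } finally {
    fs.rmSync(sandbox, { recursive: true, force: true });
  }
}
```
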