[Secure-testing-team] Bug#779872: Iceweasel incorrectly uses /tmp for temporary files

Pierre Schweitzer pierre at reactos.org
Thu Mar 5 19:32:07 UTC 2015 

Package: iceweasel
Version: 31.5.0esr-1~deb7u1
Severity: important
Tags: security

Dear all,

Iceweasel offers the possibility to open a file instead of downloading it. In
such situation, the file is downloaded into /tmp directory and then opened.
The permissions set on the downloaded temporary file are weak allowing anyone
to open it as well. This has the wrong effect of disclosing the file to anyone
who has access to the system, leading to a potential privacy disclose,
depending on the file.

It would be better that iceweasel grants limited permissions to the user only.



-- Package-specific info:

-- Extensions information
Name: Français Language Pack locale
Location: /usr/lib/iceweasel/browser/extensions/langpack-fr at iceweasel.mozilla.org.xpi
Package: iceweasel-l10n-fr
Status: enabled

Name: Thème par défaut theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled


-- Addons package information
ii  browser-plugin 0.8.11~git20 amd64        GNU Shockwave Flash (SWF) player 
ii  gnome-shell    3.4.2-7+deb7 amd64        graphical shell for the GNOME des
ii  iceweasel      31.5.0esr-1~ amd64        Web browser based on Firefox
ii  iceweasel-l10n 1:31.5.0esr- all          French language package for Icewe
ii  rhythmbox-plug 2.97-2.1     amd64        plugins for rhythmbox music playe

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils               4.3.2
ii  fontconfig                2.9.0-7.1
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libc6                     2.13-38+deb7u8
ii  libcairo2                 1.12.2-3
ii  libdbus-1-3               1.6.8-1+deb7u6
ii  libdbus-glib-1-2          0.100.2-1
ii  libevent-2.0-5            2.0.19-stable-3+deb7u1
ii  libffi5                   3.0.10-3
ii  libfontconfig1            2.9.0-7.1
ii  libfreetype6              2.4.9-1.1
ii  libgcc1                   1:4.7.2-5
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-5
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libpango1.0-0             1.30.0-1
ii  libsqlite3-0              3.7.13-1+deb7u1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-5
ii  libx11-6                  2:1.5.0-1+deb7u1
ii  libxext6                  2:1.3.1-2+deb7u1
ii  libxrender1               1:0.9.7-1+deb7u1
ii  libxt6                    1:1.1.3-1+deb7u1
ii  procps                    1:3.3.3-3
ii  zlib1g                    1:1.2.7.dfsg-13

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
ii  fonts-stix [otf-stix]  1.1.0-1
ii  libcanberra0           0.28-6
ii  libgnomeui-0           2.24.5-2
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u3
pn  mozplugger             <none>

-- no debconf information

More information about the Secure-testing-team mailing list