[Secure-testing-team] Bug#779872: Iceweasel incorrectly uses /tmp for temporary files
Pierre Schweitzer
pierre at reactos.org
Thu Mar 5 19:32:07 UTC 2015
Package: iceweasel
Version: 31.5.0esr-1~deb7u1
Severity: important
Tags: security
Dear all,
Iceweasel offers the possibility to open a file instead of downloading it. In
such a situation, the file is downloaded into the /tmp directory and then opened.
The permissions set on the downloaded temporary file are weak, allowing anyone
to open it as well. This has the wrong effect of disclosing the file to anyone
who has access to the system, leading to a potential privacy disclosure,
depending on the file.
It would be better if iceweasel granted permissions to the owning user only.
-- Package-specific info:
-- Extensions information
Name: Français Language Pack locale
Location: /usr/lib/iceweasel/browser/extensions/langpack-fr at iceweasel.mozilla.org.xpi
Package: iceweasel-l10n-fr
Status: enabled
Name: Thème par défaut theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled
Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled
-- Addons package information
ii browser-plugin 0.8.11~git20 amd64 GNU Shockwave Flash (SWF) player
ii gnome-shell 3.4.2-7+deb7 amd64 graphical shell for the GNOME des
ii iceweasel 31.5.0esr-1~ amd64 Web browser based on Firefox
ii iceweasel-l10n 1:31.5.0esr- all French language package for Icewe
ii rhythmbox-plug 2.97-2.1 amd64 plugins for rhythmbox music playe
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 4.3.2
ii fontconfig 2.9.0-7.1
ii libasound2 1.0.25-4
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38+deb7u8
ii libcairo2 1.12.2-3
ii libdbus-1-3 1.6.8-1+deb7u6
ii libdbus-glib-1-2 0.100.2-1
ii libevent-2.0-5 2.0.19-stable-3+deb7u1
ii libffi5 3.0.10-3
ii libfontconfig1 2.9.0-7.1
ii libfreetype6 2.4.9-1.1
ii libgcc1 1:4.7.2-5
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgtk2.0-0 2.24.10-2
ii libhunspell-1.3-0 1.3.2-4
ii libpango1.0-0 1.30.0-1
ii libsqlite3-0 3.7.13-1+deb7u1
ii libstartup-notification0 0.12-1
ii libstdc++6 4.7.2-5
ii libx11-6 2:1.5.0-1+deb7u1
ii libxext6 2:1.3.1-2+deb7u1
ii libxrender1 1:0.9.7-1+deb7u1
ii libxt6 1:1.1.3-1+deb7u1
ii procps 1:3.3.3-3
ii zlib1g 1:1.2.7.dfsg-13
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
ii fonts-stix [otf-stix] 1.1.0-1
ii libcanberra0 0.28-6
ii libgnomeui-0 2.24.5-2
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u3
pn mozplugger <none>
-- no debconf information
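The mechanism behind this report, as an added example that is not code from the bug report or from Iceweasel: a file created in a shared /tmp with the default mode (0666 masked by the usual umask of 022, giving 0644) is readable by every local user, while tempfile.mkstemp creates it with mode 0600 and O_EXCL, and a per-user 0700 directory (mkdtemp) protects even a predictable file name. The function names, the sample payload and the scratch directories are constructed for the example.

```python
"""Demonstrates weak vs private temp-file creation for a browser-style
"open this download" flow.  Added example, not Iceweasel's own code.
Run on Linux; the checks read permission bits, not actual access."""
import os
import shutil
import stat
import tempfile


def world_readable(path):
    """True if group or other users have read permission on path."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def save_download_weak(directory, name, data):
    """Models the reported behaviour: a predictable name in a shared
    directory, created with mode 0666 masked only by the process umask.
    The umask is forced to the common default 0022 (and restored) so the
    result is deterministically 0644, i.e. readable by any local user."""
    old_umask = os.umask(0o022)
    try:
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def save_download_private(directory, data, suffix=""):
    """Fix 1: mkstemp creates the file atomically with mode 0600 and
    O_EXCL, so other users cannot read it and a pre-planted symlink on
    a guessable name is not followed."""
    fd, path = tempfile.mkstemp(dir=directory, suffix=suffix)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def save_download_private_dir(data, name):
    """Fix 2: a per-user directory created with mode 0700 (mkdtemp)
    keeps even a predictable, helper-friendly file name private.
    Caller removes the directory when the helper application exits."""
    private_dir = tempfile.mkdtemp(prefix="download-")
    path = os.path.join(private_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Creates one file each way and reports which are exposed.
    Returns {"weak": True, "mkstemp": False, "private_dir": False}."""
    data = b"constructed sample: contents of salary.pdf"  # constructed payload
    results = {}
    with tempfile.TemporaryDirectory() as scratch:  # stands in for /tmp
        weak = save_download_weak(scratch, "salary.pdf", data)
        private = save_download_private(scratch, data, suffix=".pdf")
        results["weak"] = world_readable(weak)
        results["mkstemp"] = world_readable(private)

    in_private_dir = save_download_private_dir(data, "salary.pdf")
    try:
        dir_mode = os.stat(os.path.dirname(in_private_dir)).st_mode
        # exposed only if the file or its directory grants anything to group/other
        results["private_dir"] = (
            world_readable(in_private_dir) or bool(dir_mode & 0o077)
        )
    finally:
        shutil.rmtree(os.path.dirname(in_private_dir))
    return results


if __name__ == "__main__":
    for label, exposed in demo().items():
        print(f"{label:12s} readable by other local users: {exposed}")
```

The sticky bit on /tmp only stops other users from deleting or renaming the file; it does nothing against reading, which is why the mode bits (or a 0700 parent directory) are the control that matters here. Note that mkstemp's randomised name breaks helper applications that want the original file name, which is the case for the second fix.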