Using Thunderbird 38.8.0 in Ubuntu 16.04, when I open a pdf I now get a
-r 1 thomas thomas 19K Jun 16 18:28 filename.pdf
So nobody can read the file, which is 95% of the security fix. The
remaining 5% would be to not expose the file name to other users.
That's exactly how it is done
The rights setting in /tmp is 644, not 755.
Anyway, what is so complicated setting them to 600?
And by the way, couldn't these files be deleted at some time?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
Bug continues, all users of thunderbird use /tmp as 755 so everybody can
read attachments that one user has opened. Is there any straight
solution ? It´s a great fail of security.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
** Changed in: thunderbird
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454
Title:
Thunderbird writes attachments to /tmp readable
I was wrong. Not overwrite, just read. Which makes it even less probable
to break things.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454
Title:
Thunderbird writes
As the discussion about this was going on for 8 years in the mozilla
community, I suggest to at least set permissions right in the distros.
For the moment, there is only one path (which is /tmp) and there is only
the original name used. That said, concurrent users could overwrite
their temporary
** Changed in: thunderbird
Status: In Progress = Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454
Title:
Thunderbird writes attachments to /tmp readable to
** Bug watch added: Mozilla Bugzilla #377630
https://bugzilla.mozilla.org/show_bug.cgi?id=377630
** Also affects: thunderbird via
https://bugzilla.mozilla.org/show_bug.cgi?id=377630
Importance: Unknown
Status: Unknown
** Information type changed from Private Security to Public
Launchpad has imported 42 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=377630.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
9 matches
Mail list logo
