desktop-packages team mailing list archive

Thread
Date

[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: VON <aghsistemas@xxxxxxxxx>
Date: Fri, 16 Oct 2015 09:29:36 -0000
Reply-to: Bug 1401454 <1401454@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Bug continues, all users of thunderbird use /tmp as 755 so everybody can
read  attachments that one user has opened. Is there any straight
solution ? It´s a great fail of security.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

Status in Mozilla Thunderbird:
  Fix Released
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I open an attachment of an email in Thunderbird it gets written
  to disk with permission 644, so it is readable by everyone on the
  system.

  How to repeat: Open an E-Mail, Open an Attachment (e.g. google.png)

  $ cd /tmp; ls -lh
  -rw-r--r-- 1 theuser thegroup 2,4K Dez 11 10:39 google.png

  Instead, Thunderbird should write the file with permissions 600. Plus,
  to avoid conflicts between users, the file should be written into a
  directory per user, e.g. /tmp/theuser/google.png or another user
  specific temp directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunderbird/+bug/1401454/+subscriptions