desktop-packages team mailing list archive

Thread
Date

[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 11 Dec 2014 21:21:41 -0000
Reply-to: Bug 1401454 <1401454@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Bug watch added: Mozilla Bugzilla #377630
   https://bugzilla.mozilla.org/show_bug.cgi?id=377630

** Also affects: thunderbird via
   https://bugzilla.mozilla.org/show_bug.cgi?id=377630
   Importance: Unknown
       Status: Unknown

** Information type changed from Private Security to Public Security

** Changed in: thunderbird (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

Status in Mozilla Thunderbird Mail and News:
  Unknown
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I open an attachment of an email in Thunderbird it gets written
  to disk with permission 644, so it is readable by everyone on the
  system.

  How to repeat: Open an E-Mail, Open an Attachment (e.g. google.png)

  $ cd /tmp; ls -lh
  -rw-r--r-- 1 theuser thegroup 2,4K Dez 11 10:39 google.png

  Instead, Thunderbird should write the file with permissions 600. Plus,
  to avoid conflicts between users, the file should be written into a
  directory per user, e.g. /tmp/theuser/google.png or another user
  specific temp directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunderbird/+bug/1401454/+subscriptions