desktop-packages team mailing list archive

Thread
Date

[Bug 1401454]

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Plst <1401454@xxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Feb 2015 17:03:14 -0000
Reply-to: Bug 1401454 <1401454@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This over 7 year old bug is security related and still valid in
Thunderbird 31.3. So why is the patch not approved? On home computers
this is not a big issue but in companies with multi-user setup is really
is, so this needs to be fixed fast.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

Status in Mozilla Thunderbird Mail and News:
  In Progress
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I open an attachment of an email in Thunderbird it gets written
  to disk with permission 644, so it is readable by everyone on the
  system.

  How to repeat: Open an E-Mail, Open an Attachment (e.g. google.png)

  $ cd /tmp; ls -lh
  -rw-r--r-- 1 theuser thegroup 2,4K Dez 11 10:39 google.png

  Instead, Thunderbird should write the file with permissions 600. Plus,
  to avoid conflicts between users, the file should be written into a
  directory per user, e.g. /tmp/theuser/google.png or another user
  specific temp directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunderbird/+bug/1401454/+subscriptions