desktop-packages team mailing list archive

[Bzbarsky <1401454@xxxxxxxxxxxxxxxxxx>]

I don't think you should pay so much attention to the "assignee" field
or the status.  Both are often bogus.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

Status in Mozilla Thunderbird Mail and News:
  Confirmed
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I open an attachment of an email in Thunderbird it gets written
  to disk with permission 644, so it is readable by everyone on the
  system.

  How to repeat: Open an E-Mail, Open an Attachment (e.g. google.png)

  $ cd /tmp; ls -lh
  -rw-r--r-- 1 theuser thegroup 2,4K Dez 11 10:39 google.png

  Instead, Thunderbird should write the file with permissions 600. Plus,
  to avoid conflicts between users, the file should be written into a
  directory per user, e.g. /tmp/theuser/google.png or another user
  specific temp directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunderbird/+bug/1401454/+subscriptions