Ubuntu
thunderbird package

[upstream] Thunderbird 91.5.0 regression: writes attachments to /tmp readable to everyone

Bug #1959604 reported by Pierre Sauter on 2022-01-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mozilla Thunderbird	Fix Released	Unknown	mozilla-bugs #1753242
	thunderbird (Ubuntu)	Fix Released	High	Unassigned

Bug Description

thunderbird saves opened attachments to /tmp with permissions according to umask setting. This was fixed a long time ago with a protected folder /tmp/mozilla_${USER}0 and was still working correctly as of version 78.14.0+build1-0ubuntu0.20.04.2. The recent update to 1:91.5.0+build1-0ubuntu0.20.04.1 reintroduced the bug.

Ubuntu 20.04.3 LTS
Kernel release: 5.13.0-25-generic
Architecture: x86_64

Tags:

Revision history for this message

Sebastien Bacher (seb128) wrote on 2022-02-02:

Thank you for your bug, that sounds like an upstream issue, maybe you could report it to https://bugzilla.mozilla.org/ ?

Revision history for this message

In Mozilla Bugzilla #1753242, Pierre Sauter (pierre-sauter-z) wrote on 2022-02-02:

Steps to reproduce:

open an attachment (png) with the associated app

Actual results:

the file is saved to /tmp readable to everyone

Expected results:

a protected subdirectory /tmp/mozilla_${user}0 should be created and the file saved there

Revision history for this message

In Mozilla Bugzilla #1753242, Pierre Sauter (pierre-sauter-z) wrote on 2022-02-02:

References:

old bug that led to the mozilla_$user subdirectory:
https://bugzilla.mozilla.org/show_bug.cgi?id=377630

Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1959604

Revision history for this message

Pierre Sauter (pierre-sauter-z) wrote on 2022-02-02:

Done

Bug Watch Updater (bug-watch-updater) on 2022-02-02

Changed in thunderbird:
status:	Unknown → New

Olivier Tilloy (osomon) on 2022-02-02

summary:	- Thunderbird 91.5.0 regression: writes attachments to /tmp readable to - everyone + [upstream] Thunderbird 91.5.0 regression: writes attachments to /tmp + readable to everyone
tags:	added: upstream

Revision history for this message

In Mozilla Bugzilla #1753242, Mkmelin+mozilla (mkmelin+mozilla) wrote on 2022-02-03:

Right, we're not using https://searchfox.org/mozilla-central/rev/8b46752d1e583b2f817c451f93ba515fb865554d/uriloader/exthandler/nsExternalHelperAppService.cpp#387 anymore.

Bug Watch Updater (bug-watch-updater) on 2022-02-03

Changed in thunderbird:
status:	New → Confirmed

Revision history for this message

In Mozilla Bugzilla #1753242, Mkmelin+mozilla (mkmelin+mozilla) wrote on 2022-02-03:

Created attachment 9262175
Bug 1753242 - use a tmp subdir for opening temp files. r=darktrojan

Revision history for this message

Sebastien Bacher (seb128) wrote on 2022-02-04:

Thanks, upstream confirmed the regression and proposed a suggested fix for review now

Changed in thunderbird (Ubuntu):
importance:	Undecided → High
status:	New → Triaged

Bug Watch Updater (bug-watch-updater) on 2022-02-07

Changed in thunderbird:
status:	Confirmed → In Progress

Revision history for this message

In Mozilla Bugzilla #1753242, Pulsebot (pulsebot) wrote on 2022-02-10:

Pushed by <email address hidden>:
https://hg.mozilla.org/comm-central/rev/2f7ca550aed8
use a tmp subdir for opening temp files. r=darktrojan

Revision history for this message

In Mozilla Bugzilla #1753242, Mkmelin+mozilla (mkmelin+mozilla) wrote on 2022-02-11:

Comment on attachment 9262175
Bug 1753242 - use a tmp subdir for opening temp files. r=darktrojan

[Approval Request Comment]
Regression caused by (bug #): bug 1737711
User impact if declined: information leak possible for multi-user systems
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): some risk of unexpected behavior

Bug Watch Updater (bug-watch-updater) on 2022-02-11

Changed in thunderbird:
status:	In Progress → Fix Released

Revision history for this message

In Mozilla Bugzilla #1753242, Vseerror (vseerror) wrote on 2022-02-13:

#10

Comment on attachment 9262175
Bug 1753242 - use a tmp subdir for opening temp files. r=darktrojan

[Triage Comment]
Approved for beta

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-02-14:

#11

Thunderbird 98.0b2:
https://hg.mozilla.org/releases/comm-beta/rev/c173b2661afc

Revision history for this message

In Mozilla Bugzilla #1753242, Wls220spring (wls220spring) wrote on 2022-02-15:

#12

Verified testing the 98.0b2 release candidate on Fedora 35 Workstation.

Revision history for this message

In Mozilla Bugzilla #1753242, Vseerror (vseerror) wrote on 2022-02-28:

#13

Comment on attachment 9262175
Bug 1753242 - use a tmp subdir for opening temp files. r=darktrojan

[Triage Comment]
Approved for esr91

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-01:

#14

The test changes won't merge. The changes to msgHdrView.js apply fine. Uplifting without the tests seems like a bad idea, how do you want to proceed?

Revision history for this message

In Mozilla Bugzilla #1753242, Mkmelin+mozilla (mkmelin+mozilla) wrote on 2022-03-02:

#15

Please grab this one for 91: https://hg.mozilla.org/try-comm-central/rev/cd62aeb78d449ab78f05db634320ae06f33de437

Revision history for this message

In Mozilla Bugzilla #1753242, Mkmelin+mozilla (mkmelin+mozilla) wrote on 2022-03-02:

#16

Sorry, still something to sort out with that.

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-02:

#17

Created attachment 9266065
1753242_esr91.patch

fixed version for esr91 based on comment 11.

Diff to comment 11:
```
➜ hg diff
diff --git a/mail/test/browser/attachment/browser_openAttachment.js b/mail/test/browser/attachment/browser_openAttachment.js
--- a/mail/test/browser/attachment/browser_openAttachment.js
+++ b/mail/test/browser/attachment/browser_openAttachment.js
@@ -39,17 +39,17 @@ add_task(async function setupModule(modu
be_in_folder(folder);

   // @see logic for tmpD in msgHdrView.js
   tmpD = PathUtils.join(
     Services.dirsvc.get("TmpD", Ci.nsIFile).path,
     "pid-" + Services.appinfo.processID
   );

- let savePath = PathUtils.join(tmpD, "saveDestination");
+ savePath = PathUtils.join(tmpD, "saveDestination");
await IOUtils.makeDirectory(savePath);
Services.prefs.setStringPref("browser.download.dir", savePath);

   Services.prefs.setIntPref("browser.download.folderList", 2);
   Services.prefs.setBoolPref("browser.download.useDownloadDir", true);
   Services.prefs.setIntPref("security.dialog_enable_delay", 0);

   let mockedExecutable = FileUtils.getFile("TmpD", ["mockedExecutable"]);
@@ -406,12 +406,8 @@ add_task(async function saveToDiskPrompt
   let file = await checkFileSaved(tmpD);
   file.remove(false);
   Assert.ok(MockFilePicker.shown, "file picker was shown");

MockFilePicker.reset();
Services.prefs.setBoolPref("browser.download.useDownloadDir", true);
});

-registerCleanupFunction(() => {
- // Remove created folders.
- folder.deleteSelf(null);
-});
```

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-02:

#18

Thunderbird 91.7.0:
https://hg.mozilla.org/releases/comm-esr91/rev/10a8a57ef967

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-02:

#19

Comment on attachment 9266065
1753242_esr91.patch

[Triage Comment]
Previously approved by wsmwk; moving flag to esr91 version of patch.

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-04:

#20

Verified the fix works on 91.7.0-build1, Linux64.

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-04:

#21

```
CVE-??:
     title: Opened attachments are saved world-readable
     impact: moderate
     reporter: Pierre Sauter
     description: |
       Thunderbird 91.4.1-91.6.1 saves opened attachment files in the temporary directory with world-readable permissions.
     bugs:
       - url: 1753242
```

Kai - We'd like advisory for this bug.

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-05:

#22

Thunderbird 91.6.2:
https://hg.mozilla.org/releases/comm-esr91/rev/b70db8a4e475ef9e7eea400994594d45f69c61fb

Revision history for this message

In Mozilla Bugzilla #1753242, Rob Lemley (rjl-tbird) wrote on 2022-03-05:

#23

(In reply to Rob Lemley [:rjl] from comment #17)
> Kai - We'd like advisory for this bug.

No advisory. This bug is mentioned in the release notes.

Revision history for this message

Simon Déziel (sdeziel) wrote on 2022-08-03:

#24

Marking as fix released because the upstream bug was closed and the fix was verified to work in comment 20 (version 91.7.0). Ubuntu currently ships version 91.11.0.

Changed in thunderbird (Ubuntu):
status:	Triaged → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

mozilla-bugs #1753242
[VERIFIED FIXED] Edit
mozilla-bugs #377630
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuthunderbird package

[upstream] Thunderbird 91.5.0 regression: writes attachments to /tmp readable to everyone

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
thunderbird package