deletion of files possible with file saving

Bug #8750 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
firefox (Debian) | Fix Released | Unknown | |
firefox (Ubuntu) | Invalid | High | Unassigned |

Bug Description

Automatically imported from Debian bug report #274629 http://bugs.debian.org/274629

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 03 Oct 2004 10:02:54 +0200
From: Laszlo Boszormenyi <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: deletion of files possible with file saving

Package: mozilla-firefox
Version: 0.9.3-5
Severity: grave
Tags: security

If an attacker can convince the user to download a file, the attacker
can delete files from the directory the user saves the downloaded file.
For further information please see:
http://www.mozilla.org/press/mozilla-2004-10-01-02.html

I kindly ask you to package the latest Firefox for two reasons:
- it seems your patching makes my Firefox unreliable, lot of crashes
- other fixes may help; especially when we are talking about future
  security holes+fixes, as it is unlikely that developers will support
  0.9.3 when there were more 'stable' releases between.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1
Locale: LANG=en_US, LC_CTYPE=hu_HU

Versions of packages mozilla-firefox depends on:
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii fontconfig 2.2.3-1 generic font configuration library
ii libatk1.0-0 1.8.0-2 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-1 generic font configuration library
ii libfreetype6 2.1.7-2.2 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.1-4sarge1 GCC support library
ii libglib2.0-0 2.4.6-2 The GLib library of C routines
ii libgtk2.0-0 2.4.10-1 The GTK+ graphical user interface
ii libidl0 0.8.3-1 library for parsing CORBA IDL file
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii libpango1.0-0 1.6.0-1 Layout and rendering of internatio
ii libpng12-0 1.2.5.0-7 PNG library - runtime
ii libstdc++5 1:3.3.4-6sarge1.2 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-4 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-4 X Window System miscellaneous exte
ii libxft2 2.1.2-6 FreeType-based font drawing librar
ii libxp6 4.3.0.dfsg.1-4 X Window System printing extension
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxt6 4.3.0.dfsg.1-4 X Toolkit Intrinsics
ii psmisc 21.5-1 Utilities that use the proc filesy
ii xlibs 4.3.0.dfsg.1-4 X Window System client libraries m
ii zlib1g 1:1.2.1.1-7 compression library - runtime

-- no debconf information

Matt Zimmerman (mdz) wrote :

This bug has been marked as a duplicate of bug 8716.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 12 Oct 2004 01:31:42 -0400
From: Eric Dorland <email address hidden>
To: Jimmy Kaplowitz <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#275786: mozilla-firefox: Firefox in sarge/sid has data loss bug


severity 274629 serious
merge 274629 275786
thanks

Please do not file duplicate bug reports.

If what you're describing is true, then this bug is much less severe
than I had heard, and I would say it doesn't deserve such a severity
rating, important would seem more appropriate.

I will figure out what to do next week, whether to upload 0.10.1 to
unstable or a new 0.9.3.

* Jimmy Kaplowitz (<email address hidden>) wrote:
> Package: mozilla-firefox
> Version: 0.9.3-6
> Severity: serious
> Tags: sarge, sid, security, fixed-in-experimental
> Justification: causes non-serious data loss in rare cases
>
> The versions of Firefox in Debian proper (i.e., not experimental) are
> vulnerable to the following data loss bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=259708
>
> The bug description as written describes the behavior of 1.0PR before
> the fix in 0.10.1. Debian's 0.9.3 behaves differently, almost as
> described in bugzilla comment #22. If the download folder is an actual
> directory it will simply have its execute bit removed (making many
> normal filesystem operations with that directory give permission denied
> errors), but if it is really a file then the contents of the file will
> be overwritten. Those are the symptoms for the bugzilla testcase; it
> might be worse if someone wrote a different exploit.
>
> It occurs in everything before 0.10.1, so you could either fix this by
> getting the version in experimental into sarge/sid or by extracting the
> patch from the bugzilla history and applying it to 0.9.3.

-- 
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6


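A check for the two symptoms described in the quoted report above (the download folder loses its execute bit, or a regular file sits where the folder should be), as an added example that is not part of the original thread. The function name and status words are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Firefox.
# check_download_dir and its status words are hypothetical names.
#
# check_download_dir PATH
#   prints one of: ok | missing | not-a-directory | no-search-bit
#   returns 0 only for "ok"
check_download_dir() {
    path=$1

    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi

    # Symptom from the report: the "download folder" is really a file,
    # so its contents may have been overwritten by a saved download.
    if [ ! -d "$path" ]; then
        echo "not-a-directory"
        return 1
    fi

    # Symptom from the report: the directory had its execute bit removed.
    # Read the mode string instead of using `[ -x ]`, because root passes
    # the access test on a directory even when the bit is cleared.
    # -L follows a symlinked download folder to the real directory.
    mode=$(ls -ldL -- "$path" | cut -c1-10)
    owner_x=$(printf '%s' "$mode" | cut -c4)
    case $owner_x in
        x|s)
            echo "ok"
            return 0
            ;;
        *)
            # Repair once the cause is understood: chmod u+x "$path"
            echo "no-search-bit"
            return 1
            ;;
    esac
}

# Check every path given on the command line (the caller supplies the
# folders that Firefox was configured to save into).
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(check_download_dir "$p" || true)"
done
```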
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 23:38:14 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>
Subject: New upload to unstable make bugs fixed-in-experimental also fixed in unstable

tag 274311 - fixed-in-experimental
tag 274629 - fixed-in-experimental sid
tag 275786 - fixed-in-experimental sid
tag 277113 - fixed-in-experimental
tag 273700 - fixed-in-experimental
tag 265482 - fixed-in-experimental
tag 275563 - fixed-in-experimental
tag 262062 - fixed-in-experimental
tag 265907 - fixed-in-experimental
tag 269690 - fixed-in-experimental
tag 274258 - fixed-in-experimental
tag 274493 - fixed-in-experimental
tag 275844 - fixed-in-experimental
tag 274311 + sarge
tag 274629 + sarge
tag 275786 + sarge
tag 277113 + sarge
tag 273700 + sarge
tag 265482 + sarge
tag 275563 + sarge
tag 262062 + sarge
tag 265907 + sarge
tag 269690 + sarge
tag 274258 + sarge
tag 274493 + sarge
tag 275844 + sarge
thanks

New upload to unstable makes bugs fixed-in-experimental also fixed in
unstable, thus untagging them sid if necessary, and tagging them sarge
only.

Mike

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 18 Nov 2004 11:44:13 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>
Subject: 1.0-2 migrated to sarge

mozilla-firefox version 1.0-2 migrated to sarge, implying that these
bugs which were still in 0.9.3-5 but have been solved in the meanwhile,
are finally solved in sarge.

Mike

Changed in firefox:
status: Unknown → Fix Released