Comment 1 for bug 1401454

In , Peter Bieringer (pb-bieringer) wrote :

User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.10) Gecko/20070313 Fedora/1.5.0.10-5.fc6 Firefox/1.5.0.10 pango-text
Build Identifier: 1.5.0.10

On at least Fedora Core every attachment which was opened is saved in /tmp. On a multi-user system this can lead to a filename disclosure and therefore to a privacy problem, think about e.g.

/tmp/loveletter-from-girlfriend-xy.doc

Reproducible: Always

Steps to Reproduce:
1. Open attachment "secret-agenda-from-company.ppt" from an e-mail

2. Log in as a different user and list the /tmp directory
$ ls -al /tmp/*.ppt
-rw------- 1 peter peter 248832 16. Apr 14:08 /tmp/secret-agenda-from-company.ppt

Actual Results:
File name is unexpectedly disclosed to all other non-root users

Expected Results:
File would be stored into a subdirectory in tmp, e.g.
/tmp/peter-thunderbird/secret-agenda-from-company.ppt
and
/tmp/peter-thunderbird is created with permissions 700
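
Added example, not part of the original report and not Thunderbird's code: a shell sketch of the expected behaviour, where the attachment is placed in a per-user directory with mode 700 so other users cannot list the file names inside it. It goes slightly beyond the report by using a random suffix from `mktemp -d` instead of a fixed name, because a fixed name in a shared /tmp can be created in advance by another user; the function names and the `thunderbird-UID` prefix are assumptions.

```shell
#!/bin/sh
# Added example: keep opened attachments in a private per-user directory
# so their names are not visible to other users of a shared /tmp.
# Function names and the "thunderbird-UID" prefix are illustrative assumptions.

# Create a new directory under base dir $1 (default: $TMPDIR or /tmp) and
# print its path. mktemp -d creates it atomically with mode 0700 and a random
# suffix, so the name cannot be pre-created or symlinked by another user.
make_private_dir() {
    base=${1:-${TMPDIR:-/tmp}}
    ( umask 077 && mktemp -d "$base/thunderbird-$(id -u).XXXXXX" )
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with no permission bits set for group or others.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1") in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Copy attachment $1 into private directory $2 and print the new path.
# Refuses to write if the directory is not private, which covers the case
# of a directory whose mode was loosened after creation.
store_attachment() {
    is_private_dir "$2" || return 1
    dest="$2/$(basename -- "$1")"
    ( umask 077 && cp -- "$1" "$dest" ) && printf '%s\n' "$dest"
}
```

Other users can still see that the directory exists, but `ls` on it fails for them, so the attachment names stay private.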