Open Bug 1290635 Opened 9 years ago Updated 2 years ago

Insecure temporary files for child process crash-time metadata

Categories

(Toolkit :: Crash Reporting, defect)

Version: 46 Branch
Hardware: Unspecified
OS: Linux
Type: defect

People

(Reporter: jld, Unassigned)

Details

(Keywords: csectype-priv-escalation, sec-low)

I noticed that, as a result of bug 1236108, when a child process crashes it tries to open a predictable filename in /tmp (GeckoChildCrash%d.extra with its pid) with the flags O_WRONLY|O_CREAT|O_TRUNC. In particular, O_EXCL is not used. This means that if another user on the system creates a symlink there, Firefox will open an attacker-controlled file as the user running Firefox, truncate it to zero length, and then write (possibly empty) crash metadata to it. This isn't the most severe form of this type of bug, because it requires the process to crash instead of just operate normally, and I don't know if it's currently possible for an attacker to usefully control any of the data written to this file.
It isn't clear what you'd do with this aside from wiping out a file or something, so I'm just marking it sec-audit. Feel free to adjust as desired.
Group: toolkit-core-security
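As an added illustration (not Firefox code, and not from the reporter), the two open(2) calls side by side: the O_TRUNC-without-O_EXCL pattern the report describes, and an O_EXCL|O_NOFOLLOW form that refuses to go through a pre-planted symlink. The scratch directory, the constructed "known_hosts" victim file, the pid 4242 and the helper names are assumptions made up for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for a victim dot-file's contents. */
#define PAYLOAD "ssh-ed25519 AAAA...constructed...\n"

/* The pattern from the report: predictable name, O_TRUNC, no O_EXCL.
 * If `path` is a symlink planted by another user, open() follows it
 * and truncates whatever it points at, as the Firefox user. */
static int open_metadata_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: with O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything already exists at `path`, a symlink included, and never
 * follows it. O_NOFOLLOW is a second line of defence. The caller
 * should then choose another name (or use mkstemp in a private dir). */
static int open_metadata_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Simulate the scenario in a scratch directory (constructed data):
 * a "victim" file holding PAYLOAD and a symlink with the predictable
 * GeckoChildCrash<pid>.extra name pointing at it. Run open_fn on the
 * symlink, record whether it succeeded in *opened, and return the
 * victim file's size afterwards (-1 on a setup error). */
static long run_scenario(int (*open_fn)(const char *), int *opened) {
    char dir[] = "/tmp/bug1290635-demo-XXXXXX";
    char victim[128], link[128];
    struct stat st; long size = -1;
    *opened = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/known_hosts", dir);
    snprintf(link, sizeof link, "%s/GeckoChildCrash%d.extra", dir, 4242);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v >= 0 && write(v, PAYLOAD, strlen(PAYLOAD)) == (ssize_t)strlen(PAYLOAD)
        && close(v) == 0 && symlink(victim, link) == 0) {
        int fd = open_fn(link);          /* the call under test */
        if (fd >= 0) { *opened = 1; close(fd); }
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(link); unlink(victim); rmdir(dir);
    return size;
}
```

With the unsafe open the victim file ends up empty; with the hardened open the call fails and the file is untouched.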

I could easily see this being able to delete a security-relevant dot-file in the user's home directory. e.g. known_hosts or .google_authenticator or similar.

Keywords: sec-audit → sec-low
Severity: normal → S3