Closed Bug 1853443 Opened 1 year ago Closed 1 year ago

Something in Firefox seems to be writing addons to /tmp/tmpaddon

Categories

(WebExtensions :: Untriaged, defect)

Firefox 117
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: 711924474as, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0

Steps to reproduce:

It looks like something in Firefox is writing extensions to /tmp/tmpaddon as part
of the installation process. (That it is mentioned in errors such as
https://bugzilla.mozilla.org/show_bug.cgi?id=1385303 seems to confirm
this.) This needs to be confirmed to ensure it is not unsafe.
There is a tempfile vulnerability, but even if it doesn't, you should be using a tempfile.
Lock the temporary file name to avoid conflicts with other users.

I use the system "archlinux".
I added a new account, then the file /tmp/tmpaddon appeared and I was automatically redirected to Add-ons:

about:addons
moz-extension://f284360f-2863-4b78-9913-49d941fd05aa/options/options.html
https://chrispederick.com/work/web-developer/installed/firefox/20/

It looks like there are two places that write things to tmpaddon: https://searchfox.org/mozilla-central/search?q=tmpaddon&path=

Product: Firefox → WebExtensions

The tmpaddon file (and tmp-*.xpi) is part of the GMP and system add-on installation/update process (bug 1753110).

> This needs to be confirmed to ensure it is not unsafe

The add-on package's integrity and correctness are verified during the installation process. There used to be bugs, but these have been fixed by now (bug 1750565 / bug 1766047). If you have proof of a new vulnerability, please file a new bug with more details.

> I added a new account, then the file /tmp/tmpaddon appeared and I was automatically redirected to Add-ons

Are you sure that these events are connected to each other? If you check the contents of the zip file, what do you see (unzip -l /tmp/tmpaddon)? I have one such file right now, and it's part of the GMP updater.

> ... and automatically redirected to Add-ons
> about:addons
> moz-extension://f284360f-2863-4b78-9913-49d941fd05aa/options/options.html
> https://chrispederick.com/work/web-developer/installed/firefox/20/

The last one of these is opened by the Web Developer add-on when the extension has been installed or updated.
If by "added a new account", you meant that you've created a new account on the device, then the presence of this add-on could mean that the add-on is part of the distribution (or synchronized from another Firefox profile if you've logged in).

Group: firefox-core-security
See Also: → 1753110
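
An added example, not part of the original bug thread and not Firefox code: a read-only check for a file found at a fixed name in a shared directory such as /tmp/tmpaddon. It goes beyond the `unzip -l` listing suggested above by also reporting whether the name is a symlink, who owns the file and whether other users can write to it. The function name and the finding labels are hypothetical.

```python
import errno
import os
import stat
import sys
import zipfile


def inspect_shared_tmp_archive(path):
    """Return (findings, member_names) for an archive at a fixed /tmp path.

    Hypothetical helper: the finding labels are made up for this example.
    """
    try:
        # O_NOFOLLOW refuses a symlink planted at the name; O_NONBLOCK keeps
        # a FIFO at that name from hanging the open.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except FileNotFoundError:
        return ["missing"], []
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            return ["symlink"], []
        raise
    # fstat the descriptor we hold, so the checks and the listing refer to
    # the same inode even if the name is swapped afterwards.
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        return ["not-regular-file"], []
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("foreign-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    with os.fdopen(fd, "rb") as fh:
        try:
            with zipfile.ZipFile(fh) as zf:
                names = zf.namelist()  # same information as `unzip -l`
        except zipfile.BadZipFile:
            return findings + ["not-a-zip"], []
    return findings, names


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/tmpaddon"
    print(inspect_shared_tmp_archive(target))
```

An empty findings list together with member names that match an expected package (for instance the GMP updater content mentioned above) is the unremarkable result; any finding is a reason to look at which process created the file.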

Closing for now - if you have more information about why there is an actionable bug, it can be reopened.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID