CVE-2005-2353 run-mozilla.sh temporary file issue

RESOLVED FIXED

Status

Core Graveyard
Cmd-line Features
--
minor
RESOLVED FIXED
12 years ago
8 years ago

People

(Reporter: Josh Bressers, Assigned: dveditz)

Tracking

({fixed-aviary1.0.8, fixed1.7.13, fixed1.8})

Trunk
x86
Linux
fixed-aviary1.0.8, fixed1.7.13, fixed1.8
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
blocking1.8b5 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low local], URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
An Ubuntu security advisory fixed a temporary file vulnerability in the
run-mozilla.sh script when run in debug mode.

The run-mozilla.sh script passes gdb arguments from a temporary file which is
named in a manner that makes it fairly easy to guess.  The temporary file should
be created using the mktemp program to ensure proper file permissions and a
unique filename.
(Reporter)

Comment 1

12 years ago
Created attachment 192382 [details] [diff] [review]
Suggested fix for this issue

Updated

12 years ago
Whiteboard: [sg:investigate]

Comment 2

12 years ago
Different patch was originally submitted by the author of the original bug :

http://bugs.debian.org/cgi-bin/bugreport.cgi/mozilla-thunderbird-1.0.diff?bug=306893;msg=5;att=1
(Assignee)

Comment 3

12 years ago
Nominating for a closer look based on Frederic's mail.
Flags: blocking1.8b5?
Flags: blocking1.7.13?
Flags: blocking1.7.12?
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.7?

Updated

12 years ago
Flags: blocking1.8b5? → blocking1.8b5+
(Assignee)

Updated

12 years ago
Assignee: nobody → dveditz

Updated

12 years ago
Attachment #192382 - Flags: review?(dveditz)

Updated

12 years ago
Whiteboard: [sg:investigate] → [sg:investigate][needs review dveditz]

Comment 4

12 years ago
Is the patch effective? Running out of time for 1.5b2 . .. 
(Assignee)

Updated

12 years ago
Attachment #192382 - Flags: superreview?(dbaron)
Attachment #192382 - Flags: review?(dveditz)
Attachment #192382 - Flags: review+
Attachment #192382 - Flags: approval1.8b5?

Comment 5

12 years ago
DBaron - need SR here.
Comment on attachment 192382 [details] [diff] [review]
Suggested fix for this issue

This patch doesn't actually work because of the spaces around the equals sign
in this line:

>+        mozargs_temp = `mktemp /tmp/mozargs.XXXXXX`

If you fix that, then it works, so sr=dbaron, conditional on removing those two
spaces.
Attachment #192382 - Flags: superreview?(dbaron) → superreview-
That said, I think the patch in comment 2 is preferable (except with the
whitespace cleaned up), both because it uses mktemp -t and because it removes
the temporary file under more conditions.

Comment 8

12 years ago
Comment on attachment 192382 [details] [diff] [review]
Suggested fix for this issue

please re-request approval when you've got a fully reviewed patch.
Attachment #192382 - Flags: approval1.8b5?

Comment 9

12 years ago
Dbaron, can you get that earlier patch in? This bug is stalled and we seem to
want it for beta2.
(Assignee)

Comment 10

12 years ago
(In reply to comment #9)
> Dbaron, can you get that earlier patch in? This bug is stalled and we seem to
> want it for beta2.

I was actually about to check this in
(Assignee)

Comment 11

12 years ago
fix checked into trunk
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking1.7.12?
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Flags: blocking-aviary1.0.7?
Whiteboard: [sg:investigate][needs review dveditz] → [sg:low local]

Updated

12 years ago
Attachment #192382 - Flags: approval1.8b5?

Comment 12

12 years ago
Note: RH7.3 doesn't have mktemp -t

Updated

12 years ago
Attachment #192382 - Flags: approval1.8b5? → approval1.8b5+
(Assignee)

Comment 13

12 years ago
dropped -t and went back to mktemp /tmp/mozargs.XXXXXX

fix checked into the 1.8 branch
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8
Resolution: --- → FIXED

Comment 14

12 years ago
Any hope to get it landed on on 1.0.x aviary branch too ?
(Assignee)

Updated

12 years ago
Keywords: fixed-aviary1.0.8, fixed1.7.13
(Reporter)

Updated

12 years ago
Summary: CAN-2005-2353 run-mozilla.sh temporary file issue → CVE-2005-2353 run-mozilla.sh temporary file issue

Updated

8 years ago
Component: Cmd-line Features → Cmd-line Features
Product: Core → Core Graveyard

Updated

8 years ago
QA Contact: cmd-line
You need to log in before you can comment on or make changes to this bug.