Closed
Bug 432042
Opened 17 years ago
Closed 17 years ago
file descriptors leaking to external applications
Categories
(Core Graveyard :: Viewer App, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 372734
People
(Reporter: bugs+mozilla, Unassigned)
Details
(Whiteboard: [sg:dupe 372734])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080416 Fedora/2.0.0.14-1.fc7 Firefox/2.0.0.14
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14)
When Thunderbird invokes the open-browser.sh helper script (to open an external http:// URL), all of Thunderbird's open file descriptors are leaked into the shell process that runs the helper script. The shell passes these open file descriptors to whatever it executes next from open-browser.sh.
If the user has gnome-open installed, it executes the user's browser in a clean environment, so these leaked descriptors stop at gnome-open. But if the user doesn't have gnome-open, the script executes the browser directly, and all of Thunderbird's descriptors are leaked into the browser.
This raises some consequences:
1. Files and sockets used by Thunderbird are held open even after the user closes Thunderbird, until he/she also closes the browser;
2. The browser, with access to Thunderbird's open files and sockets, may pose some level of security and privacy risk (although very difficult in practice).
Even if the user has gnome-open installed, the descriptor leakage still happens thanks to bug #432021.
Reproducible: Always
Steps to Reproduce:
There are two different ways to reproduce this problem. You need to have zenity installed, or change the following steps in order to print the output somewhere else.
The first is:
1. Edit your .../thunderbird-2.0.0.x/open-browser.sh script and add the following command near the beginning (requires zenity installed):
ls -l /proc/$$/fd | zenity --text-info
2. In Thunderbird, access menu Help->Release Notes.
The second is:
1. Create a $HOME/fake-browser.sh file, containing the code below, and set it to executable:
#!/bin/sh
ls -l /proc/$$/fd | zenity --text-info
2. Rename /usr/bin/gnome-open to something else temporarily in order to test this bug.
3. gconftool-2 -s /desktop/gnome/url-handlers/http/command -t string "$HOME/fake-browser.sh %s"
4. In Thunderbird, access menu Help->Release Notes.
5. Revert back /usr/bin/gnome-open.
6. gconftool-2 -s /desktop/gnome/url-handlers/http/command -t string "firefox %s"
Actual Results:
You see that all Thunderbird file descriptors are leaked to whatever command is executed as the user's browser.
Expected Results:
open-browser.sh is executed in a clean environment, without its file descriptor table populated with Thunderbird's open files.
I'm setting this bug as security-related because that's how we usually consider descriptor leakage. But given the circumstances, it seems very difficult for a remote user to exploit or compromise the user's system. The real security risks seem to be really small, but anyways, descriptor leakage should be avoided at all costs, and that makes this bug critical.
If you think that this bug doesn't deserve the confidentiality, feel free to unset the security status so that more users are able to contribute a patch to fix it.
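The leak described in this report and the usual remedy (marking descriptors close-on-exec), as an added C example that is not code from this bug or from Mozilla. It assumes a pipe as a stand-in for one of the mail client's open files and `sleep` as a stand-in for the external browser; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec while preserving its other descriptor flags. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Returns 1 if the exec'd helper still holds the parent's descriptor,
 * 0 if it was closed across exec (or exec failed), -1 on error. */
int helper_inherits_fd(int use_cloexec)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    /* p[1] is a constructed stand-in for an open profile file or socket.
     * On Linux, pipe2(p, O_CLOEXEC) would set the flag atomically. */
    if (use_cloexec && set_cloexec(p[1]) < 0) { close(p[0]); close(p[1]); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        /* Hypothetical external handler: "sleep" plays the browser. */
        execlp("sleep", "sleep", "30", (char *)NULL);
        _exit(127);
    }
    close(p[1]); /* from here on only the helper can keep the write end open */
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    int n = poll(&pfd, 1, 1000); /* hang-up arrives once no writer is left */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(p[0]);
    return n < 0 ? -1 : (n == 0); /* timeout: the helper inherited p[1] */
}

int main(void)
{
    printf("default flags: inherited=%d\n", helper_inherits_fd(0));
    printf("FD_CLOEXEC:    inherited=%d\n", helper_inherits_fd(1));
    return 0;
}
```

The first case also shows consequence 1 from the report: the pipe stays open for as long as the helper runs, even though the parent has closed its own copy.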
Comment 1 • 17 years ago (Reporter)
As Mark Banner noted on bugs #432021 and #432022, the open-browser.sh file is Fedora-specific. But this bug is still valid. I would like to update the Steps to reproduce:
1. Create the $HOME/fake-browser.sh as described before;
2. Set network.protocol-handler.app.http to point to it;
3. Access menu Help->Release Notes.
Comment 2 • 17 years ago (Reporter)
I just checked and Firefox has the very same problem.
For example, I clicked on an irc:// link, and that executed the IRC client with all Firefox open descriptors.
~% lsof ~/.mozilla/firefox/default.ktn/search.sqlite
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
firefox-bin 7290 ju 54u REG 253,1 2048 4260869 .../.mozilla/firefox/default.ktn/search.sqlite
firefox-bin 7290 ju 55u REG 253,1 2048 4260869 .../.mozilla/firefox/default.ktn/search.sqlite
konversation 18140 ju 54u REG 253,1 2048 4260869 .../.mozilla/firefox/default.ktn/search.sqlite
konversation 18140 ju 55u REG 253,1 2048 4260869 .../.mozilla/firefox/default.ktn/search.sqlite
Component: General → Viewer App
Product: Thunderbird → Core
Summary: file descriptors leaking into open-browser.sh → file descriptors leaking to external applications
Comment 3 • 17 years ago
Dup of bug 372734?
Comment 4 • 17 years ago (Reporter)
(In reply to comment #3)
> Dup of bug 372734?
Yes, it is. Sorry for the dupe, I didn't have access to that bug, and it didn't show on the search results.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Updated • 17 years ago
Whiteboard: [sg:dupe 372734]
Updated • 17 years ago (Assignee)
Product: Core → Core Graveyard
Updated • 16 years ago
Group: core-security