Your message dated Mon, 9 May 2016 07:15:41 +0900 with message-id <[email protected]> and subject line Re: Bug#823772: iceweasel: getting root acces through iceweasel has caused the Debian Bug report #823772, regarding iceweasel: getting root acces through iceweasel to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
823772: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823772
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iceweasel
Version: 38.8.0esr-1~deb8u1
Severity: important

Dear Maintainer,

I recently installed Debian.
In iceweasel the default Download location (Save files to) was
/root/Downloads.
I downloaded a pdf-file and opened it with iceweasel (open containing folder).
Thunar was opened. There I could click on "open terminal here" and got root
permission without entering the root password.

Now I changed the download location and everything is fine. I can't choose the
/root/Downloads folder as location anymore.
But this seems to be a serious security problem.

-- Package-specific info:

-- Extensions information
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

-- Plugins information

-- Addons package information
ii  iceweasel  38.8.0esr-1~  amd64  Web browser based on Firefox

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-18+deb8u4
ii  libcairo2                 1.14.0-2.1+deb8u1
ii  libdbus-1-3               1.8.20-0+deb8u1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-3+deb8u1
ii  libgcc1                   1:4.9.2-10
ii  libgdk-pixbuf2.0-0        2.31.1-2+deb8u4
ii  libglib2.0-0              2.42.1-1+b1
ii  libgtk2.0-0               2.24.25-3+deb8u1
ii  libhunspell-1.3-0         1.3.3-3
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.7.1-1+deb8u1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libx11-6                  2:1.6.2-3
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.4-2

Versions of packages iceweasel suggests:
pn  fonts-mathjax            <none>
pn  fonts-oflb-asana-math    <none>
pn  fonts-stix | otf-stix    <none>
ii  libcanberra0             0.30-2.1
pn  libgnomeui-0             <none>
ii  libgssapi-krb5-2         1.12.1+dfsg-19+deb8u2
pn  mozplugger               <none>

-- no debconf information
--- End Message ---
--- Begin Message ---
On Sun, May 08, 2016 at 09:57:55PM +0200, Jan Brupp wrote:
> Package: iceweasel
> Version: 38.8.0esr-1~deb8u1
> Severity: important
>
> Dear Maintainer,
>
> I recently installed Debian.
> In iceweasel the default Download location (Save files to) was
> /root/Downloads.
> I downloaded a pdf-file and opened it with iceweasel (open containing folder).
> Thunar was opened. There I could click on "open terminal here" and got root
> permission without entering the root password.
>
> Now I changed the download location and everything is fine. I can't choose the
> /root/Downloads folder as location anymore.
> But this seems to be a serious security problem.

It seems you started iceweasel as root in the first place. Your scenario
is simply impossible otherwise.

Mike
--- End Message ---

