Bug#825198: marked as done (firefox: please disable any access from the browser to the clipboard)

[Debian Bug Tracking System]

Your message dated Thu, 22 Oct 2020 11:43:57 +0200
with message-id <20201022094357.GA1646031@jcristau-z4>
and subject line Re: Bug#825198: firefox: please disable any access from the 
browser to the clipboard
has caused the Debian Bug report #825198,
regarding firefox: please disable any access from the browser to the clipboard
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
825198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825198
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: firefox
Severity: important
Tags: security


Hi.

There is no reason why a browser should access the clipboard
of the client.
It opens all kinds of attack vetors and likely privacy leaks.

See e.g. recent exploits[0].

I wouldn't be all to surprised if Mozilla would also allow
to read out the current clip board contents, which wold be a
really grave issue, as it could contain passwords, keys, etc.

There has been some recent media coverage[1] (this one in
German) about [0].

Cheers,
Chris.

[0] https://github.com/dxa4481/Pastejacking
[1] 
http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-and-paste-1605-121062.html

--- End Message ---

--- Begin Message ---

Control: severity -1 wishlist
Control: tag -1 - security
Control: tag -1 wontfix

Closing as wontfix, feature requests belong upstream rather than in the BTS.

Cheers,
Julien

On Tue, May 24, 2016 at 03:57:28PM +0200, Christoph Anton Mitterer wrote:
> Source: firefox
> Severity: important
> Tags: security
> 
> 
> Hi.
> 
> There is no reason why a browser should access the clipboard
> of the client.
> It opens all kinds of attack vetors and likely privacy leaks.
> 
> See e.g. recent exploits[0].
> 
> I wouldn't be all to surprised if Mozilla would also allow
> to read out the current clip board contents, which wold be a
> really grave issue, as it could contain passwords, keys, etc.
> 
> There has been some recent media coverage[1] (this one in
> German) about [0].
> 
> Cheers,
> Chris.
> 
> [0] https://github.com/dxa4481/Pastejacking
> [1] 
> http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-and-paste-1605-121062.html

--- End Message ---