Package: iceweasel
Version: 31.5.0esr-1~deb7u1
Severity: important
Tags: security

Dear all,

Iceweasel offers the possibility to open a file instead of downloading it. In such a situation, the file is downloaded into the /tmp directory and then opened. The permissions set on the downloaded temporary file are weak, allowing anyone to open it as well. This has the wrong effect of disclosing the file to anyone who has access to the system, leading to a potential privacy disclosure, depending on the file. It would be better that iceweasel grants limited permissions to the user only.

-- Package-specific info:

-- Extensions information
Name: Français Language Pack locale
Location: /usr/lib/iceweasel/browser/extensions/langpack...@iceweasel.mozilla.org.xpi
Package: iceweasel-l10n-fr
Status: enabled

Name: Thème par défaut theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled

-- Addons package information
ii  browser-plugin  0.8.11~git20  amd64  GNU Shockwave Flash (SWF) player
ii  gnome-shell     3.4.2-7+deb7  amd64  graphical shell for the GNOME des
ii  iceweasel       31.5.0esr-1~  amd64  Web browser based on Firefox
ii  iceweasel-l10n  1:31.5.0esr-  all    French language package for Icewe
ii  rhythmbox-plug  2.97-2.1      amd64  plugins for rhythmbox music playe

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils               4.3.2
ii  fontconfig                2.9.0-7.1
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libc6                     2.13-38+deb7u8
ii  libcairo2                 1.12.2-3
ii  libdbus-1-3               1.6.8-1+deb7u6
ii  libdbus-glib-1-2          0.100.2-1
ii  libevent-2.0-5            2.0.19-stable-3+deb7u1
ii  libffi5                   3.0.10-3
ii  libfontconfig1            2.9.0-7.1
ii  libfreetype6              2.4.9-1.1
ii  libgcc1                   1:4.7.2-5
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-5
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libpango1.0-0             1.30.0-1
ii  libsqlite3-0              3.7.13-1+deb7u1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-5
ii  libx11-6                  2:1.5.0-1+deb7u1
ii  libxext6                  2:1.3.1-2+deb7u1
ii  libxrender1               1:0.9.7-1+deb7u1
ii  libxt6                    1:1.1.3-1+deb7u1
ii  procps                    1:3.3.3-3
ii  zlib1g                    1:1.2.7.dfsg-13

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  fonts-mathjax             <none>
pn  fonts-oflb-asana-math     <none>
ii  fonts-stix [otf-stix]     1.1.0-1
ii  libcanberra0              0.28-6
ii  libgnomeui-0              2.24.5-2
ii  libgssapi-krb5-2          1.10.1+dfsg-5+deb7u3
pn  mozplugger                <none>

-- no debconf information
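
The permission difference the report asks for, shown as an added example that is not part of the original report and is not Iceweasel's code: a file created with default permissions next to one created owner-only, plus an audit that lists a user's files that group or others can read. The function names, the file name and contents, and the umask of 022 are assumptions made for the illustration; the report does not state the exact mode Iceweasel used.

```python
import os
import stat
import tempfile

def save_default(directory, name, data):
    """Model of the reported behaviour: plain create, mode left to the umask."""
    path = os.path.join(directory, name)
    old = os.umask(0o022)                 # assumed common default umask
    try:
        with open(path, "wb") as fh:      # requests 0666, umask 022 gives 0644
            fh.write(data)
    finally:
        os.umask(old)                     # restore the caller's umask
    return path

def save_private(directory, suffix, data):
    """Owner-only variant: mkstemp creates the file with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(dir=directory, suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def audit(directory, uid=None):
    """Return (name, mode) for uid's regular files that group or others can read."""
    uid = os.getuid() if uid is None else uid
    hits = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if (st.st_uid == uid and stat.S_ISREG(st.st_mode)
                and st.st_mode & (stat.S_IRGRP | stat.S_IROTH)):
            hits.append((entry.name, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def demo():
    # Constructed sandbox directory standing in for /tmp; sample data is constructed.
    with tempfile.TemporaryDirectory() as d:
        save_default(d, "statement.pdf", b"constructed sample")
        private = save_private(d, ".pdf", b"constructed sample")
        return audit(d), stat.S_IMODE(os.lstat(private).st_mode)

if __name__ == "__main__":
    exposed, private_mode = demo()
    print("readable by others:", exposed)
    print("mkstemp mode:", oct(private_mode))
```

Pointing `audit()` at the real /tmp gives a quick check of whether any of the current user's temporary files are exposed to other local accounts.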