Package: firefox
Version: 57.0-1
Severity: normal

Something in Firefox seems to be writing addons to /tmp/tmpaddon as part of the installation process. (Mentions in bugs like https://bugzilla.mozilla.org/show_bug.cgi?id=1385303 seem to confirm this.) This needs confirmation to make sure it isn't an insecure tempfile vulnerability, but even if it isn't, it *should* be using a secure temporary file name to avoid conflict with other users.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox depends on:
ii  debianutils               4.8.3
ii  fontconfig                2.12.3-0.2
ii  libatk1.0-0               2.26.1-1
ii  libc6                     2.24-17
ii  libcairo-gobject2         1.15.8-2
ii  libcairo2                 1.15.8-2
ii  libdbus-1-3               1.12.2-1
ii  libdbus-glib-1-2          0.108-3
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.12.3-0.2
ii  libfreetype6              2.8.1-0.1
ii  libgcc1                   1:7.2.0-16
ii  libgdk-pixbuf2.0-0        2.36.11-1
ii  libglib2.0-0              2.54.2-1
ii  libgtk-3-0                3.22.26-1
ii  libgtk2.0-0               2.24.31-2
ii  libhunspell-1.6-0         1.6.2-1
ii  libjsoncpp1               1.7.4-3
ii  libnspr4                  2:4.16-1
ii  libnss3                   2:3.33-1
ii  libpango-1.0-0            1.40.13-2
ii  libsqlite3-0              3.21.0-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                7.2.0-16
ii  libvpx4                   1.6.1-3
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3
ii  zlib1g                    1:1.2.8.dfsg-5

firefox recommends no packages.

Versions of packages firefox suggests:
ii  fonts-lmodern          2.004.5-3
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-4
ii  libgssapi-krb5-2       1.15.2-2
pn  mozplugger             <none>

-- no debconf information
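
Added example, not part of the original report and not Firefox code: a Python sketch of the fixed-name collision the report describes, next to two safer ways of staging a download in a shared directory. The function names, the `.xpi` suffix and the payloads are assumptions; both "users" are simulated in one process inside a private directory that stands in for /tmp, so the collision appears as an overwrite.

```python
import os
import stat
import tempfile

FIXED_NAME = "tmpaddon"  # predictable name taken from the report

def stage_fixed(shared_dir, data):
    """Predictable name + plain open(): reuses whatever already sits there."""
    path = os.path.join(shared_dir, FIXED_NAME)
    with open(path, "wb") as fh:  # truncates an existing file, follows symlinks
        fh.write(data)
    return path

def stage_exclusive(shared_dir, data):
    """Same name, but fail if any entry (file or symlink) already exists."""
    path = os.path.join(shared_dir, FIXED_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(data)
    return path

def stage_unique(shared_dir, data):
    """mkstemp: random name, created with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="tmpaddon-", suffix=".xpi", dir=shared_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        # Constructed scenario: another user's download already uses the name.
        other = stage_fixed(shared, b"user A addon")
        stage_fixed(shared, b"user B addon")
        with open(other, "rb") as fh:
            out["fixed_clobbered"] = fh.read() == b"user B addon"
        try:
            stage_exclusive(shared, b"user B addon")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        a = stage_unique(shared, b"user A addon")
        b = stage_unique(shared, b"user B addon")
        out["unique_distinct"] = a != b
        out["unique_mode"] = stat.S_IMODE(os.stat(a).st_mode)
        with open(a, "rb") as fh:
            out["a_intact"] = fh.read() == b"user A addon"
    return out

if __name__ == "__main__":
    print(demo())
```
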