On Sat, Nov 18, 2017 at 08:03:21AM +0900, Mike Hommey wrote:
> On Fri, Nov 17, 2017 at 02:32:43PM -0800, Josh Triplett wrote:
> > Package: firefox
> > Version: 57.0-1
> > Severity: normal
> >
> > Something in Firefox seems to be writing addons to /tmp/tmpaddon as part
> > of the installation process. (Mentions in bugs like
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1385303 seem to confirm
> > this.) This needs confirmation to make sure it isn't an insecure
> > tempfile vulnerability, but even if it isn't, it *should* be using a
> > secure temporary file name to avoid conflict with other users.
>
> toolkit/mozapps/extensions/internal/ProductAddonChecker.jsm does:
> let f = await OS.File.openUnique(OS.Path.join(OS.Constants.Path.tmpDir,
> "tmpaddon"))
>
> toolkit/mozapps/extensions/internal/XPIProvider.jsm does:
> let path = OS.Path.join(OS.Constants.Path.tmpDir, "tmpaddon");
> let unique = await OS.File.openUnique(path);
>
> Those are the only two references to "tmpaddon", and openUnique creates
> unique file names with the given prefix. So this shouldn't be happening.
~$ file /tmp/tmpaddon
/tmp/tmpaddon: Zip archive data, at least v2.0 to extract
~$ unzip -l /tmp/tmpaddon
Archive:  /tmp/tmpaddon
  Length      Date    Time    Name
---------  ---------- -----   ----
      116  2017-08-21 20:25   gmpopenh264.info
  1407459  2017-08-21 20:25   libgmpopenh264.so
---------                     -------
  1407575                     2 files

So that's an additional concern: Firefox *shouldn't* be downloading or
using OpenH264. It shows up as "disabled" under about:plugins and
about:addons.

- Josh Triplett
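The "unique name with a given prefix" behaviour Mike attributes to openUnique above, as an added example that is not Mozilla's code and not part of this thread: a Python approximation that creates an owner-only file under a shared temp directory using O_CREAT|O_EXCL, plus a constructed check that a symlink pre-planted at the fixed name /tmp-style path is skipped rather than written through. The "prefix-N" fallback naming and the demo() helper are assumptions of this example.

```python
import errno
import os
import tempfile

# Added example, not Mozilla's code: a Python approximation of the
# "unique file name with a given prefix" behaviour the thread attributes to
# OS.File.openUnique. The "prefix-N" fallback naming is an assumption.
def open_unique(tmp_dir, prefix="tmpaddon", attempts=100):
    """Create a new owner-only (0600) file under tmp_dir; return (path, fd).

    O_CREAT|O_EXCL makes open() succeed only on a file this call created, so a
    pre-planted regular file or symlink (dangling or not) at the candidate
    name is skipped rather than reused or written through; O_NOFOLLOW is a
    second guard where the platform offers it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for n in range(attempts):
        name = prefix if n == 0 else f"{prefix}-{n}"
        path = os.path.join(tmp_dir, name)
        try:
            return path, os.open(path, flags, 0o600)
        except FileExistsError:
            continue  # name taken (file or link): move on, never reuse it
        except OSError as exc:
            if exc.errno == errno.ELOOP:  # symlink refused by O_NOFOLLOW
                continue
            raise
    raise RuntimeError(f"no free name with prefix {prefix!r} in {tmp_dir}")


def demo():
    """Run open_unique against a clean and a constructed hostile directory."""
    clean = tempfile.mkdtemp()
    p1, fd1 = open_unique(clean)
    p2, fd2 = open_unique(clean)
    os.close(fd1); os.close(fd2)
    # Constructed hostile layout: a symlink already occupies the fixed name,
    # pointing at a file that must never be created through it.
    hostile = tempfile.mkdtemp()
    victim = os.path.join(hostile, "victim")
    os.symlink(victim, os.path.join(hostile, "tmpaddon"))
    p3, fd3 = open_unique(hostile)
    os.close(fd3)
    return {
        "first": os.path.basename(p1),
        "second": os.path.basename(p2),
        "after_symlink": os.path.basename(p3),
        "victim_created": os.path.exists(victim),
        "mode_leaks_to_others": bool(os.stat(p1).st_mode & 0o077),
    }
```

A fixed name such as /tmp/tmpaddon can only come from code that bypasses this pattern, which is why the directory listing above is worth checking for a symlink or a foreign owner before trusting its contents.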