On Wed, Jul 02, 2008 at 03:06:28PM +0200, Vincent Lefevre wrote:
> Package: iceweasel
> Version: 3.0~rc2-2
> Severity: grave
> Justification: possible data loss or security hole
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=443153
>
> When I click on a PDF file, Firefox says:
>
> You have chosen to open
> <file>.pdf
> which is a: Adobe Acrobat Document
> from: <URL>
> What should iceweasel do with this file?
> * Open with [xpdf (default)]
> o Save File
> [] Do this automatically...
>
> and when I click on OK, evince is executed instead of xpdf!
>
> There may be security/privacy implications since an arbitrary program
> neither chosen by the user nor announced to the user is executed.
> Worse, Firefox takes $PATH into account, so that the program may not
> even be the expected one. For instance, if the user has created an
> evince script (e.g. that does a "rm -rf") in his bin directory, this
> script will be run without the user's consent.
>
> This bug also occurs in safe mode (-safe-mode option).

Please run with the following environment variable set, and send output here:

NSPR_LOG_MODULES=HelperAppService:5

Mike
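
The report's point about $PATH can be checked on a given system. The following is an added example, not part of the thread or of Iceweasel: it lists which file wins a $PATH lookup for a helper name and whether that file sits in a trusted directory. The function names, the trusted-directory argument and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which file wins a $PATH lookup for a helper name?

# path_candidates NAME [PATHSTRING]: print every executable NAME, in lookup order.
path_candidates() {
    pc_name=$1; pc_search=${2-$PATH}
    pc_ifs=$IFS; IFS=:; set -f
    for pc_dir in $pc_search; do
        [ -n "$pc_dir" ] || pc_dir=.      # an empty PATH entry means the current directory
        if [ -f "$pc_dir/$pc_name" ] && [ -x "$pc_dir/$pc_name" ]; then
            printf '%s\n' "$pc_dir/$pc_name"
        fi
    done
    set +f; IFS=$pc_ifs
}

# winning_helper NAME TRUSTED_DIRS [PATHSTRING]: print the first match.
# Returns 0 if it sits in one of the colon-separated TRUSTED_DIRS, 1 if not, 2 if not found.
winning_helper() {
    wh_first=$(path_candidates "$1" "${3-$PATH}" | head -n 1)
    [ -n "$wh_first" ] || return 2
    printf '%s\n' "$wh_first"
    case ":$2:" in
        *":${wh_first%/*}:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo tree: a system-style directory and a per-user bin directory,
# each holding a harmless stand-in named "evince".
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/home/bin"
    for f in "$d/usr/bin/evince" "$d/home/bin/evince"; do
        printf '#!/bin/sh\nexit 0\n' > "$f"; chmod +x "$f"
    done
    rc=0
    hit=$(winning_helper evince "$d/usr/bin" "$d/home/bin:$d/usr/bin") || rc=$?
    echo "lookup order:"; path_candidates evince "$d/home/bin:$d/usr/bin" | sed "s|^$d|  <tmp>|"
    [ "$rc" -eq 0 ] && echo "OK" || echo "WARN: first match is outside the trusted directories"
    rm -rf "$d"
}
demo
```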