Using Thunderbird 38.8.0 in Ubuntu 16.04, when I open a pdf I now get a

-r-------- 1 thomas thomas  19K Jun 16 18:28 filename.pdf

So nobody can read the file, which is 95% of the security fix. The
remaining 5% would be to not expose the file name to other users.

That's exactly how it is done for Mozilla Firefox 47.0/Ubuntu 16.04:

Firefox now uses a directory which is only accessible by the user:

drwx------ 1 thomas thomas 1,9K Jun 16 18:08 mozilla_thomas0

Thereby, using Firefox, the file names of temporary files in the
directory are no longer exposed to other users. Would be great to have
the same behaviour in Thunderbird as well.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

Status in Mozilla Thunderbird:
  Fix Released
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I open an attachment of an email in Thunderbird it gets written
  to disk with permission 644, so it is readable by everyone on the
  system.

  How to repeat: Open an E-Mail, Open an Attachment (e.g. google.png)

  $ cd /tmp; ls -lh
  -rw-r--r-- 1 theuser thegroup 2,4K Dez 11 10:39 google.png

  Instead, Thunderbird should write the file with permissions 600. Plus,
  to avoid conflicts between users, the file should be written into a
  directory per user, e.g. /tmp/theuser/google.png or another user
  specific temp directory.

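The three states discussed in this report (the original 0644 file in /tmp, the 0400 file from Thunderbird 38.8.0, and a Firefox-style 0700 per-user directory), compared in an added example that is not part of the bug report or of Mozilla's code. The function names, the stand-in for /tmp and the sample bytes are constructed, and the check looks only at the file and its immediate parent directory.

```python
import os
import shutil
import stat
import tempfile

READ = stat.S_IRGRP | stat.S_IROTH    # r for group/other
SEARCH = stat.S_IXGRP | stat.S_IXOTH  # x for group/other


def exposure(path):
    """What other local users can learn about a temp file (mode bits only)."""
    fmode = stat.S_IMODE(os.stat(path).st_mode)
    dmode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    return {
        # Reading needs r on the file and x (search) on the directory.
        "content_readable": bool(fmode & READ) and bool(dmode & SEARCH),
        # Listing file names needs r on the directory.
        "name_listable": bool(dmode & READ),
    }


def write_file(directory, name, data, mode):
    path = os.path.join(directory, name)
    # O_EXCL refuses to reuse a path another user pre-created in a shared dir.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, mode)  # exact mode, independent of the umask
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def save_private(shared_tmp, name, data):
    # mkdtemp creates a uniquely named directory with mode 0700.
    private = tempfile.mkdtemp(prefix="mozilla_user", dir=shared_tmp)
    return write_file(private, name, data, 0o600)


def demo():
    root = tempfile.mkdtemp()
    try:
        shared = os.path.join(root, "tmp")  # constructed stand-in for /tmp
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        return {
            "original_0644": exposure(write_file(shared, "google.png", b"x", 0o644)),
            "fixed_0400": exposure(write_file(shared, "filename.pdf", b"x", 0o400)),
            "private_dir": exposure(save_private(shared, "filename.pdf", b"x")),
        }
    finally:
        shutil.rmtree(root)
```

Calling `demo()` returns one exposure report per state; only the per-user directory hides both the contents and the file name.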