- Package: iceweasel
- Source: firefox-esr
- Submitter: Pierre Schweitzer
- Date: 2025-09-18 07:32:00 UTC
- Severity: important
- Tags:
Dear all, Iceweasel offers the possibility to open a file instead of downloading it. In such a situation, the file is downloaded into the /tmp directory and then opened. The permissions set on the downloaded temporary file are weak, allowing anyone to open it as well. This has the wrong effect of disclosing the file to anyone who has access to the system, leading to a potential privacy disclosure, depending on the file. It would be better that iceweasel grants limited permissions to the user only.
As a side note, as a better fix it would be interesting to move all the temporary files from Iceweasel to a directory such as /tmp/iceweasel-user-random/ to prevent any information leak regarding the metadata of the temporary files. Will report this to upstream.
More information again for this bug. It also affects Sid with (31.5.0esr-1). On the other hand, Firefox in Ubuntu Trusty (LTS) isn't affected (36.0+build2-0ubuntu0.14.04.4). Regarding my proposal, I've proposed it upstream at: https://bugzilla.mozilla.org/show_bug.cgi?id=1140159
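The following sketch is an added example, not code from Iceweasel or from the report. It contrasts a temporary file whose mode is left to the umask with the layout proposed above (a random per-user directory holding an owner-only file), and includes a small audit that flags files readable by group or others. The function names, the `iceweasel-user-` prefix, the sample file name and the scratch directory standing in for /tmp are all assumptions made for illustration.

```python
import os
import stat
import tempfile

def mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def world_readable(path):
    return bool(mode(path) & (stat.S_IRGRP | stat.S_IROTH))

def save_weak(shared_tmp, name, data):
    """Weak pattern: file placed directly in the shared directory, mode left to the umask."""
    path = os.path.join(shared_tmp, name)
    old = os.umask(0o022)  # common default umask, pinned so the result is reproducible
    try:
        with open(path, "wb") as fh:  # requests 0666, umask reduces it to 0644
            fh.write(data)
    finally:
        os.umask(old)
    return path

def save_private(shared_tmp, name, data, prefix="iceweasel-user-"):
    """Hardened pattern: random 0700 directory, then an exclusively created 0600 file."""
    private_dir = tempfile.mkdtemp(prefix=prefix, dir=shared_tmp)  # created with mode 0700
    path = os.path.join(private_dir, os.path.basename(name))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # exact mode, independent of the caller's umask
        os.write(fd, data)
    finally:
        os.close(fd)
    return path

def audit(root):
    """Return regular files under root that group or others can read."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode) and world_readable(p):
                hits.append(p)
    return sorted(hits)

def demo():
    with tempfile.TemporaryDirectory() as shared:  # scratch stand-in for /tmp
        weak = save_weak(shared, "statement.pdf", b"constructed sample")
        priv = save_private(shared, "statement.pdf", b"constructed sample")
        flagged = [os.path.relpath(p, shared) for p in audit(shared)]
        return mode(weak), mode(priv), mode(os.path.dirname(priv)), flagged
```

Because the private directory is mode 0700, other local users cannot list it, so the file name and timestamps stay hidden along with the content.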
src:iceweasel has been superseded by src:firefox-esr in version 45.0esr-1 in March 2016. Transitional packages to ease upgrades were provided in the wheezy, jessie, stretch and buster releases. The transitional packages have been removed finally before the bullseye release in August 2021. After regular security support for buster ended in August 2022 and LTS support ended in June 2024, I'm closing the remaining bug reports now. Andreas