On 2007-09-10 22:36:53 +0200, Florian Weimer wrote:
> * Eric Dorland:
> > Since upstream does not consider this a critical bug, I don't
> > think we should either.

I have several comments about this:

First, I think that Debian's security team shouldn't make their decisions based on what upstream decides. IMHO, upstream is sometimes wrong, in particular when you have some comments like:

https://bugzilla.mozilla.org/show_bug.cgi?id=369761#c7

They did the same thing about the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=246524

Also, I have the impression that upstream is more focused on Windows (where the problem may be less important) than on Linux.

Moreover, the mailcap entry in Debian makes the bug even worse (in Debian).

And note that there is at least a related bug that has the security flag set (thus its contents are not visible to the public). There's bug 369462, mentioned in comment #39:

https://bugzilla.mozilla.org/show_bug.cgi?id=230606#c39

> Can't this be used to read SSH keys if the path to the home directory
> can be guessed?

I haven't tried, but I think it can be guessed using relative URLs, as the local HTML file may be stored somewhere in the user's home directory. As several files can be opened, the attacker can try ".ssh/id_rsa", "../.ssh/id_rsa", "../../.ssh/id_rsa".

But anyway, there is no need to guess the user's home directory: /etc/passwd is world-readable and gives sufficient information. Moreover, if the machine has a locate database installed (note: locate, not slocate), the attacker has access to a lot of filenames.

On Bugzilla, it has been noted that one can open various /dev files to do some DoS.

-- 
Vincent Lefèvre <[EMAIL PROTECTED]> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)