forcemerge 229547 451327
thanks

* Paolo ([EMAIL PROTECTED]) wrote:
> Package: iceweasel
> Version: N/A
> Severity: grave
>
> Seems that at some point, Mozilla has introduced a 'feature' that fixed the
> 'another instance of ... already running' issue, so that if you start another
> instance of FF it won't complain, but simply it'd open another window of the
> already running instance.
> So far so good.
> The bad news is that this happens with FF launched on a remote system as well,
> which is *not* what's supposed to happen.
> Here's a scenario:
>
> L. local system: Sarge - stock FF1.5.0.12, FF2.0.0.8, SM1.1.5, Debian's FF.
> R. remote system: Etch - same as above, except Debian's FF->IW .
>
> 1. On L, ssh -X into R
> 2.1. On L, start FF - any version
> 3.1 On R, start FF - any version: the window comes up surprisingly fast;
>     problem is, that's just another window of the locally running FF! i.e.
>     if FF1.5 is running on L, then 'iceweasel' on R opens FF1.5 again.
>
> The converse is also true:
>
> 2.2 On R, start IW (or FF/SM)
> 3.2 On L, start FF (or SM): what you get is another window of the remote
>     IW/FF/SM.
>
> FF/SM fails to check if the running instance on current $DISPLAY belongs to
> the same host+binary it's being started from.
> This has some obvious, and perhaps some not so obvious, security issues.

Please don't file duplicate bugs. What precisely are the security risks?

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]