On Tue, Apr 12, 2011 at 02:46:15PM +0200, Vincent Lefevre wrote:
> retitle 622353 iceweasel: downloading a file from some web site can introduce
> incorrect data in mimeTypes.rdf
> tags 622353 security
> severity 622353 grave
> thanks
>
> On 2011-04-12 14:20:30 +0200, Vincent Lefevre wrote:
> > Package: iceweasel
> > Version: 3.5.18-1
> > Severity: normal
> >
> > Files served as "Content-Type: application/binary" are seen as Bzip
> > archives.
>
> The problem seems to come from the mimeTypes.rdf, which contains:
>
>   <RDF:Description RDF:about="urn:mimetype:application/binary"
>                    NC:value="application/binary"
>                    NC:editable="true"
>                    NC:description="Bzip archive">
>     <NC:handlerProp RDF:resource="urn:mimetype:handler:application/binary"/>
>   </RDF:Description>
>
> If I remove any reference to application/binary from mimeTypes.rdf,
> the problem no longer appears after restarting Iceweasel.
>
> However if I download a real bzip archive with application/binary
> content type, e.g.
>
>   https://gforge.inria.fr/frs/download.php/28449/mpfr-3.0.1.tar.bz2
>
> the lines reappear in the mimeTypes.rdf file, and the problem
> reappears.
>
> Really, Iceweasel shouldn't corrupt the mimeTypes.rdf file in such
> a way, that could affect other web sites. IMHO, this is a potential
> security problem, as it can fool the user by giving wrong information
> about the contents of a file.

Please file this upstream (reproducible with firefox 4.0), but I don't
think this has much security implication.

Mike
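
A profile-side check for the kind of entry quoted in the report, as an added example that is not part of the original thread or of Iceweasel: it parses a mimeTypes.rdf and lists generic content types that have picked up a file-type description. The function name, the GENERIC_TYPES set and the sample document are assumptions made for illustration; the sample reuses the entry from the report plus one constructed entry.

```python
import sys
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NC_NS = "http://home.netscape.com/NC-rdf#"

# Assumption: content types that servers use as a catch-all for "some bytes",
# so a description learned from one download does not hold for the next one.
GENERIC_TYPES = {"application/binary", "application/octet-stream"}

# Constructed sample: the entry quoted in the report plus one ordinary entry.
SAMPLE = """<?xml version="1.0"?>
<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
         xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <RDF:Description RDF:about="urn:mimetype:application/binary"
                   NC:value="application/binary"
                   NC:editable="true"
                   NC:description="Bzip archive">
    <NC:handlerProp RDF:resource="urn:mimetype:handler:application/binary"/>
  </RDF:Description>
  <RDF:Description RDF:about="urn:mimetype:application/pdf"
                   NC:value="application/pdf"
                   NC:editable="true"
                   NC:description="PDF document"/>
</RDF:RDF>
"""


def suspicious_entries(rdf_text, generic_types=GENERIC_TYPES):
    """Return (mime type, description) pairs for generic types with a description."""
    root = ET.fromstring(rdf_text)
    found = []
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        mime = desc.get(f"{{{NC_NS}}}value")
        if mime is None:
            continue  # handler / application nodes carry no NC:value
        label = desc.get(f"{{{NC_NS}}}description", "")
        if mime.lower() in generic_types and label:
            found.append((mime.lower(), label))
    return found


if __name__ == "__main__":
    # With no argument, audit the embedded sample; otherwise audit the given file.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for mime, label in suspicious_entries(text):
        print(f"{mime}: shown to the user as {label!r}")
```
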