Apport leaks the secret name of the Firefox profile directory

Bug #612185 reported by Till Ulen
This bug affects 1 person
Affects          | Status       | Importance | Assigned to   | Milestone
apport (Ubuntu)  | Invalid      | Undecided  | Unassigned    |
firefox (Ubuntu) | Fix Released | Medium     | Chris Coulson |

Bug Description

Binary package hint: firefox

Choose Help → Report a Problem... in Firefox and file a new bug to Launchpad. Your Firefox profiles.ini file will be automatically attached to the bug report. profiles.ini includes the name of your profile directory (it looks like ab1c2d3f.default where ab1c2d3f are some random letters and digits).

Firefox generates the profile directory name randomly as a security feature. The name of that directory is supposed to remain secret so that it cannot be guessed. Apport should sanitize every profile directory name to something of the form XXXXXXXX.profileName before uploading profiles.ini to Launchpad.

To demonstrate the problem, this bug was originally filed against Firefox.

For the curious, random salting of the profile directory can mitigate some real attacks:
https://bugzilla.mozilla.org/show_bug.cgi?id=56002
https://bugzilla.mozilla.org/show_bug.cgi?id=97180#c17
https://bugzilla.mozilla.org/show_bug.cgi?id=230606

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: firefox 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
ProcVersionSignature: Ubuntu 2.6.32-24.38-generic 2.6.32.15+drm33.5
Uname: Linux 2.6.32-24-generic i686
Architecture: i386
Date: Sun Aug 1 08:24:22 2010
FirefoxPackages:
 firefox 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
 firefox-gnome-support 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
 firefox-branding 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
 abroswer N/A
 abrowser-branding N/A
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: firefox
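
The sanitization requested in the description above, as an added example; it is not the code from debian/apport/firefox.py, which this page does not show. The function names and the sample profiles.ini are constructed for illustration, and the salt is assumed to be eight letters or digits before the first dot of the directory name, as in the ab1c2d3f.default example.

```python
import re

# Assumption: the salt is eight letters/digits followed by ".<profileName>",
# matching the "ab1c2d3f.default" form quoted in the report.
SALTED_DIR = re.compile(r"^[A-Za-z0-9]{8}(?=\.[^/\\]+$)")
PATH_LINE = re.compile(r"^(\s*Path\s*=\s*)(.*?)(\s*)$", re.IGNORECASE)

# Constructed sample input, not taken from a real system.
SAMPLE = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=ab1c2d3f.default

[Profile1]
Name=work
IsRelative=0
Path=/home/user/.mozilla/firefox/9z8y7x6w.work
"""


def mask_profile_path(path):
    """Replace the salt in the last path component with XXXXXXXX."""
    # Split on either separator so relative and absolute paths both work.
    cut = max(path.rfind("/"), path.rfind("\\")) + 1
    parent, leaf = path[:cut], path[cut:]
    return parent + SALTED_DIR.sub("XXXXXXXX", leaf)


def sanitize_profiles_ini(text):
    """Return profiles.ini text with every Path= salt masked."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the original line ending
        match = PATH_LINE.match(body)
        if match:                       # only Path= lines are rewritten
            key, value, trailing = match.groups()
            body = key + mask_profile_path(value) + trailing
        out.append(body + eol)
    return "".join(out)


if __name__ == "__main__":
    print(sanitize_profiles_ini(SAMPLE), end="")
```

Directory names that do not match the salted form are left unchanged, so Name= entries and unsalted custom directories pass through as they are.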

Till Ulen (tillulen)
visibility: private → public
Changed in firefox (Ubuntu):
assignee: nobody → Chris Coulson (chrisccoulson)
status: New → Confirmed
Changed in apport (Ubuntu):
status: New → Invalid
Changed in firefox (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Medium
Chris Coulson (chrisccoulson) wrote :

bzr commit -m '* Fix LP: #612185 - Apport leaks the secret name of the Firefox
  profile directory
  - update debian/apport/firefox.py' --fixes 'lp:612185'
Committing to: /home/chr1s/src/firefox/3.6/
modified debian/changelog
modified debian/apport/firefox.py
Committed revision 647.

Changed in firefox (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.8+build1+nobinonly-0ubuntu2

---------------
firefox (3.6.8+build1+nobinonly-0ubuntu2) maverick; urgency=low

  [ Chris Coulson <email address hidden> ]
  * Provide iceweasel
    - update debian/control
  * Really build with MOZILLA_OFFICIAL=1 this time, so that the crash
    reporter is actually enabled
    - update debian/rules
  * Only enable the crashreporter and build the Breakpad symbols on i386,
    amd64 and armel
    - update debian/control
    - update debian/rules
  * Blacklist Firefox in Apport on architectures where we use the Mozilla
    crash reporter
    - add debian/apport/blacklist
    - update debian/rules
  * Drop the DEBIAN_META_NAME stuff - we don't need this now we are always
    using unversioned sources for the official in-archive version. This
    simplifies the wrapper script a little
    - update debian/rules
    - update debian/firefox.sh.in
  * Rework how abrowser is launched a little. Drop an unnecessary patch
    and ship both abrowser and abrowser-bin files in LIBDIR. With the
    DEBIAN_META_NAME bits gone, the wrapper script will always search for
    $LIBDIR/abrowser if you launch /usr/bin/abrowser. From there, the Mozilla
    scripts already handle this properly
    - update debian/firefox.sh.in
    - update debian/rules
    - remove debian/patches/abrowser_run_mozilla.patch
    - update debian/patches/series
  * Don't handle launching GDB in our wrapper script, run-mozilla.sh
    already does all this. Just make sure that we pass the right arguments
    - update debian/firefox.sh.in
  * Fix LP: #613049 - Default website link in Maverick firefox is invalid
    - update debian/patches/ubuntu_bookmarks.patch
  * Refresh favicon's in the default bookmark collection, so they display
    the latest Ubuntu branding on a fresh profile
    - update debian/patches/ubuntu_bookmarks.patch
  * Drop the mips-specific binutils build-depend - we don't even build
    on this arch
    - update debian/control
  * Only try to install the crashreporter binary when building with the
    bundled xulrunner library
    - update debian/firefox.install
    - update debian/rules
  * Fix LP: #615889 - Add Ubuntu One bookmark to Firefox fresh install
    - update debian/patches/ubuntu_bookmarks.patch
  * Fix LP: #612185 - Apport leaks the secret name of the Firefox
    profile directory
    - update debian/apport/firefox.py
  * Fix LP: #614190 - Chinese update for firefox.desktop. Thanks to
    Cheng-Chia Tseng and Aron Xu
    - update debian/firefox-final.desktop
  * Fix LP: #559083 - Incomplete Vietnamese translation for items listed
    in desktop main menu. Thanks to Vu Do Quynh for the translations
    - update debian/firefox-final.desktop

  [ Igor Zubarev <email address hidden> ]
  * Fix LP: #569762 - Add Russian translations to desktop files
    - update debian/abrowser.desktop
    - update debian/firefox-final.desktop
 -- Chris Coulson <email address hidden> Thu, 12 Aug 2010 21:52:18 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
