Comment 21 for bug 26040

In , Eric Dorland (eric-debian) wrote : Re: Bug#451327: iceweasel: a running FF/IW steals new local and remote FF/IW instances

forcemerge 229547 451327
thanks

* Paolo (<email address hidden>) wrote:
> Package: iceweasel
> Version: N/A
> Severity: grave
>
> Seems that at some point, Mozilla has introduced a 'feature' that fixed the
> 'another instance of ... already running' issue, so that if you start another
> instance of FF it won't complain, but simply it'd open another window of the
> already running instance.
> So far so good.
> The bad news is that this happens with FF launched on a remote system as well,
> which is *not* what's supposed to happen.
> Here's a scenario:
>
> L. local system: Sarge - stock FF1.5.0.12, FF2.0.0.8, SM1.1.5, Debian's FF.
> R. remote system: Etch - same as above, except Debian's FF->IW.
>
> 1. On L, ssh -X into R
> 2.1 On L, start FF - any version
> 3.1 On R, start FF - any version: the window comes up surprisingly fast;
> problem is, that's just another window of the locally running FF! i.e.
> if FF1.5 is running on L, then 'iceweasel' on R opens FF1.5 again.
>
> The converse is also true:
>
> 2.2 On R, start IW (or FF/SM)
> 3.2 On L, start FF (or SM): what you get is another window of the remote
> IW/FF/SM.
>
> FF/SM fails to check if the running instance on current $DISPLAY belongs to
> the same host+binary it's being started from.
> This has some obvious, and perhaps some not so obvious, security issues.

Please don't file duplicate bugs. What precisely are the security risks?

--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>