Mailinglist Archive: opensuse (1108 mails)

[opensuse] Firefox: is this a possible security problem?
I am running Leap 15.0 but with 2 "non-standard" files:

#1 - kernel-4.18.0-1, which comes from repo. '.../stable/standard/'; and

#2 - Firefox v62.0b1x, which I download directly from Mozilla.

I have no problems re the kernel but I mention it here to show that there is at least this file which is not 'standard' in my installation of Leap 15.0.

However, I have just experienced something regarding the version of Firefox which I did not expect and something which didn't happen in the past (as in many moons ago when I last used a Nightly version of either Firefox or Thunderbird). And what happened raised in my mind whether this is a security problem for a Linux system (i.e., openSUSE).

Let me explain.

Since 28 July I have been downloading and using Firefox downloaded from Mozilla site -- the file is a *.tar.bz2 file which I then unarchive (using the F2 option in Midnight Commander (mc)); I then copy the '/firefox' directory resulting from this un-archiving to my /home directory.

To use this [new] version of Firefox I then edit the Firefox entry in the Applications menu and edit the Command to read '~/firefox/firefox %u'.

When I began doing this I started with Firefox v61.0.1, but on 5 August I downloaded and started to use FF v62.0b14, followed by v62.0b15 on 10 August.

For all of the (3) preceding files I downloaded the files myself, unarchived them, deleted/renamed the '/firefox' directory in '/home', and copied across the new version of FF to my '/home'.

Until today.

What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.

As I did in the past to download the latest version of FF, I clicked on HELP and when the box-menu appeared there was the message, normally seen on a Windows installation, "Restart Firefox to <something>" and the version number showing was 62.0b17.

===

Now that I have written the above, I just now looked inside the '/firefox' directory in my '/home' and found to my surprise 2 files: 'updater' (156,296 bytes big), and 'updater.ini' (681 bytes big). The contents of '*.ini' are attached.

The only conclusion I can come to is that Firefox updated itself -- similarly to what it does in Windows! But how is this allowed in openSUSE/Linux?

I do understand that I manually installed Firefox in my /home directory and that it wasn't installed in the directory /usr/lib64/firefox accessed only by root but I certainly do not expect a program to self-update/upgrade without my manual intervention.

If openSUSE now allows the execution of the 'installer' in Firefox what is there to stop that 'installer' being modified to cause damage to the system?

(BTW, the same 'installer' is present in Thunderbird downloadable from Mozilla -- and I am using TB v60.0 [created 1 Aug].)

Is this ability in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?


BC


--
There comes a time in the affairs of a man when he has to take
the bull by the tail and face the situation.
W C Fields
