Mailinglist Archive: opensuse (1108 mails)

Re: [opensuse] Firefox: is this a possible security problem?
On 15.08.2018 at 11:23, Basil Chupin wrote:
I am running Leap 15.0 but with 2 "non-standard" files:

#1 - kernel-4.18.0-1, which comes from repo. '.../stable/standard/'; and

#2 - Firefox v62.0b1x, which I download directly from Mozilla.

I have no problems re the kernel but I mention it here to show that
there is at least this file which is not 'standard' in my installation
of Leap 15.0.

However, I have just experienced something regarding the version of
Firefox which I did not expect and something which didn't happen in the
past (as in many moons ago when I last used a Nightly version of either
Firefox or Thunderbird). And what happened raised in my mind whether
this is a security problem for a Linux system (ie, openSUSE).

Let me explain.

Since 28 July I have been downloading and using Firefox downloaded from
Mozilla site -- the file is a *.tar.bz2 file which I then unarchive
(using the F2 option in Midnight Commander (mc)); I then copy the
'/firefox' directory resulting from this un-archiving to my /home
directory.

To use this [new] version of Firefox I then edit the Firefox entry in
the Applications menu and edit the Command to read '~/firefox/firefox %u'.

When I began doing this I started with Firefox v61.0.1, but on 5 August
I downloaded and started to use FF v62.0b14, followed by v62.0b15 on 10
August.

For all of the (3) preceding files I downloaded the files myself,
unarchived them, deleted/renamed the '/firefox' directory in '/home',
and copied across the new version of FF to my '/home'.

Until today.

What occurred today is something which I did not expect on a Linux
system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.


Some useful information on this can be found here:

https://www.ghacks.net/2018/07/28/mozilla-makes-it-more-difficult-to-block-firefox-updates/


As I did in the past to download the latest version of FF, I clicked on
HELP and when the box-menu appeared there was the message, normally seen
on a Windows installation, "Restart Firefox to <something>" and the
version number showing was 62.0b17.

===

Now that I have written the above, I just now looked inside the
'/firefox' directory in my '/home' and found to my surprise 2 files:
'updater' (156,296 bytes big), and 'updater.ini' (681 bytes big). The
contents of '*.ini' are attached.

The only conclusion I can come to is that Firefox updated itself --
similarly to what it does in Windows! But how is this allowed in
openSUSE/Linux?

I do understand that I manually installed Firefox in my /home directory
and that it wasn't installed in the directory /usr/lib64/firefox
accessed only by root but I certainly do not expect a program to
self-update/upgrade without my manual intervention.

If openSUSE now allows the execution of the 'installer' in Firefox what
is there to stop that 'installer' being modified to cause damage to the
system?

(BTW, the same 'installer' is present in Thunderbird downloadable from
Mozilla -- and I am using TB v60.0 [created 1 Aug].)

Is this ability in Firefox, and Thunderbird, acceptable behaviour or am
I being paranoid?


BC



