openssh unix dev - Apr 2010 - Extremely weired Thunderbird OpenSSH interaction

Dear OpenSSH developers,
first thank you for this great tool!
Me and a friend have experienced some seriously crazy interaction
between Thunderbird and OpenSSH, the problem is it's
not reproducable but as it left definite traces on the server and it
could be a serious security problem I still want to report it.
so the following happened:
My friend is running Ubuntu 9.10 with the new Thunderbird from a PPA 
he connected to our server (running Debian Lenny) using OpenSSH in a
normal gnome-terminal. Then he launched Thunderbird from the application
menu and now it's getting really weired. 
When thunderbird launched and connected to the IMAP Servers the SSH
session in the currently unfocussed terminal was
flooded with data, specifically with subject lines from the mails in
Thunderbird this was to the degree that it created weired named files on
our server like "Gesendet:" ("sent" in German)
"bla at example.com" and so on.
The interesting thing being that albeit those are garbage they are
clearly noy chiffered. The only idea I could come up with is that
somehow the OpenSSL Input buffer used by Thunderbird could have leaked
into the one used by OpenSSH which would be quite catastrophic.
It could also have to do with the clipboard but we weren't able to
reproduce it or see anything like it with other software and he has been
running this Thunderbird version for some time now.
It's to fishy for a bug report but still to dangerours to simply ignore.
Greetings Niklas Schnelle

On 10-04-02 19:45, Niklas Schnelle <niklas at komani.de>
wrote:
> Dear OpenSSH developers,
> first thank you for this great tool!
> Me and a friend have experienced some seriously crazy interaction
> between Thunderbird and OpenSSH, the problem is it's
> not reproducable but as it left definite traces on the server and it
> could be a serious security problem I still want to report it.
> so the following happened:
> My friend is running Ubuntu 9.10 with the new Thunderbird from a PPA 
> he connected to our server (running Debian Lenny) using OpenSSH in a
> normal gnome-terminal. Then he launched Thunderbird from the application
> menu and now it's getting really weired. 
> When thunderbird launched and connected to the IMAP Servers the SSH
> session in the currently unfocussed terminal was
> flooded with data, specifically with subject lines from the mails in
> Thunderbird this was to the degree that it created weired named files on
> our server like "Gesendet:" ("sent" in German)
> "bla at example.com" and so on.
I would guess that you stumbled over the somewhat obscure and weird
"remote" feature of some Mozilla products[1]. Try starting thunderbird
with -no-remote as a parameter and see if it makes a difference.




Ciao,

Alexander Wuerstlein.

[1] https://developer.mozilla.org/en/Command_Line_Options