Dear OpenSSH developers, first thank you for this great tool! Me and a friend have experienced some seriously crazy interaction between Thunderbird and OpenSSH, the problem is it's not reproducable but as it left definite traces on the server and it could be a serious security problem I still want to report it. so the following happened: My friend is running Ubuntu 9.10 with the new Thunderbird from a PPA he connected to our server (running Debian Lenny) using OpenSSH in a normal gnome-terminal. Then he launched Thunderbird from the application menu and now it's getting really weired. When thunderbird launched and connected to the IMAP Servers the SSH session in the currently unfocussed terminal was flooded with data, specifically with subject lines from the mails in Thunderbird this was to the degree that it created weired named files on our server like "Gesendet:" ("sent" in German) "bla at example.com" and so on. The interesting thing being that albeit those are garbage they are clearly noy chiffered. The only idea I could come up with is that somehow the OpenSSL Input buffer used by Thunderbird could have leaked into the one used by OpenSSH which would be quite catastrophic. It could also have to do with the clipboard but we weren't able to reproduce it or see anything like it with other software and he has been running this Thunderbird version for some time now. It's to fishy for a bug report but still to dangerours to simply ignore. Greetings Niklas Schnelle
Alexander Wuerstlein
2010-Apr-02 18:50 UTC
Extremely weired Thunderbird OpenSSH interaction
On 10-04-02 19:45, Niklas Schnelle <niklas at komani.de> wrote:> Dear OpenSSH developers, > first thank you for this great tool! > Me and a friend have experienced some seriously crazy interaction > between Thunderbird and OpenSSH, the problem is it's > not reproducable but as it left definite traces on the server and it > could be a serious security problem I still want to report it. > so the following happened: > My friend is running Ubuntu 9.10 with the new Thunderbird from a PPA > he connected to our server (running Debian Lenny) using OpenSSH in a > normal gnome-terminal. Then he launched Thunderbird from the application > menu and now it's getting really weired. > When thunderbird launched and connected to the IMAP Servers the SSH > session in the currently unfocussed terminal was > flooded with data, specifically with subject lines from the mails in > Thunderbird this was to the degree that it created weired named files on > our server like "Gesendet:" ("sent" in German) > "bla at example.com" and so on.I would guess that you stumbled over the somewhat obscure and weird "remote" feature of some Mozilla products[1]. Try starting thunderbird with -no-remote as a parameter and see if it makes a difference. Ciao, Alexander Wuerstlein. [1] https://developer.mozilla.org/en/Command_Line_Options