Bug 477740

Summary: Disable FIPS should require inputting right password
Product: Red Hat Enterprise Linux 5
Component: thunderbird
Version: 5.3
Hardware: All
OS: Linux
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Yolkfull Chow <yzhou>
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
QA Contact: desktop-bugs <desktop-bugs>
CC: desktop-bugs, gecko-bugs-nobody
Doc Type: Bug Fix
Last Closed: 2009-01-22 01:14:41 UTC

Description Yolkfull Chow 2008-12-23 08:01:44 UTC
Description of problem:
If FIPS is enabled, it should be designed to safeguard reading the mails via its password. However, if the user clicks "Cancel" instead of inputting the FIPS password when launching thunderbird, and goes to Disable FIPS, which does not require inputting a password, then he could read any mail and do any operation arbitrarily.

Version-Release number of selected component (if applicable):
thunderbird-2.0.0.19-1.el5_2

How reproducible:
Every time

Steps to Reproduce:
1. Enable FIPS and set a password
2. Restart thunderbird and click "Cancel" when prompted to input the FIPS password
3. Then go to Disable FIPS and read any mail as you want
  
Actual results:
Anyone could read the mails of a FIPS protected account by just disabling it without inputting the password.

Expected results:
It should require the password when disabling FIPS.

Additional info:

Comment 1 Kai Engert (:kaie) (inactive account) 2009-01-22 01:14:41 UTC
This sounds like a good idea to me at first sight, but it should be implemented at the upstream project; therefore I've filed bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=474723