Bug 477740 - Disable FIPS should require inputting right password
Disable FIPS should require inputting right password
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: thunderbird (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Kai Engert (:kaie)
desktop-bugs@redhat.com
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-23 03:01 EST by Yolkfull Chow
Modified: 2009-01-21 20:14 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-21 20:14:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 474723 None None None Never

  None (edit)
Description Yolkfull Chow 2008-12-23 03:01:44 EST
Description of problem:
If FIPS is enabled, it should be designed to safeguard reading the mails via its password.However, if user click "Cancel" instead of inputting FIPS password when launching thunderbird, and go to Disable FIPS which does not require input password,and then he could read any mail and do any operation arbitrarily.

Version-Release number of selected component (if applicable):
thunderbird-2.0.0.19-1.el5_2

How reproducible:
Everytime

Steps to Reproduce:
1. enable FIPS and set a password
2. restart thunderbird and click "Cancel" when need input FIPS password
3. and then go to Disable FIPS, read any mail as you want
  
Actual results:
Anyone could read the mails of a FIPS protected account by just disabling it without inputting password.

Expected results:
It should require the password when disable FIPS.

Additional info:
Comment 1 Kai Engert (:kaie) 2009-01-21 20:14:41 EST
This sounds like a good idea to me on first sight, but it should be implemented at the upstream project, therefore I've filed bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=474723

Note You need to log in before you can comment on or make changes to this bug.