[Secure-testing-team] Bug#566326: xulrunner-1.9: iceweasel "clear private data" leaves traces on disk due to linkage to system libsqlite3 instead of embedded copy

Lionel Elie Mamane lionel at mamane.lu
Fri Jan 22 22:24:56 UTC 2010


Package: xulrunner-1.9
Version: 1.9.0.16-1
Severity: important
Tags: security

The symptom:
 Run iceweasel.
 Visit some web pages.
 Tools / Clear Private Data
 cd .mozilla/firefox/*.default
 grep visited_hostname *.sqlite
 Result: places.sqlite and sometimes others

 There, one sees that the data that is supposed to be cleared is
 actually still on disk, until one does:
 for f in *.sqlite; do sqlite3 "${f}" VACUUM; done
 (or it is overwritten by new data)

In https://bugzilla.mozilla.org/show_bug.cgi?id=385834#c33, it says
this should not happen because sqlite3 is compiled with
-DSQLITE_SECURE_DELETE, which causes deletes to overwrite old data
with zeros. Indeed, in db/sqlite3/src/Makefile.in:

DEFINES = \
  -DSQLITE_SECURE_DELETE=1 \

But that sqlite3 is not used, the one from package libsqlite3-0 is
used, and this one is *not* compiled with -DSQLITE_SECURE_DELETE!

Glancing at https://buildd.debian.org/build.php, this seems to be
solved in unstable by having libsqlite3-0 be compiled with
-DSQLITE_SECURE_DELETE, but IMHO we still need to solve that security
leak in stable.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable'), (200, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_LU.UTF-8, LC_CTYPE=fr_LU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xulrunner-1.9 depends on:
ii  libatk1.0-0           1.22.0-1           The ATK accessibility toolkit
ii  libbz2-1.0            1.0.5-1            high-quality block-sorting file co
ii  libc6                 2.7-18lenny2       GNU C Library: Shared libraries
ii  libcairo2             1.6.4-7            The Cairo 2D vector graphics libra
ii  libfontconfig1        2.6.0-3            generic font configuration library
ii  libfreetype6          2.3.7-2+lenny1     FreeType 2 font engine, shared lib
ii  libgcc1               1:4.3.2-1.1        GCC support library
ii  libglib2.0-0          2.16.6-2           The GLib library of C routines
ii  libgtk2.0-0           2.12.12-1~lenny1   The GTK+ graphical user interface 
ii  libhunspell-1.2-0     1.2.6-1            spell checker and morphological an
ii  libjpeg62             6b-14              The Independent JPEG Group's JPEG 
ii  liblcms1              1.17.dfsg-1+lenny2 Color management library
ii  libmozjs1d            1.9.0.16-1         The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d           4.7.1-5            NetScape Portable Runtime Library
ii  libnss3-1d            3.12.3.1-0lenny1   Network Security Service libraries
ii  libpango1.0-0         1.20.5-5           Layout and rendering of internatio
ii  libpng12-0            1.2.27-2+lenny2    PNG library - runtime
ii  libreadline5          5.2-3.1            GNU readline and history libraries
ii  libsqlite3-0          3.5.9-6            SQLite 3 shared library
ii  libstartup-notificati 0.9-1              library for program launch feedbac
ii  libstdc++6            4.3.2-1.1          The GNU Standard C++ Library v3
ii  libx11-6              2:1.1.5-2          X11 client-side library
ii  libxrender1           1:0.9.4-2          X Rendering Extension client libra
ii  libxt6                1:1.0.5-3          X11 toolkit intrinsics library
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

xulrunner-1.9 recommends no packages.

Versions of packages xulrunner-1.9 suggests:
ii  xulrunner-1.9-gnome-support   1.9.0.16-1 Support for GNOME in xulrunner app

-- no debconf information
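Added reproduction of the mechanism described in the report (not part of the original message): it inserts a constructed marker string into a throwaway SQLite file, deletes the row, and scans the raw file the way the `grep` step above does, once with plain deletion, once with `PRAGMA secure_delete=ON` (the per-connection equivalent of building with -DSQLITE_SECURE_DELETE), and once after VACUUM. The table name `moz_places` and the marker value are assumptions chosen for the example.

```python
import glob
import os
import sqlite3
import tempfile

# Constructed sentinel standing in for a visited hostname stored in places.sqlite.
MARKER = b"visited-hostname.example.invalid"


def _marker_on_disk(path: str) -> bool:
    """Scan the raw database file, as `grep visited_hostname *.sqlite` does."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> tuple:
    """Insert the marker, DELETE it, and return (on_disk_before, on_disk_after, rows_left).

    secure_delete=True mirrors a libsqlite3 built with -DSQLITE_SECURE_DELETE
    (freed cells are zeroed); False forces plain deletion even on a libsqlite3
    whose compiled-in default is secure deletion.
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA journal_mode=DELETE")  # keep all live data in the main file
        conn.execute("PRAGMA secure_delete=ON" if secure_delete else "PRAGMA secure_delete=OFF")
        conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
        conn.execute("INSERT INTO moz_places (url) VALUES (?)", (MARKER.decode(),))
        conn.commit()
        before = _marker_on_disk(path)
        # The row disappears from every query, but only the B-tree cell is
        # unlinked; its bytes stay in the page unless zeroed or VACUUMed away.
        conn.execute("DELETE FROM moz_places WHERE id = 1")
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file, discarding freed page contents
        rows_left = conn.execute("SELECT count(*) FROM moz_places").fetchone()[0]
        conn.close()
        return before, _marker_on_disk(path), rows_left
    finally:
        for leftover in glob.glob(path + "*"):  # database plus any journal file
            os.unlink(leftover)


if __name__ == "__main__":
    print("plain DELETE          :", residue_after_delete(secure_delete=False))
    print("SQLITE_SECURE_DELETE  :", residue_after_delete(secure_delete=True))
    print("plain DELETE + VACUUM :", residue_after_delete(secure_delete=False, vacuum=True))
```

The first case is the stable-lenny situation from the report: zero rows visible to SQL, yet the string is still present in the file bytes.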