[Secure-testing-team] Bug#795576: iceweasel: When using default settings, user will be subscribed to services only by hovering over links
Boris Shtrasman
borissh1983+bugs at gmail.com
Sat Aug 15 11:32:58 UTC 2015
Package: iceweasel
Version: 38.1.0esr-3
Severity: grave
Tags: security upstream
Justification: user security hole
Dear Maintainer,
This is related to mozilla bug 814169, where a user using default
settings hovers over a link without clicking on it (which triggers a link prefetch case). This will leak device
information and provide access to the user's wallet.
Many services are pay per use, and merely clicking on a link will cause
the provider to subscribe to the services. And in cases of pay-per-ad this
will cause unwanted charges for the user.
I believe that at least network-prefetch-next and network.http.speculative-parallel-limit should be disabled by default.
The workaround for that bug (https://bugzilla.mozilla.org/show_bug.cgi?id=814169)
is to disable network-prefetch-next and network.http.speculative-parallel-limit.
-- Package-specific info:
-- Extensions information
Name: Adblock Plus
Location: ${PROFILE_EXTENSIONS}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Status: enabled
Name: BetterPrivacy
Location: ${PROFILE_EXTENSIONS}/{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled
Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere at eff.org
Status: enabled
Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled
Name: Places Maintenance
Location: ${PROFILE_EXTENSIONS}/places-maintenance at bonardo.net.xpi
Status: enabled
-- Plugins information
Name: MozPlugger 1.14.5 handles QuickTime and Windows Media Player Plugin (1.14.5)
Location: /usr/lib/mozilla/plugins/mozplugger.so
Package: mozplugger
Status: disabled
-- Addons package information
ii iceweasel 38.1.0esr-3 amd64 Web browser based on Firefox
ii mozplugger 1.14.5-2 amd64 Plugin allowing external viewers
-- System Information:
Debian Release: stretch/sid
APT prefers stable
APT policy: (1001, 'stable'), (900, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.5.1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.29-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-19
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.20-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.2.1-3
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.2.1-14
ii libgdk-pixbuf2.0-0 2.31.5-1
ii libglib2.0-0 2.44.1-1.1
ii libgtk2.0-0 2.24.28-1
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-2
ii libnss3 2:3.19.2-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.11.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libvpx2 1.4.0-4
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.10-2
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1.4.5-3
ii gstreamer1.0-plugins-good 1.4.5-2+b1
Versions of packages iceweasel suggests:
ii fonts-mathjax 2.5.3-1
pn fonts-oflb-asana-math <none>
ii fonts-stix [otf-stix] 1.1.1-3
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.13.2+dfsg-2
ii mozplugger 1.14.5-2
-- no debconf information
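Added example, not part of the bug report or of the iceweasel package: a small Node.js audit that parses a Firefox/Iceweasel user.js or prefs.js and reports whether the two preferences named above still permit prefetch traffic. The preference names follow the Firefox spelling ("network.prefetch-next", "network.http.speculative-parallel-limit"); the assumed built-in defaults (true and 6) match the 38 ESR era but should be checked against your build; the file contents and function names are constructed for this example.

```javascript
// Added example: audit a Firefox/Iceweasel pref file for the link-prefetch
// workarounds from mozilla bug 814169. Not code from the original report.

// Parse lines of the form  user_pref("name", value);  (pref(...) also accepted).
// Later lines override earlier ones, as Firefox itself applies them.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = parseInt(raw, 10);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue; // unrecognised value form: skip rather than guess
    prefs.set(m[1], value);
  }
  return prefs;
}

// Assumed built-in defaults for a Firefox 38 ESR era build; adjust per build.
const DEFAULTS = new Map([
  ["network.prefetch-next", true],
  ["network.http.speculative-parallel-limit", 6],
]);

// Return one finding per preference whose effective value (file override,
// else assumed default) still allows prefetch or speculative connections.
function auditPrefetch(prefs) {
  const effective = (name) => (prefs.has(name) ? prefs.get(name) : DEFAULTS.get(name));
  const findings = [];
  if (effective("network.prefetch-next") !== false) {
    findings.push("network.prefetch-next is not false: <link rel=prefetch> targets are fetched without a click");
  }
  const limit = effective("network.http.speculative-parallel-limit");
  if (typeof limit !== "number" || limit > 0) {
    findings.push("network.http.speculative-parallel-limit is not 0: hovering a link may open a connection to its host");
  }
  return findings;
}

// Constructed sample inputs: a profile with no relevant overrides, and a
// user.js carrying the two workaround settings from the bug.
const DEFAULT_PROFILE = `
user_pref("browser.startup.homepage_override.mstone", "38.1.0");
user_pref("network.cookie.cookieBehavior", 1);
`;

const HARDENED_USER_JS = `
// Workarounds from mozilla bug 814169: stop hover/prefetch traffic
user_pref("network.prefetch-next", false);
user_pref("network.http.speculative-parallel-limit", 0);
`;

function main() {
  for (const [label, text] of [["default profile", DEFAULT_PROFILE], ["hardened user.js", HARDENED_USER_JS]]) {
    const findings = auditPrefetch(parsePrefs(text));
    console.log(`${label}: ${findings.length === 0 ? "OK" : findings.join("; ")}`);
  }
}
main();
```

To check a real profile, read `prefs.js` and `user.js` from the profile directory with `fs.readFileSync` and feed the concatenated text to `parsePrefs`; the audit reports the default profile as having both settings open and the hardened user.js as clean.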