[Secure-testing-team] Bug#797602: iceweasel: ice* apps are not secured
Richard Jasmin
frazzledjazz at gmail.com
Mon Aug 31 20:16:23 UTC 2015
Package: iceweasel
Version: 38.2.0esr-1~deb8u1
Severity: grave
Tags: upstream security patch
Justification: user security hole
Attaching to upstream FFOX also.
Bug # 1200375
This issue is caused by one of two problems.
1) We are given SLOP from mozilla which will not harden, the code needs to be
rejected until it can be hardened
2) This code is not compiled to be hardened, whether by mistake or otherwise
before distribution in debian
A simple scan of a running ice* application reveals the problem.
(check-security)
No stack canary
No RELRO
No PIE
other Dangerous options used
Firefox and its relatives are NOT GREEN. Next to zero hardening options are
used.
Web browser is 50% of incoming attack vector on client side, MAIL is the other
50%. 100% of the code is NOT SECURE.
All mozilla apps use the same code base and internal browser capabilities.
I dont think sylpheed and claws are affected(both are pretty much the same
application). This is a mozilla issue.
Dunno about you, but I sure as all hades do not appreciate this. People wonder
why they get hacked...the application is RIPE for the hacking.
There is NO reason why ANY application should not use these "options"(which
shouldnt even be optional, they should be MANDATED).
-- Package-specific info:
-- Extensions information
Name: Browser JSGuard
Location: ${PROFILE_EXTENSIONS}/jid1-iazLAsIkHmx2Vw at jetpack.xpi
Status: user-disabled
Name: BugMeNot Plugin
Location: ${PROFILE_EXTENSIONS}/{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
Status: enabled
Name: Capture & Print
Location: ${PROFILE_EXTENSIONS}/{146f1820-2b0d-49ef-acbf-d85a6986e10c}.xpi
Status: enabled
Name: CommentBlocker
Location: ${PROFILE_EXTENSIONS}/commentblocker at xertoz.se.xpi
Status: enabled
Name: Copy As Plain Text
Location: ${PROFILE_EXTENSIONS}/{1a5dabbd-0e74-41da-b532-a364bb552cab}.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Disable Anti-Adblock
Location: ${PROFILE_EXTENSIONS}/{d49a148e-817e-4025-bee3-5d541376de3b}.xpi
Status: enabled
Name: Disable DHE
Location: ${PROFILE_EXTENSIONS}/5aa55fd5-6e61-4896-b186-fdc6f298ec92 at mozilla.xpi
Status: enabled
Name: Do Not Survey
Location: ${PROFILE_EXTENSIONS}/do-not-survey at erikvold.com.xpi
Status: enabled
Name: Easy Youtube Video Downloader Express
Location: ${PROFILE_EXTENSIONS}/{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi
Status: enabled
Name: econoRead
Location: ${PROFILE_EXTENSIONS}/jid1-64wQpLbPpBDxfg at jetpack.xpi
Status: enabled
Name: Ecosia — The search engine that plants trees!
Location: ${PROFILE_EXTENSIONS}/{d04b0b40-3dab-4f0b-97a6-04ec3eddbfb0}.xpi
Status: enabled
Name: F.B. Purity - Cleans Up Facebook
Location: ${PROFILE_EXTENSIONS}/fbp at fbpurity.com.xpi
Status: enabled
Name: FanFic Filter
Location: ${PROFILE_EXTENSIONS}/jid1-wwKu3QcaAIwbIQ at jetpack.xpi
Status: enabled
Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled
Name: Foobar
Location: ${PROFILE_EXTENSIONS}/foobar at unnecessarilylongurl.com.xpi
Status: enabled
Name: h264ify
Location: ${PROFILE_EXTENSIONS}/jid1-TSgSxBhncsPBWQ at jetpack.xpi
Status: enabled
Name: HTTP Nowhere
Location: ${PROFILE_EXTENSIONS}/http-nowhere at cwilper.github.com.xpi
Status: enabled
Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere-eff at eff.org
Status: enabled
Name: HTTPS-Everywhere
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/https-everywhere at eff.org
Package: xul-ext-https-everywhere
Status: enabled
Name: I don't care about cookies
Location: ${PROFILE_EXTENSIONS}/jid1-KKzOGWgsW3Ao4Q at jetpack.xpi
Status: enabled
Name: KeeFox
Location: ${PROFILE_EXTENSIONS}/keefox at chris.tomlinson
Status: enabled
Name: Long URL Please
Location: ${PROFILE_EXTENSIONS}/longurlplease at darragh.curran.xpi
Status: enabled
Name: Mozilla Archive Format
Location: ${PROFILE_EXTENSIONS}/{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi
Status: enabled
Name: NO Google Analytics
Location: ${PROFILE_EXTENSIONS}/jid1-JcGokIiQyjoBAQ at jetpack.xpi
Status: enabled
Name: NoSquint
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/nosquint at urandom.ca
Package: xul-ext-nosquint
Status: enabled
Name: OpenComment
Location: ${PROFILE_EXTENSIONS}/opencomment at opncmnt.com.xpi
Status: enabled
Name: PDF Download
Location: ${PROFILE_EXTENSIONS}/{37E4D8EA-8BDA-4831-8EA1-89053939A250}.xpi
Status: enabled
Name: Perspectives
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/perspectives at cmu.edu
Package: xul-ext-perspectives
Status: enabled
Name: Plain Text Offenders
Location: ${PROFILE_EXTENSIONS}/jid1-BAGUIOWuPtBZiA at jetpack.xpi
Status: enabled
Name: Prevent writing passwords without SSL
Location: ${PROFILE_EXTENSIONS}/francesco at galgani.it.xpi
Status: enabled
Name: Print Edit
Location: ${PROFILE_EXTENSIONS}/printedit at DW-dev.xpi
Status: enabled
Name: Readability
Location: ${PROFILE_EXTENSIONS}/readability at readability.com.xpi
Status: enabled
Name: Redirect Remover
Location: ${PROFILE_EXTENSIONS}/{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}.xpi
Status: user-disabled
Name: Remove Cookies for Site
Location: ${PROFILE_EXTENSIONS}/{06997db0-c027-4d5f-bd37-b0d9230226ea}.xpi
Status: enabled
Name: Report Pedophile
Location: ${PROFILE_EXTENSIONS}/reportpedophile at internetpredatortracker.com
Status: enabled
Name: RightToClick
Location: ${PROFILE_EXTENSIONS}/{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi
Status: enabled
Name: ShapeShift Lens
Location: ${PROFILE_EXTENSIONS}/jid1-cmnEvLpJOY8wMA at jetpack.xpi
Status: enabled
Name: signup-block
Location: ${PROFILE_EXTENSIONS}/jid1-qbA1LkvFoEKD5A at jetpack.xpi
Status: enabled
Name: Stylish
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
Package: xul-ext-stylish
Status: enabled
Name: Tinfoil
Location: ${PROFILE_EXTENSIONS}/jid1-qBe6fIS7EMdhDA at jetpack.xpi
Status: enabled
Name: uBlock
Location: ${PROFILE_EXTENSIONS}/{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi
Status: enabled
Name: unmask
Location: ${PROFILE_EXTENSIONS}/jid1-yV76nfxgqelbWQ at jetpack.xpi
Status: enabled
Name: URL Fixer
Location: ${PROFILE_EXTENSIONS}/{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi
Status: enabled
Name: User Agent Switcher
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
Package: xul-ext-useragentswitcher
Status: enabled
Name: Wide screen stackexchange sites
Location: ${PROFILE_EXTENSIONS}/jid1-uYPnGckIKsprTw at jetpack.xpi
Status: enabled
Name: WOT
Location: ${PROFILE_EXTENSIONS}/{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
Status: enabled
Name: YouTube ALL HTML5
Location: ${PROFILE_EXTENSIONS}/jid1-qj0w91o64N7Eeg at jetpack.xpi
Status: enabled
Name: YouTube High Definition
Location: ${PROFILE_EXTENSIONS}/{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi
Status: enabled
Name: YouTube HTML5-Video
Location: ${PROFILE_EXTENSIONS}/jid0-MXvUXM1npF7yTcY3bpZVht72AR4 at jetpack.xpi
Status: enabled
Name: Zotero
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/zotero at chnm.gmu.edu
Package: xul-ext-zotero
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
Name: Skype Buttons for Kopete
Location: /usr/lib/mozilla/plugins/skypebuttons.so
Package: kopete
Status: enabled
-- Addons package information
ii gnome-shell 3.14.4-1~deb amd64 graphical shell for the GNOME des
ii iceweasel 38.2.0esr-1~ amd64 Web browser based on Firefox
ii kopete 4:4.14.1-2 amd64 instant messaging and chat applic
ii xul-ext-https- 4.0.2-3 all extension to force the use of HTT
ii xul-ext-nosqui 2.1.9-2 all control the size of text of websi
ii xul-ext-perspe 4.5.2-1 all verify HTTPS sites through notary
ii xul-ext-stylis 1.4.3-2 all styles manager to customize web s
ii xul-ext-userag 0.7.3-1 all Iceweasel/Firefox addon that allo
ii xul-ext-zotero 4.0.22-1 all Iceweasel extension to organize a
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.4+b1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18
ii libcairo2 1.14.0-2.1
ii libdbus-1-3 1.8.18-0+deb8u1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u2
ii libglib2.0-0 2.42.1-1
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.7.1-1+deb8u1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1:1.4.5-dmo1
ii gstreamer1.0-plugins-good 1.4.4-2
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.12.1+dfsg-19
pn mozplugger <none>
-- no debconf information
More information about the Secure-testing-team
mailing list