[Secure-testing-team] Bug#786565: iceweasel: breaks xul-ext-requestpolicy
Thorsten Glaser
tg at mirbsd.de
Fri May 22 21:25:43 UTC 2015
Package: iceweasel
Version: 38.0.1-1
Severity: serious
Tags: security
Justification: security/privacy issue
The new version of iceweasel auto-disables the requestpolicy plugin.
To add insult to injury, it cannot be manually enabled, apparently
due to a version incompatibility.
This leads to page views no longer honouring the requestpolicy
settings but loading *all* external resources, thus violating
privacy and security, leaking user data to unwanted third parties,
disabling the probably most effective (if icky to use) ad blocker,
and causing general slowness due to ad JavaScript on several pages
(especially since the Intel Atom on an EeePC is so slow my Pentium M
(with less MHz) feels fast compared to it, before already).
-- Package-specific info:
-- Extensions information
Name: Classic Theme Restorer
Location: ${PROFILE_EXTENSIONS}/ClassicThemeRestorer at ArisT2Noia4dev.xpi
Status: enabled
Name: Clear Search 2
Location: ${PROFILE_EXTENSIONS}/ClearSearch2 at extension-id.invalid.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Firebug
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/firebug at software.joehewitt.com
Package: xul-ext-firebug
Status: enabled
Name: Greasemonkey
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Package: xul-ext-greasemonkey
Status: user-disabled
Name: HTTPS-Everywhere
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/https-everywhere at eff.org
Package: xul-ext-https-everywhere
Status: user-disabled
Name: It's All Text!
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/itsalltext at docwhat.gerf.org
Package: xul-ext-itsalltext
Status: enabled
Name: RequestPolicy
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/requestpolicy at requestpolicy.com
Package: xul-ext-requestpolicy
Status: app-disabled
Name: Status-4-Evar
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/status4evar at caligonstudios.com
Package: xul-ext-status4evar
Status: enabled
Name: Y U no validate
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{20d36f97-15da-47ed-9f0a-13cbe85bdc84}
Package: xul-ext-y-u-no-validate
Status: enabled
-- Plugins information
-- Addons package information
ii iceweasel 38.0.1-1 i386 Web browser based on Firefox
ii xul-ext-firebu 2.0.4-1 all web development plugin for Icewea
ii xul-ext-grease 3.1-2 all customization of webpages with us
ii xul-ext-https- 4.0.3-1 all extension to force the use of HTT
ii xul-ext-itsall 1.9.1-2 all extension to edit textareas using
ii xul-ext-reques 0.5.28-1 all improve your browsing: more priva
ii xul-ext-status 2015.02.06.2 all Status bar widgets and progress i
ii xul-ext-y-u-no 2013052401-2 all browser extension to make securit
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 4.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages iceweasel depends on:
ii debianutils 4.5
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-18
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.18-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-5
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.44.0-3
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-1
ii libnss3 2:3.19-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.10.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 5.1.1-5
ii libvpx2 1.4.0-3
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
pn gstreamer1.0-libav <none>
pn gstreamer1.0-plugins-good <none>
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
pn libgnomeui-0 <none>
ii libgssapi-krb5-2 1.12.1+dfsg-20
pn mozplugger <none>
-- no debconf information