[Secure-testing-team] Bug#833627: firefox-esr: wrong dependency to libhunspell-1.3-0 but in Stretch there is only libhunspell-1.4-0

Davide Prina Davide.Prina at gmail.com
Sun Aug 7 08:17:07 UTC 2016


Package: firefox-esr
Version: 45.2.0esr-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

please adjust severity and tags as appropriate.
I put grave severity because this firefox-esr version corrects some security problems.

From the changelog I see:
firefox-esr (45.3.0esr-1~deb8u1) stable-security; urgency=medium

  * New upstream release.
  * Fixes for mfsa2016-{62-65,67,70,72-73,76-80}, also known as:
    CVE-2016-2836, CVE-2016-2830, CVE-2016-2838, CVE-2016-2839,
    CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259,
    CVE-2016-5262, CVE-2016-2837, CVE-2016-5263, CVE-2016-5264,
    CVE-2016-5265.

In Stretch it is impossible to upgrade the firefox-esr package:

# apt-get update
[...]
# LANG=en_EN apt-get install firefox-esr
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 firefox-esr : Depends: libhunspell-1.3-0 (>= 1.3.3) but it is not installable
E: Unable to correct problems, you have held broken packages.


but in Stretch there is no libhunspell-1.3-0:
$ LANG=en_EN apt-cache search libhunspell
libhunspell-1.4-0 - spell checker and morphological analyzer (shared library)
libhunspell-dev - spell checker and morphological analyzer (development)

The problem is that the "Depends:" clause lists libhunspell-1.3-0 and not libhunspell-1.4-0

$ LANG=en_EN apt-cache show firefox-esr
Package: firefox-esr
Version: 45.3.0esr-1~deb8u1
Installed-Size: 97643
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers at lists.alioth.debian.org>
Architecture: amd64
Provides: gnome-www-browser, www-browser
Depends: libasound2 (>= 1.0.16), libatk1.0-0 (>= 1.12.4), libc6 (>= 2.17), libcairo2 (>= 1.2.4), libdbus-1-3 (>= 1.0.2), libdbus-glib-1-2 (>= 0.78), libevent-2.0-5 (>= 2.0.10-stable), libffi6 (>= 3.0.4), libfontconfig1 (>= 2.11), libfreetype6 (>= 2.2.1), libgcc1 (>= 1:4.1.1), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.20.0), libgtk2.0-0 (>= 2.24.0), libhunspell-1.3-0 (>= 1.3.3), libpango-1.0-0 (>= 1.14.0), libstartup-notification0 (>= 0.8), libstdc++6 (>= 4.9), libx11-6, libxcomposite1 (>= 1:0.3-1), libxdamage1 (>= 1:1.1), libxext6, libxfixes3, libxrender1, libxt6, zlib1g (>= 1:1.2.0), fontconfig, procps, debianutils (>= 1.16), libsqlite3-0 (>= 3.7.12-1~)
Suggests: fonts-stix | otf-stix, fonts-lmodern, mozplugger, libgssapi-krb5-2 | libkrb53, libgnomeui-0, libcanberra0
Conflicts: iceweasel (<< 45), j2re1.4, pango-graphite (<< 0.9.3)
Breaks: xul-ext-torbutton
Description-en: Mozilla Firefox web browser - Extended Support Release (ESR)
 Firefox ESR is a powerful, extensible web browser with support for modern
 web application technologies.
Description-md5: 88ee196fd829d9218a763b4d498a6f6a
Recommends: gstreamer1.0-libav, gstreamer1.0-plugins-good
Section: web
Priority: optional
Filename: pool/updates/main/f/firefox-esr/firefox-esr_45.3.0esr-1~deb8u1_amd64.deb
Size: 43485954
MD5sum: 59609951e33090ab11c463b83640a2ce
SHA1: 1d7bb2ac5b9080036b6ee69f2eb0f77eecd337e2
SHA256: 8441844a0be2fd00cf7b5f888a7d8622c0ffd5b4c5f4a2ed1092957f1bd93ffb

Ciao
Davide



-- Package-specific info:

-- Extensions information
[cut]

-- Plugins information
[cut]

-- Addons package information
ii  firefox-esr    45.2.0esr-1  amd64        Mozilla Firefox web browser - Ext
[...]

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8
ii  fontconfig                2.11.0-6.4
ii  libasound2                1.1.1-2
ii  libatk1.0-0               2.20.0-1
ii  libc6                     2.23-4
ii  libcairo2                 1.14.6-1+b1
ii  libdbus-1-3               1.10.8-1
ii  libdbus-glib-1-2          0.106-1
ii  libevent-2.0-5            2.0.21-stable-2+b1
ii  libffi6                   3.2.1-4
ii  libfontconfig1            2.11.0-6.4
ii  libfreetype6              2.6.3-3+b1
ii  libgcc1                   1:6.1.1-10
ii  libgdk-pixbuf2.0-0        2.34.0-1
ii  libglib2.0-0              2.48.1-2
ii  libgtk2.0-0               2.24.30-4
ii  libhunspell-1.4-0         1.4.1-2
ii  libnspr4                  2:4.12-2
ii  libnss3                   2:3.23-2
ii  libpango-1.0-0            1.40.1-1
ii  libsqlite3-0              3.13.0-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                6.1.1-10
ii  libvpx3                   1.5.0-3
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.2-1
ii  libxrender1               1:0.9.9-2
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-2
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages firefox-esr recommends:
ii  gstreamer1.0-libav         1.8.2-1
ii  gstreamer1.0-plugins-good  1.8.2-1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-3
ii  fonts-stix [otf-stix]  1.1.1-4
ii  libcanberra0           0.30-3
ii  libgnomeui-0           2.24.5-3.1
ii  libgssapi-krb5-2       1.14.3+dfsg-1
pn  mozplugger             <none>

-- no debconf information
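The failure in the report is a dependency-resolution problem, not a Firefox problem: the candidate 45.3.0esr-1~deb8u1 comes from stable-security (pool/updates, built on jessie against libhunspell-1.3-0), it sorts above the installed 45.2.0esr-1, and with stable and testing both pinned at 500 apt offers it on a stretch/sid system where only libhunspell-1.4-0 exists. The following is an added example (not Debian tooling and not the reporter's code) that reproduces that check offline: it parses the Depends field quoted above, compares versions with dpkg's ordering rules (epoch, upstream, revision, with "~" sorting before everything), and lists the OR-groups that a package universe cannot satisfy. The AVAILABLE map is constructed from the "Versions of packages firefox-esr depends on" list in the report; names such as `unsatisfied_dependencies` and `dpkg_version_cmp` are this example's own.

```python
"""Added example (not Debian tooling and not the reporter's code): parse a
Debian binary package's Depends field and list the OR-groups that a given
package universe cannot satisfy, using dpkg's version ordering."""
import re
# Depends field of firefox-esr 45.3.0esr-1~deb8u1, as quoted in the report.
DEPENDS = (
    "libasound2 (>= 1.0.16), libatk1.0-0 (>= 1.12.4), libc6 (>= 2.17), "
    "libcairo2 (>= 1.2.4), libdbus-1-3 (>= 1.0.2), libdbus-glib-1-2 (>= 0.78), "
    "libevent-2.0-5 (>= 2.0.10-stable), libffi6 (>= 3.0.4), libfontconfig1 (>= 2.11), "
    "libfreetype6 (>= 2.2.1), libgcc1 (>= 1:4.1.1), libgdk-pixbuf2.0-0 (>= 2.22.0), "
    "libglib2.0-0 (>= 2.20.0), libgtk2.0-0 (>= 2.24.0), libhunspell-1.3-0 (>= 1.3.3), "
    "libpango-1.0-0 (>= 1.14.0), libstartup-notification0 (>= 0.8), libstdc++6 (>= 4.9), "
    "libx11-6, libxcomposite1 (>= 1:0.3-1), libxdamage1 (>= 1:1.1), libxext6, libxfixes3, "
    "libxrender1, libxt6, zlib1g (>= 1:1.2.0), fontconfig, procps, debianutils (>= 1.16), "
    "libsqlite3-0 (>= 3.7.12-1~)"
)
# Constructed package universe: the versions the report lists as installed on
# the reporter's stretch/sid system; libhunspell-1.4-0 is present, 1.3-0 is not.
AVAILABLE = {
    "debianutils": "4.8", "fontconfig": "2.11.0-6.4", "libasound2": "1.1.1-2",
    "libatk1.0-0": "2.20.0-1", "libc6": "2.23-4", "libcairo2": "1.14.6-1+b1",
    "libdbus-1-3": "1.10.8-1", "libdbus-glib-1-2": "0.106-1", "libffi6": "3.2.1-4",
    "libevent-2.0-5": "2.0.21-stable-2+b1", "libfontconfig1": "2.11.0-6.4",
    "libfreetype6": "2.6.3-3+b1", "libgcc1": "1:6.1.1-10", "libgdk-pixbuf2.0-0": "2.34.0-1",
    "libglib2.0-0": "2.48.1-2", "libgtk2.0-0": "2.24.30-4", "libhunspell-1.4-0": "1.4.1-2",
    "libpango-1.0-0": "1.40.1-1", "libsqlite3-0": "3.13.0-1", "libstdc++6": "6.1.1-10",
    "libstartup-notification0": "0.12-4", "libx11-6": "2:1.6.3-1", "libxt6": "1:1.1.5-1",
    "libxcomposite1": "1:0.4.4-1", "libxdamage1": "1:1.1.4-2+b1", "libxext6": "2:1.3.3-1",
    "libxfixes3": "1:5.0.2-1", "libxrender1": "1:0.9.9-2", "procps": "2:3.3.12-2",
    "zlib1g": "1:1.2.8.dfsg-2+b1",
}

def _order(c):
    # dpkg's character weight: "~" sorts before everything, even end of string (0).
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream-or-revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_version_cmp(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions`: epoch, upstream, revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# "<" and ">" are the legacy spellings of "<=" and ">=".
_RELATIONS = {"<<": lambda c: c < 0, "<=": lambda c: c <= 0, "<": lambda c: c <= 0,
              "=": lambda c: c == 0, ">=": lambda c: c >= 0, ">": lambda c: c >= 0,
              ">>": lambda c: c > 0}
_ATOM = re.compile(r"^([a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?"
                   r"(?:\s*\(\s*(<<|<=|=|>=|>>|<|>)\s*([^\s)]+)\s*\))?$")

def _satisfied(atom, available):
    m = _ATOM.match(atom.strip())
    if not m:
        raise ValueError("cannot parse dependency atom: %r" % atom)
    name, op, ver = m.groups()
    if name not in available:
        return False
    return op is None or _RELATIONS[op](dpkg_version_cmp(available[name], ver))

def unsatisfied_dependencies(depends, available):
    """Return the comma-separated OR-groups of `depends` that nothing in `available` satisfies."""
    groups = [g.strip() for g in depends.split(",") if g.strip()]
    return [g for g in groups
            if not any(_satisfied(alt, available) for alt in g.split("|"))]
```

Running `unsatisfied_dependencies(DEPENDS, AVAILABLE)` yields only `libhunspell-1.3-0 (>= 1.3.3)`, matching apt's "not installable" line; every other constraint is met by the testing versions. `dpkg_version_cmp` also shows the ordering behind the upgrade attempt: 45.3.0esr-1~deb8u1 is greater than the installed 45.2.0esr-1 but, because of the "~", less than a plain 45.3.0esr-1, which is why a later unstable upload of the same upstream version would supersede the stable-security build.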
