[Secure-testing-team] Bug#864790: firefox-esr: settings in /etc/firefox-esr/firefox[-esr].js are ignored after the first lock_pref
Christoph Anton Mitterer
calestyo at scientia.net
Wed Jun 14 21:49:31 UTC 2017
Package: firefox-esr
Version: 52.2.0esr-1
Severity: important
Tags: security
Hi.
It seems that any preferences set in /etc/firefox-esr/firefox[-esr].js after the
first lock_pref(); are ignored and not actually set (or at least not visible as
such in about:config).
Consider e.g.
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
lock_pref("app.update.enabled", false);
pref("security.ssl.require_safe_negotiation", true);
then only the first three options will actually be set, while security.ssl.require_safe_negotiation
remains at Firefox' default.
Tagging +security, since this may cause security-relevant options to be ignored.
Cheers,
Chris.
-- Package-specific info:
-- Extensions information
Name: Adblock Plus
Location: /usr/share/xul-ext/adblock-plus
Package: xul-ext-adblock-plus
Status: enabled
Name: Application Update Service Helper
Location: ${PROFILE_EXTENSIONS}/aushelper@mozilla.org.xpi
Status: enabled
Name: Certificate Patrol
Location: /usr/share/xul-ext/certificatepatrol
Package: xul-ext-certificatepatrol
Status: user-disabled
Name: Classic Theme Restorer
Location: /usr/share/xul-ext/classic-theme-restorer
Package: xul-ext-classic-theme-restorer
Status: user-disabled
Name: Cookie Monster
Location: /usr/share/xul-ext/cookie-monster
Package: xul-ext-cookie-monster
Status: enabled
Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled
Name: DownThemAll!
Location: /usr/share/xul-ext/downthemall
Package: xul-ext-downthemall
Status: enabled
Name: Firebug
Location: /usr/share/xul-ext/firebug
Package: xul-ext-firebug
Status: user-disabled
Name: FirePath
Location: /usr/share/xul-ext/firexpath
Package: xul-ext-firexpath
Status: enabled
Name: Flashblock
Location: /usr/share/xul-ext/flashblock
Package: xul-ext-flashblock
Status: enabled
Name: FoxyProxy Standard
Location: /usr/share/xul-ext/foxyproxy-standard
Package: xul-ext-foxyproxy-standard
Status: enabled
Name: HTTPS Everywhere
Location: /usr/share/xul-ext/https-everywhere
Package: xul-ext-https-everywhere
Status: enabled
Name: Lightbeam
Location: /usr/share/xul-ext/lightbeam
Package: xul-ext-lightbeam
Status: enabled
Name: Live HTTP headers(Fixed By Danyial.com)
Location: /usr/share/xul-ext/livehttpheaders
Package: xul-ext-livehttpheaders
Status: enabled
Name: Multi-process staged rollout
Location: ${PROFILE_EXTENSIONS}/e10srollout@mozilla.org.xpi
Status: enabled
Name: NoScript
Location: /usr/share/xul-ext/noscript
Package: xul-ext-noscript
Status: enabled
Name: Pocket
Location: ${PROFILE_EXTENSIONS}/firefox@getpocket.com.xpi
Status: enabled
Name: SearchLoad Options
Location: /usr/share/xul-ext/searchload-options
Package: xul-ext-searchload-options
Status: enabled
Name: Status-4-Evar
Location: /usr/share/xul-ext/status4evar
Package: xul-ext-status4evar
Status: enabled
Name: Tab Mix Plus
Location: /usr/share/xul-ext/tabmixplus
Package: xul-ext-tabmixplus
Status: enabled
Name: User Agent Switcher
Location: /usr/share/xul-ext/useragentswitcher
Package: xul-ext-useragentswitcher
Status: enabled
Name: Web Compat
Location: ${PROFILE_EXTENSIONS}/webcompat@mozilla.org.xpi
Status: enabled
Name: Web Developer
Location: /usr/share/xul-ext/webdeveloper
Package: xul-ext-webdeveloper
Status: enabled
Name: Y U no validate
Location: /usr/share/xul-ext/y-u-no-validate
Package: xul-ext-y-u-no-validate
Status: enabled
-- Plugins information
Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled
-- Addons package information
ii browser-plugin 0.8.11~git20 amd64 GNU Shockwave Flash (SWF) player
ii firefox-esr 52.2.0esr-1 amd64 Mozilla Firefox web browser - Ext
ii xul-ext-adbloc 2.7.3+dfsg-1 all advertisement blocking extension
ii xul-ext-certif 2.0.14-5 all Certificate Monitor for Iceweasel
ii xul-ext-classi 1.5.9-1 all customize the new Firefox interfa
ii xul-ext-cookie 1.3.0.5-1 all manage cookies in a whitelist-bas
ii xul-ext-downth 3.0.7-1 all Firefox extension with advanced d
ii xul-ext-firebu 2.0.17-1 all web development plugin for Firefo
ii xul-ext-firexp 0.9.7.1-3 all extension for Firebug to edit, in
ii xul-ext-flashb 1.5.20-2 all Mozilla extension to block Adobe
ii xul-ext-foxypr 4.5.6-debian all advanced proxy management tool fo
ii xul-ext-https- 5.2.8-1 all extension to force the use of HTT
ii xul-ext-lightb 1.3.1+dfsg-1 all visualize sites that may be track
ii xul-ext-liveht 0.17.1-2 all add information about HTTP header
ii xul-ext-noscri 2.9.0.14-1 all permissions manager for Firefox
ii xul-ext-search 0.8.0-3 all tweak the searchbar's functionali
ii xul-ext-status 2016.10.11.0 all Status bar widgets and progress i
ii xul-ext-tabmix 0.5.0.1-1 all add dozens of new capabilities to
ii xul-ext-userag 0.7.3-3 all Firefox addon that allows the use
ii xul-ext-webdev 1.2.5+repack all web developer extension
ii xul-ext-y-u-no 2013052407-3 all browser extension to make securit
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages firefox-esr depends on:
ii debianutils 4.8.1.1
ii fontconfig 2.11.0-6.7+b1
ii libasound2 1.1.3-5
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-11
ii libcairo-gobject2 1.14.8-1
ii libcairo2 1.14.8-1
ii libdbus-1-3 1.10.18-1
ii libdbus-glib-1-2 0.108-2
ii libevent-2.0-5 2.0.21-stable-3
ii libffi6 3.2.1-6
ii libfontconfig1 2.11.0-6.7+b1
ii libfreetype6 2.6.3-3.2
ii libgcc1 1:6.3.0-18
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libgtk-3-0 3.22.12-1
ii libgtk2.0-0 2.24.31-2
ii libhunspell-1.4-0 1.4.1-2+b2
ii libjsoncpp1 1.7.4-3
ii libpango-1.0-0 1.40.5-1
ii libsqlite3-0 3.16.2-5
ii libstartup-notification0 0.12-4+b2
ii libstdc++6 6.3.0-18
ii libvpx4 1.6.1-3
ii libx11-6 2:1.6.4-3
ii libx11-xcb1 2:1.6.4-3
ii libxcb-shm0 1.12-1
ii libxcb1 1.12-1
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.4-2+b3
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1
ii procps 2:3.3.12-3
ii zlib1g 1:1.2.8.dfsg-5
firefox-esr recommends no packages.
Versions of packages firefox-esr suggests:
ii fonts-lmodern 2.004.5-3
ii fonts-stix [otf-stix] 1.1.1-4
ii libcanberra0 0.30-3
ii libgssapi-krb5-2 1.15-1
pn mozplugger <none>
-- Configuration Files:
/etc/firefox-esr/firefox-esr.js changed [not included]
-- no debconf information
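
Added example (not part of the original report, and not Debian or Mozilla code): an audit script that lists every preference call appearing after the first lock_pref() in a preferences file, i.e. the settings that would be silently dropped under the behaviour reported above. The sample input is constructed around the snippet in the report; the parser assumes double-quoted strings and // or /* */ comments only.

```python
import re
import sys

# Comments and double-quoted strings; strings are matched so that "//" inside
# a value such as a URL is not mistaken for a comment.
TOKEN_RE = re.compile(r'''
    //[^\n]*              # line comment
  | /\*.*?\*/             # block comment
  | "(?:\\.|[^"\\])*"     # string literal
''', re.S | re.X)

# Only the two call names that appear in the report.
CALL_RE = re.compile(r'\b(lock_pref|pref)\s*\(\s*"([^"]+)"')

def strip_comments(text):
    """Blank out comments but keep newlines, so line numbers stay correct."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return TOKEN_RE.sub(repl, text)

def prefs_after_first_lock(text):
    """Return (line of first lock_pref or None, [(line, call, name), ...])."""
    clean = strip_comments(text)
    first_lock, at_risk = None, []
    for m in CALL_RE.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        if first_lock is not None:
            # Assumption from the report's wording: every later call is affected.
            at_risk.append((line, m.group(1), m.group(2)))
        elif m.group(1) == "lock_pref":
            first_lock = line
    return first_lock, at_risk

# Constructed sample, built around the four lines quoted in the report.
SAMPLE = '''\
// site-wide defaults
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
pref("browser.startup.homepage", "https://example.org/");
lock_pref("app.update.enabled", false);
// pref("example.commented.out", true);
pref("security.ssl.require_safe_negotiation", true);
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    first_lock, at_risk = prefs_after_first_lock(text)
    for line, call, name in at_risk:
        print(f"line {line}: {call}({name!r}) follows lock_pref on line {first_lock}")
    sys.exit(1 if at_risk else 0)
```

Run it with the path to the preferences file as its only argument; a non-zero exit status means at least one setting follows a lock_pref() and should be confirmed in about:config.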