[Secure-testing-team] Bug#864790: firefox-esr: settings in /etc/firefox-esr/firefox[-esr].js are ignored after the first lock_pref

Christoph Anton Mitterer calestyo at scientia.net
Wed Jun 14 21:49:31 UTC 2017


Package: firefox-esr
Version: 52.2.0esr-1
Severity: important
Tags: security


Hi.

It seems that any preferences set in /etc/firefox-esr/firefox[-esr].js after the
first lock_pref(); are ignored and not actually set (or at least not visible as
such in about:config).

Consider e.g.
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
lock_pref("app.update.enabled", false);
pref("security.ssl.require_safe_negotiation", true);

then only the first three options will actually be set, while security.ssl.require_safe_negotiation
remains at Firefox' default.

Tagging +security, since this may cause security-relevant options to be ignored.


Cheers,
Chris.



-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: /usr/share/xul-ext/adblock-plus
Package: xul-ext-adblock-plus
Status: enabled

Name: Application Update Service Helper
Location: ${PROFILE_EXTENSIONS}/aushelper at mozilla.org.xpi
Status: enabled

Name: Certificate Patrol
Location: /usr/share/xul-ext/certificatepatrol
Package: xul-ext-certificatepatrol
Status: user-disabled

Name: Classic Theme Restorer
Location: /usr/share/xul-ext/classic-theme-restorer
Package: xul-ext-classic-theme-restorer
Status: user-disabled

Name: Cookie Monster
Location: /usr/share/xul-ext/cookie-monster
Package: xul-ext-cookie-monster
Status: enabled

Name: Default theme
Location: /usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled

Name: DownThemAll!
Location: /usr/share/xul-ext/downthemall
Package: xul-ext-downthemall
Status: enabled

Name: Firebug
Location: /usr/share/xul-ext/firebug
Package: xul-ext-firebug
Status: user-disabled

Name: FirePath
Location: /usr/share/xul-ext/firexpath
Package: xul-ext-firexpath
Status: enabled

Name: Flashblock
Location: /usr/share/xul-ext/flashblock
Package: xul-ext-flashblock
Status: enabled

Name: FoxyProxy Standard
Location: /usr/share/xul-ext/foxyproxy-standard
Package: xul-ext-foxyproxy-standard
Status: enabled

Name: HTTPS Everywhere
Location: /usr/share/xul-ext/https-everywhere
Package: xul-ext-https-everywhere
Status: enabled

Name: Lightbeam
Location: /usr/share/xul-ext/lightbeam
Package: xul-ext-lightbeam
Status: enabled

Name: Live HTTP headers(Fixed By Danyial.com)
Location: /usr/share/xul-ext/livehttpheaders
Package: xul-ext-livehttpheaders
Status: enabled

Name: Multi-process staged rollout
Location: ${PROFILE_EXTENSIONS}/e10srollout at mozilla.org.xpi
Status: enabled

Name: NoScript
Location: /usr/share/xul-ext/noscript
Package: xul-ext-noscript
Status: enabled

Name: Pocket
Location: ${PROFILE_EXTENSIONS}/firefox at getpocket.com.xpi
Status: enabled

Name: SearchLoad Options
Location: /usr/share/xul-ext/searchload-options
Package: xul-ext-searchload-options
Status: enabled

Name: Status-4-Evar
Location: /usr/share/xul-ext/status4evar
Package: xul-ext-status4evar
Status: enabled

Name: Tab Mix Plus
Location: /usr/share/xul-ext/tabmixplus
Package: xul-ext-tabmixplus
Status: enabled

Name: User Agent Switcher
Location: /usr/share/xul-ext/useragentswitcher
Package: xul-ext-useragentswitcher
Status: enabled

Name: Web Compat
Location: ${PROFILE_EXTENSIONS}/webcompat at mozilla.org.xpi
Status: enabled

Name: Web Developer
Location: /usr/share/xul-ext/webdeveloper
Package: xul-ext-webdeveloper
Status: enabled

Name: Y U no validate
Location: /usr/share/xul-ext/y-u-no-validate
Package: xul-ext-y-u-no-validate
Status: enabled

-- Plugins information
Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled


-- Addons package information
ii  browser-plugin 0.8.11~git20 amd64        GNU Shockwave Flash (SWF) player 
ii  firefox-esr    52.2.0esr-1  amd64        Mozilla Firefox web browser - Ext
ii  xul-ext-adbloc 2.7.3+dfsg-1 all          advertisement blocking extension 
ii  xul-ext-certif 2.0.14-5     all          Certificate Monitor for Iceweasel
ii  xul-ext-classi 1.5.9-1      all          customize the new Firefox interfa
ii  xul-ext-cookie 1.3.0.5-1    all          manage cookies in a whitelist-bas
ii  xul-ext-downth 3.0.7-1      all          Firefox extension with advanced d
ii  xul-ext-firebu 2.0.17-1     all          web development plugin for Firefo
ii  xul-ext-firexp 0.9.7.1-3    all          extension for Firebug to edit, in
ii  xul-ext-flashb 1.5.20-2     all          Mozilla extension to block Adobe 
ii  xul-ext-foxypr 4.5.6-debian all          advanced proxy management tool fo
ii  xul-ext-https- 5.2.8-1      all          extension to force the use of HTT
ii  xul-ext-lightb 1.3.1+dfsg-1 all          visualize sites that may be track
ii  xul-ext-liveht 0.17.1-2     all          add information about HTTP header
ii  xul-ext-noscri 2.9.0.14-1   all          permissions manager for Firefox
ii  xul-ext-search 0.8.0-3      all          tweak the searchbar's functionali
ii  xul-ext-status 2016.10.11.0 all          Status bar widgets and progress i
ii  xul-ext-tabmix 0.5.0.1-1    all          add dozens of new capabilities to
ii  xul-ext-userag 0.7.3-3      all          Firefox addon that allows the use
ii  xul-ext-webdev 1.2.5+repack all          web developer extension
ii  xul-ext-y-u-no 2013052407-3 all          browser extension to make securit

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.18-1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18
ii  libgdk-pixbuf2.0-0        2.36.5-2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.12-1
ii  libgtk2.0-0               2.24.31-2
ii  libhunspell-1.4-0         1.4.1-2+b2
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.40.5-1
ii  libsqlite3-0              3.16.2-5
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18
ii  libvpx4                   1.6.1-3
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3
ii  zlib1g                    1:1.2.8.dfsg-5

firefox-esr recommends no packages.

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-3
ii  fonts-stix [otf-stix]  1.1.1-4
ii  libcanberra0           0.30-3
ii  libgssapi-krb5-2       1.15-1
pn  mozplugger             <none>

-- Configuration Files:
/etc/firefox-esr/firefox-esr.js changed [not included]

-- no debconf information
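
A configuration lint for the behaviour reported above, as an added example that is not part of the original report or of the firefox-esr package: it lists every preference call that follows the first lock_pref in a prefs file, so those entries can be confirmed in about:config. The sample input is constructed, and the names parse_prefs and prefs_after_first_lock are made up for this illustration.

```python
import re

# Matches calls such as pref("name", value); or lock_pref("name", value);
PREF_CALL = re.compile(r'^\s*(\w*pref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.S)

def parse_prefs(text):
    """Yield (line_no, function, name, value) for each preference call."""
    # Blank out /* ... */ comments but keep newlines so line numbers stay right.
    text = BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PREF_CALL.match(line)  # lines starting with // never match
        if m:
            yield line_no, m.group(1), m.group(2), m.group(3)

def prefs_after_first_lock(text):
    """Return (line of first lock_pref or None, entries that follow it)."""
    first_lock, at_risk = None, []
    for line_no, func, name, value in parse_prefs(text):
        if first_lock is None:
            if func == "lock_pref":
                first_lock = line_no
        else:
            at_risk.append((line_no, func, name, value))
    return first_lock, at_risk

# Constructed sample: the four lines from the report plus some comments.
SAMPLE = '''\
// site-wide settings (constructed sample)
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
/* updates are handled
   by the package manager */
lock_pref("app.update.enabled", false);
// pref("browser.example.commented_out", true);
pref("security.ssl.require_safe_negotiation", true);
'''

if __name__ == "__main__":
    lock_line, entries = prefs_after_first_lock(SAMPLE)
    for line_no, func, name, value in entries:
        print(f"line {line_no}: {func}({name!r}, {value}) follows the "
              f"lock_pref on line {lock_line}; confirm it in about:config")
```

To audit a real system, pass the contents of each file under /etc/firefox-esr/ to prefs_after_first_lock instead of SAMPLE.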


