More testing has been done over the weekend and here are the details.

First, to address a response from Stefan Benter -

This issue did not manifest itself on Debian Bullseye; it manifests itself on 
this Debian:

Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
Kernel:         Linux 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux

This bug specifically manifests itself on systems running:

GNOME:     3.30.2
Graphics:  Device-1: Intel 3rd Gen Core processor Graphics driver: i915 v: kernel
           Display: wayland server: X.Org 1.20.4 driver: i915 resolution: 2560x1080~60Hz
           OpenGL: renderer: Mesa DRI Intel Ivybridge Mobile v: 4.2 Mesa 18.3.6

This bug is only evident (in my testing) when the following condition exists:

The system has the package 'firefox-esr' version 78.6.1esr-1~deb10u1 installed 
(from the Debian repo) AND (!)
the system has the package 'tor-browser' version 78.6.0esr - 10.0.7 installed 
(from the Tor Project directly).

When both of those packages are present on the system, it causes some sort of 
conflict within the GNOME UI, specifically in how GNOME processes mouse clicks 
on UI elements.

This condition arises due to the delay between the point in time when Mozilla 
releases a new version of Firefox and the time frame it takes for the Tor Project 
to code, test, and release an updated version of the Tor Browser based on the 
most recent version of Firefox by Mozilla.

As of today, Jan 17, 2021, once both packages have the same versions:
firefox-esr     78.6.1esr-1~deb10u1
and
tor-browser     78.6.1esr - 10.0.8

... the GNOME UI bug in handling mouse 'left' clicks + 'right' clicks NO 
LONGER exists.

On the systems with the version mismatch (this has been verified), GNOME is NOT 
properly handling mouse clicks.

That's the bug I have experienced.

This issue took place on multiple different (hardware) machines.

Regarding the content of:
Location: /usr/lib/firefox-esr/browser/omni.ja

... the concern is not the presence of this file; the concern is its 
content, specifically the references to the 'extensions'.

This is an excerpt referring to Location: /usr/lib/firefox-esr/browser/omni.ja

-- Extensions information
Name: Amazon.com
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: Bing
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: DoH Roll-Out
Location: /usr/lib/firefox-esr/browser/features/doh-roll...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: eBay
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled

Name: Firefox Screenshots
Location: /usr/lib/firefox-esr/browser/features/screensh...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: Google
Location: /usr/lib/firefox-esr/browser/omni.ja
Package: firefox-esr
Status: enabled


There is no place in the firefox-esr GUI that shows/discloses to users the 
presence of these extensions, while clearly they are present AND enabled!

There is no place in firefox-esr to locate, control or disable these 
extensions.

I consider this a security issue and potentially a violation of core values of 
the Debian Project.

Therefore, I would like to ask the Debian Security Team to review and potentially 
mark this ticket as 'Serious' if not 'Critical'.

This is a security issue and I don't think it should be taken lightly.

Damien