Package: firefox-esr
Version: 102.1.0esr-2
Severity: serious

Hi,

The firefox source package currently ships various libraries that are packaged in Debian, but at build time the local copies are used instead. The package build process should use the versions packaged in Debian.

Examples of these are basically everything in the third_party directory, specifically the ones I'm aware of and why I'm reporting this here are the ones in third_party/rust.

- third_party/rust/semver corresponds to the rust-semver package in Debian.
- third_party/rust/time corresponds to the rust-time package in Debian.
- third_party/rust/nom corresponds to the rust-nom package in Debian.

These are just examples, basically everything in the directory is affected.

In addition all the libraries that currently are not packaged in Debian should ideally be packaged in Debian instead of using some arbitrary version that is bundled with firefox.

Note that various of these libraries had CVEs in the past, e.g. CVE-2022-24713 for third_party/rust/regex, so having various copies of them in different source packages is clearly not ideal.

-- Package-specific info:

-- Extensions information
Name: DoH Roll-Out
Location: /usr/lib/firefox-esr/browser/features/doh-roll...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: English (GB) Language Pack locale
Location: /usr/lib/firefox-esr/browser/extensions/langpack-en...@firefox-esr.mozilla.org.xpi
Package: firefox-esr-l10n-en-gb
Status: enabled

Name: Firefox Screenshots
Location: /usr/lib/firefox-esr/browser/features/screensh...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: Form Autofill
Location: /usr/lib/firefox-esr/browser/features/formautof...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: HTTPS Everywhere
Location: /usr/share/webext/https-everywhere
Package: webext-https-everywhere
Status: enabled

Name: Picture-In-Picture
Location: /usr/lib/firefox-esr/browser/features/pictureinpict...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: uBlock Origin
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/ublo...@raymondhill.net
Package: webext-ublock-origin-firefox
Status: enabled

Name: Web Compatibility Interventions
Location: /usr/lib/firefox-esr/browser/features/webcom...@mozilla.org.xpi
Package: firefox-esr
Status: enabled

Name: WebCompat Reporter
Location: /usr/lib/firefox-esr/browser/features/webcompat-repor...@mozilla.org.xpi
Package: firefox-esr
Status: user-disabled

-- Addons package information
ii firefox-esr 102.1.0esr-2 amd64 Mozilla Firefox web browser - Extended Support Release (ESR)
ii firefox-esr-l10n-en-gb 102.1.0esr-2 all English (United Kingdom) language package for Firefox ESR
ii webext-https-everywhere 2022.5.11-1 all Extension to force the use of HTTPS on many sites
ii webext-ublock-origin-firefox 1.42.0+dfsg-1 all lightweight and efficient ads, malware, trackers blocker (Firefox)

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (700, 'unstable'), (500, 'unstable-debug'), (100, 'experimental'), (1, 'experimental-debug')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox-esr depends on:
ii debianutils 5.7-0.3
ii fontconfig 2.13.1-4.4
ii libasound2 1.2.7.2-1
ii libatk1.0-0 2.38.0-1
ii libc6 2.34-4
ii libcairo-gobject2 1.16.0-6
ii libcairo2 1.16.0-6
ii libdbus-1-3 1.14.0-2
ii libdbus-glib-1-2 0.112-2
ii libevent-2.1-7 2.1.12-stable-5+b1
ii libffi8 3.4.2-4
ii libfontconfig1 2.13.1-4.4
ii libfreetype6 2.12.1+dfsg-3
ii libgcc-s1 12.1.0-8
ii libgdk-pixbuf-2.0-0 2.42.9+dfsg-1
ii libglib2.0-0 2.72.3-1+b1
ii libgtk-3-0 3.24.34-1
ii libnspr4 2:4.34-1
ii libnss3 2:3.81-2
ii libpango-1.0-0 1.50.9+ds-1
ii libstdc++6 12.1.0-8
ii libvpx7 1.12.0-1
ii libx11-6 2:1.8.1-2
ii libx11-xcb1 2:1.8.1-2
ii libxcb-shm0 1.15-1
ii libxcb1 1.15-1
ii libxcomposite1 1:0.4.5-1
ii libxdamage1 1:1.1.5-2
ii libxext6 2:1.3.4-1
ii libxfixes3 1:6.0.0-1
ii libxrandr2 2:1.5.2-2+b1
ii libxtst6 2:1.2.3-1.1
ii procps 2:3.3.17-7+b1
ii zlib1g 1:1.2.11.dfsg-4.1

Versions of packages firefox-esr recommends:
ii libavcodec57 7:3.4.3-1
ii libavcodec58 7:4.4.2-1+b3
ii libavcodec59 7:5.1-2+b1

Versions of packages firefox-esr suggests:
ii fonts-lmodern 2.005-1
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-10
ii libgssapi-krb5-2 1.20-1
ii pulseaudio 15.0+dfsg1-4+b1

-- no debconf information
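
An inventory of the kind this report calls for, as an added example that is not part of the original report or of the Debian or Firefox tooling: it walks a vendor directory such as third_party/rust, reads each crate's Cargo.toml, and compares it with the corresponding Debian source package. The rust-<crate> naming rule, the function names, and all crate versions in the sample are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def read_package(cargo_toml: Path):
    """Return (name, version) from the [package] table of a Cargo.toml."""
    section, fields = None, {}
    for line in cargo_toml.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "package":
            m = re.match(r'(name|version)\s*=\s*"([^"]+)"', line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields.get("name"), fields.get("version")

def debian_source_name(crate: str) -> str:
    # Assumption: Debian's rust-<crate> naming, with "_" written as "-".
    return "rust-" + crate.replace("_", "-").lower()

def inventory(vendor_dir: Path, archive_versions: dict):
    """List each vendored crate with its Debian counterpart and status."""
    rows = []
    for manifest in sorted(vendor_dir.glob("*/Cargo.toml")):
        name, version = read_package(manifest)
        if not name:
            continue  # no [package] table: not a crate root
        pkg = debian_source_name(name)
        packaged = archive_versions.get(pkg)
        status = ("not packaged" if packaged is None
                  else "same version" if packaged == version else "differs")
        rows.append((manifest.parent.name, version, pkg, packaged, status))
    return rows

def demo():
    # Constructed sample tree and archive versions, not real data.
    sample = {"semver": "1.0.0", "nom": "7.0.0", "made_up_crate": "0.1.0"}
    archive = {"rust-semver": "1.0.0", "rust-nom": "7.1.0"}
    with tempfile.TemporaryDirectory() as tmp:
        for crate, ver in sample.items():
            d = Path(tmp) / crate
            d.mkdir()
            (d / "Cargo.toml").write_text(f'[package]\nname = "{crate}"\nversion = "{ver}"\n')
        return inventory(Path(tmp), archive)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Rows marked "differs" or "not packaged" are the copies that a security update to the Debian package would not reach.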