Bug#833278: firefox-esr: lack of apparmor profile

2023-12-30 Thread Sam Lee 
On Wed, 4 Dec 2019 02:15:16 +0300 dinar qurbanov  wrote:
> it is in apparmor-profiles package:
> https://packages.debian.org/stretch/all/apparmor-profiles/filelist

For Debian bookworm, an AppArmor profile is also available in the
apparmor-profiles package, but that profile is obsolete. It confines
binaries that match /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}
[1], which would not match the current location of the firefox-esr
binary which is at /usr/lib/firefox-esr/firefox-esr.

Debian should definitely ship an AppArmor profile with the firefox-esr
package. Web browsers are widely installed and have lots of security
vulnerabilities.

[1]: 
https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/3.0.8-3/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox#L21

Bug#833278: firefox-esr: lack of apparmor profile

2016-08-02 Thread Guy Rouger 
Package: firefox-esr
Version: 45.2.0esr-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
Run Firefox-esr on Debian Stretch with Apparmor active
   * What exactly did you do (or not do) that was effective (or ineffective)?
Run Firefox-esr
   * What was the outcome of this action?
Firefox-esr is running without protection
   * What outcome did you expect instead?
Firefox-esr would run with apparmor protection
but there is no profile
root@debian:/etc/apparmor.d# ls
abstractions  usr.lib.dovecot.dovecot-lda
apache2.d usr.lib.dovecot.imap
bin.ping  usr.lib.dovecot.imap-login
cache usr.lib.dovecot.lmtp
disable   usr.lib.dovecot.log
force-complainusr.lib.dovecot.managesieve
gst_plugin_scannerusr.lib.dovecot.managesieve-login
local usr.lib.dovecot.pop3
sbin.klogdusr.lib.dovecot.pop3-login
sbin.syslogd  usr.lib.dovecot.ssl-params
sbin.syslog-ngusr.sbin.apt-cacher-ng
tunables  usr.sbin.avahi-daemon
usr.bin.chromium-browser  usr.sbin.cups-browsed
usr.bin.evinceusr.sbin.cupsd
usr.bin.icedove   usr.sbin.dnsmasq
usr.bin.irssi usr.sbin.dovecot
usr.bin.pidginusr.sbin.identd
usr.bin.totem usr.sbin.mdnsd
usr.bin.totem-previewers  usr.sbin.nmbd
usr.lib.dovecot.anvil usr.sbin.nscd
usr.lib.dovecot.auth  usr.sbin.smbd
usr.lib.dovecot.configusr.sbin.smbldap-useradd
usr.lib.dovecot.deliver   usr.sbin.tcpdump
usr.lib.dovecot.dict  usr.sbin.traceroute
usr.lib.dovecot.dovecot-auth



*** End of the template - remove these template lines ***



-- Package-specific info:

-- Extensions information
Name: Adguard AdBlocker
Location: ${PROFILE_EXTENSIONS}/adguardadbloc...@adguard.com.xpi
Status: enabled

Name: Default theme
Location: 
/usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled

Name: Firefox Hello Beta
Location: ${PROFILE_EXTENSIONS}/l...@mozilla.org.xpi
Status: enabled

Name: Français Language Pack locale
Location: 
/usr/lib/firefox-esr/browser/extensions/langpack...@firefox-esr.mozilla.org.xpi
Package: firefox-esr-l10n-fr
Status: enabled

Name: Zoom Page
Location: ${PROFILE_EXTENSIONS}/zoomp...@dw-dev.xpi
Status: enabled

-- Plugins information
Name: IcedTea-Web Plugin (using IcedTea-Web 1.6.2 (1.6.2-3))
Location: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea-8-plugin:amd64
Status: enabled

Name: Shockwave Flash (22.0.0.192)
Location: /usr/lib/pipelight/libpipelight-flash.so
Status: enabled

Name: Silverlight Plug-In (5.1.30214.0)
Location: /usr/lib/pipelight/libpipelight-silverlight5.0.so
Status: enabled

Name: Widevine Media Optimizer (6.0.0.12442)
Location: /usr/lib/pipelight/libpipelight-widevine.so
Status: enabled


-- Addons package information
ii  firefox-esr45.2.0esr-1  amd64Mozilla Firefox web browser - Ext
ii  firefox-esr-l1 45.2.0esr-1  all  French language package for Firef
ii  icedtea-8-plug 1.6.2-3  amd64web browser plugin based on OpenJ

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils   4.8
ii  fontconfig2.11.0-6.4
ii  libasound21.1.1-2
ii  libatk1.0-0   2.20.0-1
ii  libc6 2.23-4
ii  libcairo2 1.14.6-1+b1
ii  libdbus-1-3   1.10.8-1
ii  libdbus-glib-1-2  0.106-1
ii  libevent-2.0-52.0.21-stable-2+b1
ii  libffi6   3.2.1-4
ii  libfontconfig12.11.94-0ubuntu1
ii  libfreetype6  2.6.3-3+b1
ii  libgcc1   1:6.1.1-10
ii  libgdk-pixbuf2.0-02.34.0-1
ii  libglib2.0-0  2.48.1-2
ii  libgtk2.0-0   2.24.30-4
ii  libhunspell-1.4-0 1.4.1-2
ii  libnspr4  2:4.12-2
ii  libnss3   2:3.23-2
ii  libpango-1.0-01.40.1-1
ii  libsqlite3-0  3.13.0-1
ii  libstartup-notification0  0.12-4
ii  libstdc++66.1.1-10
ii  libvpx3   1.5.0-3
ii  libx11-6  2:1.6.3-1
ii  libxcomposite11:0.4.4-1
ii  libxdamage1   1:1.1.4-2+b1
ii  libxext6  2:1.3.3-1
ii  libxfixes31:5.0.2-1
ii  libxrender1   1:0.9.9-2