Package: iceweasel
Version: 38.0.1-1
Severity: serious
Tags: security
Justification: security/privacy issue

The new version of iceweasel auto-disables the requestpolicy plugin.
To add insult to injury, it cannot be manually enabled, apparently
due to a version incompatibility.

This leads to page views no longer honouring the requestpolicy
settings but loading *all* external resources, thus violating
privacy and security, leaking user data to unwanted third parties,
disabling the probably most effective (if icky to use) ad blocker,
and causing general slowness due to ad javascript on several pages
(especially since the Intel Atom on an EeePC is so slow my Pentium M
(with less MHz) feels fast compared to it, before already).
-- Package-specific info:
-- Extensions information
Name: Classic Theme Restorer
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Clear Search 2
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Default theme
Location:
/usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Firebug
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-firebug
Status: enabled
Name: Greasemonkey
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Package: xul-ext-greasemonkey
Status: user-disabled
Name: HTTPS-Everywhere
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-https-everywhere
Status: user-disabled
Name: It's All Text!
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-itsalltext
Status: enabled
Name: RequestPolicy
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-requestpolicy
Status: app-disabled
Name: Status-4-Evar
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-status4evar
Status: enabled
Name: Y U no validate
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{20d36f97-15da-47ed-9f0a-13cbe85bdc84}
Package: xul-ext-y-u-no-validate
Status: enabled
-- Plugins information
-- Addons package information
ii iceweasel 38.0.1-1 i386 Web browser based on Firefox
ii xul-ext-firebu 2.0.4-1 all web development plugin for Icewea
ii xul-ext-grease 3.1-2 all customization of webpages with us
ii xul-ext-https- 4.0.3-1 all extension to force the use of HTT
ii xul-ext-itsall 1.9.1-2 all extension to edit textareas using
ii xul-ext-reques 0.5.28-1 all improve your browsing: more priva
ii xul-ext-status 2015.02.06.2 all Status bar widgets and progress i
ii xul-ext-y-u-no 2013052401-2 all browser extension to make securit
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 4.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages iceweasel depends on:
ii debianutils 4.5
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-18
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.18-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-5
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.44.0-3
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-1
ii libnss3 2:3.19-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.10.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 5.1.1-5
ii libvpx2 1.4.0-3
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
pn gstreamer1.0-libav <none>
pn gstreamer1.0-plugins-good <none>
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
pn libgnomeui-0 <none>
ii libgssapi-krb5-2 1.12.1+dfsg-20
pn mozplugger <none>
-- no debconf information
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
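
A check for the failure described in this report, as an added example that is not part of the original message or of any Debian tool: it parses an extensions listing in the layout shown above and returns the extensions whose status is app-disabled, meaning the browser rather than the user turned them off. The function names, the sample text and its placeholder paths are assumptions made for the illustration.

```python
import re

# Constructed sample in this report's layout; Location paths are placeholders.
SAMPLE = """\
-- Extensions information
Name: HTTPS-Everywhere
Location:
/usr/share/mozilla/extensions/APP-ID/EXT-ID-1
Package: xul-ext-https-everywhere
Status: user-disabled
Name: RequestPolicy
Location:
/usr/share/mozilla/extensions/APP-ID/EXT-ID-2
Package: xul-ext-requestpolicy
Status: app-disabled
-- Plugins information
"""

FIELD = re.compile(r"^(Name|Location|Package|Status):\s*(.*)$")

def parse_extensions(text):
    """Return one dict per extension listed in the extensions block."""
    records, current, last_key, in_block = [], None, None, False
    for line in text.splitlines():
        if line.startswith("-- "):
            in_block = line.strip() == "-- Extensions information"
            continue
        if not in_block or not line.strip():
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "name":
                current = {"name": value}
                records.append(current)
            elif current is not None:
                current[key] = value
            last_key = key
        elif current is not None and last_key == "location" and not current.get("location"):
            # Mail wrapping puts the path on the line after "Location:".
            current["location"] = line.strip()
    return records

def disabled_by_application(text):
    """Names of extensions with Status: app-disabled (not user-disabled)."""
    return [r["name"] for r in parse_extensions(text) if r.get("status") == "app-disabled"]

if __name__ == "__main__":
    print(disabled_by_application(SAMPLE))
```

Running it after a browser upgrade and comparing the result with a list of extensions that must stay active turns a silent loss of protection into a visible warning.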