Package: iceweasel
Version: 38.2.0esr-1~deb8u1
Severity: grave
Tags: upstream security patch
Justification: user security hole
Attaching to upstream FFOX also.
Bug # 1200375
This issue is caused by one of two problems.
1) We are given SLOP from mozilla which will not harden, the code needs to be
rejected until it can be hardened
2) This code is not compiled to be hardened, whether by mistake or otherwise
before distribution in debian
A simple scan of a running ice* application reveals the problem.
(check-security)
No stack canary
No RELRO
No PIE
other Dangerous options used
Firefox and its relatives are NOT GREEN. Next to zero hardening options are
used.
Web browser is 50% of incoming attack vector on client side, MAIL is the other
50%. 100% of the code is NOT SECURE.
All mozilla apps use the same code base and internal browser capabilities.
I dont think sylpheed and claws are affected(both are pretty much the same
application). This is a mozilla issue.
Dunno about you, but I sure as all hades do not appreciate this. People wonder
why they get hacked...the application is RIPE for the hacking.
There is NO reason why ANY application should not use these "options"(which
shouldnt even be optional, they should be MANDATED).
-- Package-specific info:
-- Extensions information
Name: Browser JSGuard
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: user-disabled
Name: BugMeNot Plugin
Location: ${PROFILE_EXTENSIONS}/{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
Status: enabled
Name: Capture & Print
Location: ${PROFILE_EXTENSIONS}/{146f1820-2b0d-49ef-acbf-d85a6986e10c}.xpi
Status: enabled
Name: CommentBlocker
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Copy As Plain Text
Location: ${PROFILE_EXTENSIONS}/{1a5dabbd-0e74-41da-b532-a364bb552cab}.xpi
Status: enabled
Name: Default theme
Location:
/usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Disable Anti-Adblock
Location: ${PROFILE_EXTENSIONS}/{d49a148e-817e-4025-bee3-5d541376de3b}.xpi
Status: enabled
Name: Disable DHE
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Do Not Survey
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Easy Youtube Video Downloader Express
Location: ${PROFILE_EXTENSIONS}/{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi
Status: enabled
Name: econoRead
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Ecosia — The search engine that plants trees!
Location: ${PROFILE_EXTENSIONS}/{d04b0b40-3dab-4f0b-97a6-04ec3eddbfb0}.xpi
Status: enabled
Name: F.B. Purity - Cleans Up Facebook
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: FanFic Filter
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled
Name: Foobar
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: h264ify
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: HTTP Nowhere
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: HTTPS-Everywhere
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-https-everywhere
Status: enabled
Name: I don't care about cookies
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: KeeFox
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Long URL Please
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Mozilla Archive Format
Location: ${PROFILE_EXTENSIONS}/{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi
Status: enabled
Name: NO Google Analytics
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: NoSquint
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-nosquint
Status: enabled
Name: OpenComment
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: PDF Download
Location: ${PROFILE_EXTENSIONS}/{37E4D8EA-8BDA-4831-8EA1-89053939A250}.xpi
Status: enabled
Name: Perspectives
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-perspectives
Status: enabled
Name: Plain Text Offenders
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Prevent writing passwords without SSL
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Print Edit
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Readability
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Redirect Remover
Location: ${PROFILE_EXTENSIONS}/{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}.xpi
Status: user-disabled
Name: Remove Cookies for Site
Location: ${PROFILE_EXTENSIONS}/{06997db0-c027-4d5f-bd37-b0d9230226ea}.xpi
Status: enabled
Name: Report Pedophile
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: RightToClick
Location: ${PROFILE_EXTENSIONS}/{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi
Status: enabled
Name: ShapeShift Lens
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: signup-block
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Stylish
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
Package: xul-ext-stylish
Status: enabled
Name: Tinfoil
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: uBlock
Location: ${PROFILE_EXTENSIONS}/{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi
Status: enabled
Name: unmask
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: URL Fixer
Location: ${PROFILE_EXTENSIONS}/{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi
Status: enabled
Name: User Agent Switcher
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
Package: xul-ext-useragentswitcher
Status: enabled
Name: Wide screen stackexchange sites
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: WOT
Location: ${PROFILE_EXTENSIONS}/{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
Status: enabled
Name: YouTube ALL HTML5
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: YouTube High Definition
Location: ${PROFILE_EXTENSIONS}/{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi
Status: enabled
Name: YouTube HTML5-Video
Location: ${PROFILE_EXTENSIONS}/[email protected]
Status: enabled
Name: Zotero
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-zotero
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
Name: Skype Buttons for Kopete
Location: /usr/lib/mozilla/plugins/skypebuttons.so
Package: kopete
Status: enabled
-- Addons package information
ii gnome-shell 3.14.4-1~deb amd64 graphical shell for the GNOME des
ii iceweasel 38.2.0esr-1~ amd64 Web browser based on Firefox
ii kopete 4:4.14.1-2 amd64 instant messaging and chat applic
ii xul-ext-https- 4.0.2-3 all extension to force the use of HTT
ii xul-ext-nosqui 2.1.9-2 all control the size of text of websi
ii xul-ext-perspe 4.5.2-1 all verify HTTPS sites through notary
ii xul-ext-stylis 1.4.3-2 all styles manager to customize web s
ii xul-ext-userag 0.7.3-1 all Iceweasel/Firefox addon that allo
ii xul-ext-zotero 4.0.22-1 all Iceweasel extension to organize a
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.4+b1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18
ii libcairo2 1.14.0-2.1
ii libdbus-1-3 1.8.18-0+deb8u1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u2
ii libglib2.0-0 2.42.1-1
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.7.1-1+deb8u1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1:1.4.5-dmo1
ii gstreamer1.0-plugins-good 1.4.4-2
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.12.1+dfsg-19
pn mozplugger <none>
-- no debconf information
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
