Your message dated Thu, 11 Jul 2013 23:03:01 +0000
with message-id <[email protected]>
and subject line Bug#714168: fixed in adblock-plus 2.3-1
has caused the Debian Bug report #714168,
regarding [xul-ext-adblock-plus] adblock plus: typo correction potential 
security issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
714168: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714168
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xul-ext-adblock-plus
Version: 2.2.4-1
Severity: normal

--- Please enter the report below this line. ---

Although this is disabled by default AdBlock will ask you if you want to enable 
it when you typo a website for the first time. There is no indication that 
enabling this feature would download a set of rules
from a remote website over HTTP!

In lib/typoRules.js typo correction rules are downloaded from a remote site 
over http:
 loadRulesFrom("http://urlfixer.org/download/rules.json?version="; + 
RULES_VERSION, false, function(success)

This ruleset can contain arbitrary regular expressions that can rewrite URLs, 
insert affiliate tags, etc.,
so controlling this ruleset would allow an attacker to control what websites 
you are visiting.

Fixing this is unfortunately not as simple as using an https:// URL, as 
although the website supports https the download URL no longer works for the 
rules.json over HTTPS.

I'm not sure what the appropriate course of action would be, but here are some 
suggestions:
 * warn the user that enabling typo correction makes them vulnerable
 * warn them that enabling typo correction might insert some affiliate tags 
(see Monetization here:
https://adblockplus.org/blog/typo-correction-feature-in-adblock-plus)
 * have upstream provide an HTTPs URL for the rules
 * have a Debian package that provides the rules.json


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.9.5

Debian Release: jessie/sid
  500 unstable        ftp.ro.debian.org 
  500 stable          security.debian.org 
  500 stable          ftp.ro.debian.org 

--- Package information. ---
Depends        (Version) | Installed
========================-+-===========
iceweasel     (>= 16.0)  | 17.0.7esr-1
 OR icedove   (>= 16.0)  | 17.0.5-2
 OR iceape     (>= 2.13) | 


Package's Recommends field is empty.

Package's Suggests field is empty.

--- End Message ---
--- Begin Message ---
Source: adblock-plus
Source-Version: 2.3-1

We believe that the bug you reported is fixed in the latest version of
adblock-plus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated adblock-plus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 11 Jul 2013 18:42:01 -0400
Source: adblock-plus
Binary: xul-ext-adblock-plus
Architecture: source all
Version: 2.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Mozilla Extension Maintainers 
<[email protected]>
Changed-By: David Prévot <[email protected]>
Description: 
 xul-ext-adblock-plus - advertisement blocking extension for web browsers
Closes: 714168
Changes: 
 adblock-plus (2.3-1) unstable; urgency=low
 .
   * New upstream release:
     - Removed typo correction feature (Closes: #714168)
   * Remove version dependency for mozilla-devscripts
   * Remove Conflicts with mozilla-firefox-adblock
   * Maintainer and Uploaders update: team as Maintainer, and replace Benjamin
     Drung as requested, thanks for your work on adblock-plus!
Checksums-Sha1: 
 22bc0a504a90c136694edf374635ef7b55a6b3ff 1780 adblock-plus_2.3-1.dsc
 ec6fe48bea0262f99e000eb54148234cc4cd8457 637717 adblock-plus_2.3.orig.tar.gz
 5cc6cb3f22bfd1bcc0eb2e6fe5f38394408339f7 6879 adblock-plus_2.3-1.debian.tar.gz
 18e8047dddcc160956761ccb14b71c7ab9085795 568606 
xul-ext-adblock-plus_2.3-1_all.deb
Checksums-Sha256: 
 6b6149dc65b6667987f2283757d8616d6ff6182620fb7ac41db44dd7cbae5955 1780 
adblock-plus_2.3-1.dsc
 00462b0a010f239b3a6f2f09dc7b6833b332175b5301f317b65abb92cee84cfb 637717 
adblock-plus_2.3.orig.tar.gz
 a3edd15ca1e12fb9d8857bdd5497595dc12a577341e188194582626506e83d44 6879 
adblock-plus_2.3-1.debian.tar.gz
 af4300ba564eab426ec2b8bd58c4cd662cac56e810468f48440ede226ab9fe85 568606 
xul-ext-adblock-plus_2.3-1_all.deb
Files: 
 18a7a407bf479f311939a0f29332ae6d 1780 web optional adblock-plus_2.3-1.dsc
 2e51e08b78bb542e721a35e32a566af2 637717 web optional 
adblock-plus_2.3.orig.tar.gz
 e9438b445941bd08490a66e33bbdab86 6879 web optional 
adblock-plus_2.3-1.debian.tar.gz
 93c784ca37094be0658a790962bd9f0e 568606 web optional 
xul-ext-adblock-plus_2.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJR3zXNAAoJEAWMHPlE9r08k3kH/3ddIPgHGOA8J2ARvc2RaEoM
GhO6mqsTdLoKjfMHguqx+nTz/QVQysVOFAhkhxLA+yxnT3MhusoZLTL/hCSUNcHL
ly5GJWhfBIar7H8aHsiNmPXkajclqkNEXj/iLTPITrGSGlcPflfwYCqwKEfVwV7i
sUb7u1GzP+KDLjkH/dPTp9SAvdTNm8aSx1/jEpcVSBj34hpM9zR8WNNbFyEjJqDV
LmdNGlhzAwSTbCNU5jxR/CbN7BTs7Um+Ozc+hlD3ceTU78q3LJPQn3DB4Jma1qke
m0WcI1YVHkqrGElsPXiQL8nE9i5WiNCTD+D4Q95HEnYFfjuma+6XsP64o9lUISQ=
=8wqo
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to