Package: firefox
Version: 103.0.2-2
Severity: serious

Hi,

The firefox source package currently ships various libraries that are packaged in Debian, but at build time the local copies are used instead. The package build process should use the versions packaged in Debian.

Examples of these are basically everything in the third_party directory, specifically the ones I'm aware of and why I'm reporting this here are the ones in third_party/rust.

- third_party/rust/semver corresponds to the rust-semver package in Debian.
- third_party/rust/time corresponds to the rust-time package in Debian.
- third_party/rust/time-0.1.44 corresponds to the rust-time-0.1 package in Debian.
- third_party/rust/nom corresponds to the rust-nom package in Debian.
- third_party/rust/nom-6.1.2 corresponds to the rust-nom package in Debian too but currently no nom-6 version is packaged.

These are just examples, basically everything in the directory is affected. In addition all the libraries that currently are not packaged in Debian should ideally be packaged in Debian instead of using some arbitrary version that is bundled with firefox.

Note that various of these libraries had CVEs in the past, e.g. CVE-2022-24713 for third_party/rust/regex, so having various copies of them in different source packages is clearly not ideal.
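An audit of the kind the report implies, as an added example that is not part of the original report or of the firefox packaging: it maps each third_party/rust directory name to a candidate Debian source package and classifies it as packaged, packaged only in another version series, or not packaged. The naming rule (rust-<crate>, with a semver-compatible suffix such as 0.1 or 6 for versioned directories, and underscores turned into hyphens) and the `packaged` set are assumptions built from the examples in the report, not a live archive query; `example_unpackaged` is a made-up crate name.

```python
import re
import tempfile
from pathlib import Path

# Directory names are either "<crate>" or "<crate>-<x.y.z>" (as in the report).
VERSIONED = re.compile(r"^(?P<name>.+)-(?P<ver>\d+\.\d+\.\d+\S*)$")

def debian_source_name(dirname):
    """Map a third_party/rust directory name to candidate Debian source packages.

    Assumption: unversioned dirs map to rust-<crate>; versioned dirs map to
    rust-<crate>-<semver-compatible prefix> ("0.1" for 0.1.44, "6" for 6.1.2).
    Returns (exact_name, fallback_name_or_None).
    """
    m = VERSIONED.match(dirname)
    if not m:
        return "rust-" + dirname.replace("_", "-"), None
    name = m["name"].replace("_", "-")
    major, minor = m["ver"].split(".")[:2]
    suffix = f"0.{minor}" if major == "0" else major
    return f"rust-{name}-{suffix}", f"rust-{name}"

def audit(vendor_dir, packaged):
    """Return {dirname: (status, package)} for every vendored crate directory."""
    report = {}
    for entry in sorted(p.name for p in Path(vendor_dir).iterdir() if p.is_dir()):
        exact, fallback = debian_source_name(entry)
        if exact in packaged:
            report[entry] = ("packaged", exact)
        elif fallback in packaged:
            # Crate is in Debian, but not in this semver-compatible series.
            report[entry] = ("other-version-only", fallback)
        else:
            report[entry] = ("not-packaged", exact)
    return report

def demo():
    # Constructed sample: directory names from the report plus one made-up crate.
    dirs = ["semver", "time", "time-0.1.44", "nom", "nom-6.1.2", "example_unpackaged"]
    packaged = {"rust-semver", "rust-time", "rust-time-0.1", "rust-nom"}
    with tempfile.TemporaryDirectory() as tmp:
        for d in dirs:
            (Path(tmp) / d).mkdir()
        return audit(tmp, packaged)

if __name__ == "__main__":
    for name, (status, pkg) in demo().items():
        print(f"{name:22} {status:20} {pkg}")
```

Entries reported as other-version-only or not-packaged are the ones where a security fix in the Debian package would not reach the bundled copy.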