Package: firefox
Version: 103.0.2-2
Severity: serious

Hi,

The firefox source package currently ships various libraries that are packaged
in Debian, but at build time the local copies are used instead. The package
build process should use the versions packaged in Debian.

Examples of these are basically everything in the third_party directory,
specifically the ones I'm aware of and why I'm reporting this here are the
ones in third_party/rust.

  - third_party/rust/semver corresponds to the rust-semver package in Debian.
  - third_party/rust/time corresponds to the rust-time package in Debian.
  - third_party/rust/time-0.1.44 corresponds to the rust-time-0.1 package in
    Debian.
  - third_party/rust/nom corresponds to the rust-nom package in Debian.
  - third_party/rust/nom-6.1.2 corresponds to the rust-nom package in Debian
    too but currently no nom-6 version is packaged.

These are just examples, basically everything in the directory is affected.

In addition all the libraries that currently are not packaged in Debian should
ideally be packaged in Debian instead of using some arbitrary version that is
bundled with firefox.

Note that various of these libraries had CVEs in the past, e.g. CVE-2022-24713
for third_party/rust/regex, so having various copies of them in different
source packages is clearly not ideal.

-- Package-specific info:

-- Extensions information
Name: Add-ons Search Detection
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Amazon.com
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Bing
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Dark theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: user-disabled

Name: DoH Roll-Out
Location: /usr/lib/firefox/browser/features/doh-roll...@mozilla.org.xpi
Package: firefox
Status: enabled

Name: DuckDuckGo
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: eBay
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Firefox Alpenglow theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: user-disabled

Name: Firefox Multi-Account Containers
Location: ${PROFILE_EXTENSIONS}/@testpilot-containers.xpi
Status: enabled

Name: Firefox Screenshots
Location: /usr/lib/firefox/browser/features/screensh...@mozilla.org.xpi
Package: firefox
Status: enabled

Name: Form Autofill
Location: /usr/lib/firefox/browser/features/formautof...@mozilla.org.xpi
Package: firefox
Status: enabled

Name: GNOME Shell integration
Location: ${PROFILE_EXTENSIONS}/chrome-gnome-sh...@gnome.org.xpi
Status: enabled

Name: Google
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: HTTPS Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere-...@eff.org.xpi
Status: enabled

Name: Light theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: No Flash
Location: ${PROFILE_EXTENSIONS}/jid1-cplltty501t...@jetpack.xpi
Status: app-disabled

Name: Picture-In-Picture
Location: /usr/lib/firefox/browser/features/pictureinpict...@mozilla.org.xpi
Package: firefox
Status: enabled

Name: Privacy Badger
Location: ${PROFILE_EXTENSIONS}/jid1-mnnxcxisbpnsxq-...@jetpack.xpi
Status: user-disabled

Name: System theme — auto theme
Location: /usr/lib/firefox/omni.ja
Package: firefox
Status: user-disabled

Name: uBlock Origin
Location: ${PROFILE_EXTENSIONS}/ublo...@raymondhill.net.xpi
Status: enabled

Name: Video DownloadHelper
Location: ${PROFILE_EXTENSIONS}/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
Status: enabled

Name: Web Compatibility Interventions
Location: /usr/lib/firefox/browser/features/webcom...@mozilla.org.xpi
Package: firefox
Status: enabled

Name: WebCompat Reporter
Location: /usr/lib/firefox/browser/features/webcompat-repor...@mozilla.org.xpi
Package: firefox
Status: user-disabled

Name: Wikipedia (en)
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Yomichan
Location: ${PROFILE_EXTENSIONS}/a...@foosoft.net.xpi
Status: enabled


-- Addons package information
ii  firefox        103.0.2-2    amd64        Mozilla Firefox web browser

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (700, 'unstable'), (500, 'unstable-debug'), (100, 'experimental'), (1, 'experimental-debug')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox depends on:
ii  debianutils          5.7-0.3
ii  fontconfig           2.13.1-4.4
ii  libasound2           1.2.7.2-1
ii  libatk1.0-0          2.38.0-1
ii  libc6                2.34-4
ii  libcairo-gobject2    1.16.0-6
ii  libcairo2            1.16.0-6
ii  libdbus-1-3          1.14.0-2
ii  libdbus-glib-1-2     0.112-2
ii  libevent-2.1-7       2.1.12-stable-5+b1
ii  libffi8              3.4.2-4
ii  libfontconfig1       2.13.1-4.4
ii  libfreetype6         2.12.1+dfsg-3
ii  libgcc-s1            12.1.0-8
ii  libgdk-pixbuf-2.0-0  2.42.9+dfsg-1
ii  libglib2.0-0         2.72.3-1+b1
ii  libgtk-3-0           3.24.34-1
ii  libnspr4             2:4.34-1
ii  libnss3              2:3.81-2
ii  libpango-1.0-0       1.50.9+ds-1
ii  libstdc++6           12.1.0-8
ii  libvpx7              1.12.0-1
ii  libx11-6             2:1.8.1-2
ii  libx11-xcb1          2:1.8.1-2
ii  libxcb-shm0          1.15-1
ii  libxcb1              1.15-1
ii  libxcomposite1       1:0.4.5-1
ii  libxdamage1          1:1.1.5-2
ii  libxext6             2:1.3.4-1
ii  libxfixes3           1:6.0.0-1
ii  libxrandr2           2:1.5.2-2+b1
ii  libxtst6             2:1.2.3-1.1
ii  procps               2:3.3.17-7+b1
ii  zlib1g               1:1.2.11.dfsg-4.1

Versions of packages firefox recommends:
ii  libavcodec57  7:3.4.3-1
ii  libavcodec58  7:4.4.2-1+b3
ii  libavcodec59  7:5.1-2+b1

Versions of packages firefox suggests:
ii  fonts-lmodern          2.005-1
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-10
ii  libgssapi-krb5-2       1.20-1
ii  pulseaudio             15.0+dfsg1-4+b1

-- no debconf information
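
The vendored-crate to Debian-package mapping described in the report above, as an added example that is not part of the original report or of Debian's or Mozilla's tooling. The `rust-<crate>` / `rust-<crate>-<series>` naming rule is an assumption generalised from the package names in the report, and every version, the `examplecrate` entry and the archive state in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

def compat(version):
    """Semver-compatible series: '6' for 6.1.2, '0.1' for 0.1.44."""
    major, minor = version.split(".")[:2]
    return major if major != "0" else f"0.{minor}"

def read_crate(crate_dir):
    """Return (name, version) from the [package] table of Cargo.toml."""
    text = (crate_dir / "Cargo.toml").read_text()
    pkg = re.search(r"^\[package\]$(.*?)(?=^\[|\Z)", text, re.M | re.S).group(1)
    get = lambda key: re.search(rf'^{key}\s*=\s*"([^"]+)"', pkg, re.M).group(1)
    return get("name"), get("version")

def audit(vendor_dir, packaged):
    """Classify each vendored crate against {debian_source_package: version}."""
    report = {}
    for crate_dir in sorted(p for p in vendor_dir.iterdir() if p.is_dir()):
        name, version = read_crate(crate_dir)
        series = compat(version)
        # Assumed naming: rust-<crate> for the newest series,
        # rust-<crate>-<series> for older series packaged in parallel.
        base = "rust-" + name.replace("_", "-")
        hits = [p for p in (base, f"{base}-{series}")
                if p in packaged and compat(packaged[p]) == series]
        status = ("packaged" if hits else
                  "series-not-packaged" if base in packaged else "not-packaged")
        report[crate_dir.name] = (status, hits[0] if hits else None)
    return report

def demo():
    """Audit a constructed tree; versions and archive state are sample data."""
    vendored = {"semver": "1.0.9", "time": "0.3.9", "time-0.1.44": "0.1.44",
                "nom": "7.1.1", "nom-6.1.2": "6.1.2", "examplecrate": "0.2.0"}
    packaged = {"rust-semver": "1.0.12", "rust-time": "0.3.9",
                "rust-time-0.1": "0.1.44", "rust-nom": "7.1.1"}
    with tempfile.TemporaryDirectory() as tmp:
        for dirname, version in vendored.items():
            crate_dir = Path(tmp) / dirname
            crate_dir.mkdir()
            name = dirname.split("-")[0]  # 'time-0.1.44' -> 'time'
            (crate_dir / "Cargo.toml").write_text(
                f'[package]\nname = "{name}"\nversion = "{version}"\n\n[lib]\n')
        return audit(Path(tmp), packaged)

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

A `packaged` result only means a semver-compatible series exists in the supplied package list, not that the vendored copy and the packaged one are the same version.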
