Bug#911364: firefox-esr: Master password lost after update from ESR v52.9.0 to ESR v60.2.2 (along with all user certificates and saved passwords)
I have a terminal served system but I am unsure who might have the issue. Is there a way to scan the users' Firefox settings to see how many users have the "master password" set?

Huge thanks,
Bernie
Bug#911364: firefox-esr: Master password lost after update from ESR v52.9.0 to ESR v60.2.2 (along with all user certificates and saved passwords)
Package: firefox-esr
Version: 60.3.0esr-1~deb8u1
Followup-For: Bug #911364

Dear Maintainer,

what could possibly go wrong when updating Firefox ESR to the next major release? This issue now arrived in Debian Jessie. I can confirm and reproduce it with these steps. Prerequisite is that a master password is used:

1. Delete ~/.mozilla directory and restore it from a backup that was made from Firefox ESR 52
2. Start Firefox ESR 60
3. Close Firefox ESR 60
4. Start Firefox ESR 60 again
-> All saved passwords are permanently gone!

The issue can be avoided by entering the master password on the very first start of Firefox ESR 60. Reproduction steps:

1. Delete ~/.mozilla directory and restore it from a backup that was made from Firefox ESR 52
2. Start Firefox ESR 60
3. Unlock the password store by entering the master password
4. Close Firefox ESR 60
5. Start Firefox ESR 60 again
-> Saved passwords are intact.

The key issue is that the key3.db file is not properly migrated to the new version and during the migration it is even destroyed. The key3.db is therefore required from a backup to restore the saved passwords. This can be even an older backup. That way, it is possible to restore recently saved passwords by using a key3.db file from an older backup:

1. Delete key4.db file from the Firefox ESR 60 profile (e.g. ~/.mozilla/firefox/.default/key4.db)
2. Replace key3.db file from an older backup
3. Start Firefox ESR 60
4. Unlock the password store by entering the master password
5. Close Firefox ESR 60
6. Start Firefox ESR 60 again
-> Saved passwords are restored.

On affected systems both key3.db and key4.db files exist. Where on a properly migrated installation, only key4.db file exists. It should be therefore possible to detect if a user was affected by this issue.
Thanks
Andreas

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: 8.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-0.bpo.6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3+deb8u1
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-18+deb8u10
ii  libcairo-gobject2         1.14.0-2.1+deb8u2
ii  libcairo2                 1.14.0-2.1+deb8u2
ii  libdbus-1-3               1.8.22-0+deb8u1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2+deb8u1
ii  libffi6                   3.1-2+deb8u1
ii  libfontconfig1            2.11.0-6.3+deb8u1
ii  libfreetype6              2.5.2-3+deb8u2
ii  libgcc1                   1:4.9.2-10+deb8u1
ii  libgdk-pixbuf2.0-0        2.31.1-2+deb8u7
ii  libglib2.0-0              2.42.1-1+b1
ii  libgtk-3-0                3.14.5-1+deb8u1
ii  libpango-1.0-0            1.36.8-3
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10+deb8u1
ii  libx11-6                  2:1.6.2-3+deb8u2
ii  libx11-xcb1               2:1.6.2-3+deb8u2
ii  libxcb-shm0               1.10-3+b1
ii  libxcb1                   1.10-3+b1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+deb8u1
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9+deb8u1
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages firefox-esr recommends:
ii  libavcodec56  6:11.12-1~deb8u1

Versions of packages firefox-esr suggests:
pn  fonts-lmodern
pn  fonts-stix | otf-stix
ii  libcanberra0      0.30-2.1
ii  libgssapi-krb5-2  1.12.1+dfsg-19+deb8u4
ii  libgtk2.0-0       2.24.25-3+deb8u2
pn  pulseaudio

-- no debconf information
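Added example (not part of the original messages or of the firefox-esr package): a multi-user scan based on the file-presence indicator described in the report above, where a profile holding both key3.db and key4.db is the state the report associates with the failed migration. The state labels, function names and the assumption that profiles live under <home root>/*/.mozilla/firefox/ are choices made for this example.

```shell
#!/bin/sh
# Classify one Firefox profile directory by which NSS key databases it holds.
# Labels are this example's own, not Firefox or Debian terminology.
classify_profile() {
    dir=$1
    if [ -f "$dir/key3.db" ] && [ -f "$dir/key4.db" ]; then
        echo "CHECK"     # both files: state the report ties to the failed migration
    elif [ -f "$dir/key4.db" ]; then
        echo "MIGRATED"  # only key4.db: what a properly migrated profile looks like
    elif [ -f "$dir/key3.db" ]; then
        echo "PENDING"   # only key3.db: not yet opened by ESR 60, back it up first
    else
        echo "NOKEYDB"   # not a profile (e.g. "Crash Reports") or no key store
    fi
}

# Walk <home_root>/*/.mozilla/firefox/*/ and print "STATE<TAB>profile path"
# for every directory that contains at least one key database.
scan_homes() {
    root=${1:-/home}
    for profile in "$root"/*/.mozilla/firefox/*/; do
        [ -d "$profile" ] || continue
        profile=${profile%/}
        state=$(classify_profile "$profile")
        [ "$state" = "NOKEYDB" ] || printf '%s\t%s\n' "$state" "$profile"
    done
}

# Scan only when a home root is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_homes "$1"
fi
```

Run it as a user that can read every home directory, for example `sh scan.sh /home`. Profiles reported as PENDING are the ones where a backup of key3.db taken before the first ESR 60 start still prevents the loss.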
Bug#911364: firefox-esr: Master password lost after update from ESR v52.9.0 to ESR v60.2.2 (along with all user certificates and saved passwords)
Package: firefox-esr
Version: 60.2.2esr-1~deb9u1
Severity: critical
Tags: upstream
Justification: causes serious data loss

Dear Maintainer,

The recent update of firefox-esr from ESR v52.9.0 to ESR v60.2.2 leads to loss of user certificates (technically, to the loss of the private key) along with saved passwords.

The issue appears to be related to the use of a master password along with the migration from key3.db to key4.db for private key storage. The first time firefox v60 starts (using a v52 profile) all certificates are properly preserved along with the use of a master password (as reported in about:preferences#privacy). However, closing that firefox instance and opening it again reports that the use of a master password is disabled. Private keys for user certificates and saved passwords are permanently lost at that point.

Workaround:

1- Before starting firefox-esr v60, create a backup of your profile information at ~/.mozilla/firefox.
2- Start firefox-esr v60 for the first time.
3- Change master password.
4- Close firefox-esr v60.

Unfortunately, users having this issue may notice this workaround once it is too late and they already lost important information.

Notes:

- Does not seem to be an extension issue (firefox-esr -safe-mode does not help).
- Trying to read upgraded profile data with certutil yields messages which appear related to https://bugzilla.mozilla.org/show_bug.cgi?id=497672 :

certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.
Kind regards,
Ian Blanes

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: 9.5
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u3
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.26-0+deb9u1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18+deb9u1
ii  libgdk-pixbuf2.0-0        2.36.5-2+deb9u2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.40.5-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18+deb9u1
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3+deb9u1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages firefox-esr recommends:
ii  libavcodec57  7:3.2.12-1~deb9u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-3
ii  fonts-stix [otf-stix]  1.1.1-4
ii  libcanberra0           0.30-3
ii  libgssapi-krb5-2       1.15-1+deb9u1
ii  libgtk2.0-0            2.24.31-2
ii  pulseaudio             10.0-1+deb9u1

-- no debconf information