Package: iceweasel
Version: 38.0-2
Severity: grave
Tags: upstream

I opened up the developer menu in Firefox 38, and saw the new "WebIDE".
I opened that up to take a look at it, and then closed it, without
running anything else.

That action alone apparently caused Firefox to silently download the
"ADB Helper" and "Valence" extensions in the background (see extension
list below), install them without prompting, and run them.  That in turn
downloaded and ran a pre-compiled adb binary in the background (which
Firefox launches at startup).

While it's potentially acceptable to *optionally* install such
extensions on user request, or even prompt to install them, silently
doing so without user consent in response to opening WebIDE (and doing
absolutely nothing with it) is definitely not OK.

This is upstream bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1114380

- Josh Triplett

-- Package-specific info:

-- Extensions information
Name: ADB Helper
Location: ${PROFILE_EXTENSIONS}/adbhel...@mozilla.org
Status: enabled

Name: Adblock Plus
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Default theme
Location: 
/usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: HTTPS-Everywhere
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/https-everywh...@eff.org
Package: xul-ext-https-everywhere
Status: enabled

Name: It's All Text!
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/itsallt...@docwhat.gerf.org
Package: xul-ext-itsalltext
Status: enabled

Name: Valence
Location: ${PROFILE_EXTENSIONS}/fxdevtools-adapt...@mozilla.org
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled


-- Addons package information
ii  gnome-shell    3.14.4-1     amd64        graphical shell for the GNOME des
ii  iceweasel      38.0-2       amd64        Web browser based on Firefox
ii  rhythmbox-plug 3.2.1-1      amd64        plugins for rhythmbox music playe
ii  xul-ext-adbloc 2.6.9+dfsg-2 all          advertisement blocking extension 
ii  xul-ext-https- 4.0.3-1      all          extension to force the use of HTT
ii  xul-ext-itsall 1.9.1-2      all          extension to edit textareas using

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.5
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.16.0-2
ii  libc6                     2.19-18
ii  libcairo2                 1.14.2-2
ii  libdbus-1-3               1.8.18-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-4
ii  libgcc1                   1:5.1.1-5
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.44.0-3
ii  libgtk2.0-0               2.24.25-3
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.8-1
ii  libnss3                   2:3.19-1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.10.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                5.1.1-5
ii  libvpx2                   1.4.0-3
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.5-2+b1

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-20
pn  mozplugger             <none>

-- no debconf information


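As an added check (this is example code, not part of the bug report or of iceweasel itself): a small shell filter that reads a reportbug-style "Extensions information" listing like the one above and prints the extensions that live in the profile directory with no owning Debian package, i.e. add-ons that apt did not put there and that the user should be able to account for. The listing embedded below is constructed for the example, and its extension IDs are placeholders rather than the real ones.

```shell
#!/bin/sh
# Added example, not code from the bug report: flag Firefox/Iceweasel
# extensions that were installed into the profile rather than by a
# Debian package, given a reportbug-style extension listing on stdin.

# Constructed sample listing in reportbug's format. Extension IDs are
# placeholders. reportbug abbreviates the profile's extensions directory
# as ${PROFILE_EXTENSIONS} and wraps long Location: values onto the
# following line, which the parser below handles.
SAMPLE_REPORT='Name: ADB Helper
Location: ${PROFILE_EXTENSIONS}/helper-a@example.org
Status: enabled

Name: Adblock Plus
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
Package: xul-ext-adblock-plus
Status: enabled

Name: Default theme
Location: 
/usr/lib/iceweasel/browser/extensions/{ffffffff-0000-1111-2222-333333333333}
Package: iceweasel
Status: enabled

Name: Valence
Location: ${PROFILE_EXTENSIONS}/adapters-b@example.org
Status: enabled
'

# Read records separated by blank lines; print the Name of every record
# whose Location is outside /usr (i.e. in the profile) and that has no
# "Package:" line, meaning no Debian package owns it.
flag_unpackaged_extensions() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; location = ""; packaged = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Name: /) {
                name = substr($i, 7)
            } else if ($i ~ /^Location:/) {
                location = substr($i, 11)
                # reportbug wraps long paths onto the next line.
                if (location == "" && i < NF) { i++; location = $i }
            } else if ($i ~ /^Package: /) {
                packaged = 1
            }
        }
        if (name != "" && !packaged && location !~ /^\/usr\//) {
            print name
        }
    }'
}

# Run the filter over the constructed sample; returns one name per line.
audit_sample() {
    printf '%s\n' "$SAMPLE_REPORT" | flag_unpackaged_extensions
}

# Count of unpackaged profile extensions in the sample (expected: 2).
audit_sample_count() {
    audit_sample | wc -l | tr -d ' '
}

audit_sample
```

On a live system the same question can be asked directly: list `~/.mozilla/firefox/*/extensions/` (the usual profile location) and compare against what `dpkg -l 'xul-ext-*'` shows as installed, and check with `pgrep -a adb` whether an adb server is already running, which is the symptom the report describes.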