[Pkg-mozext-maintainers] mozilla-noscript 5.1.7-1 MIGRATED to testing

2018-03-01 Thread Debian testing watch
FYI: The status of the mozilla-noscript source package
in Debian's testing distribution has changed.

  Previous version: 5.0.10-1
  Current version:  5.1.7-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

___
Pkg-mozext-maintainers mailing list
Pkg-mozext-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mozext-maintainers


[Pkg-mozext-maintainers] Bug#891882: enigmail 2.0~beta1 runs unsandboxed code (pepmda) from the Internet without prompting the user

2018-03-01 Thread Daniel Kahn Gillmor
Package: enigmail
Version: 2:2.0~beta1-1
Severity: normal

enigmail 2.0 downloads pepmda from the internet by default, even for
users who have not opted into using pep.  This includes the following
files, which either duplicate code already in debian, or which we
don't have source for in debian:

  3589171  28708 -rwxr-xr-x 1 tst tst 29394216 Feb 25 14:48 pepmda/bin/pep-json-server
  3589180      4 -rw-r--r-- 1 tst tst     1206 Feb 25 14:49 pepmda/release.json
  3589178  18816 -rw-r--r-- 1 tst tst 19267584 Feb 25 14:48 pepmda/share/pEp/system.db
  3589169      4 -rw-r--r-- 1 tst tst     1150 Feb 25 14:49 pepmda/share/pEp/html/json-test.ico
  3589177      4 -rw-r--r-- 1 tst tst     2991 Feb 25 14:49 pepmda/share/pEp/html/index.html
  3572660     20 -rw-r--r-- 1 tst tst    18104 Feb 25 14:49 pepmda/share/pEp/html/interactive.js
  3589188     84 -rw-r--r-- 1 tst tst    85589 Feb 25 14:49 pepmda/share/pEp/html/jquery-2.2.0.min.js
  3534200   4292 -rwxr-xr-x 1 tst tst  4393056 Feb 25 14:48 pepmda/lib/libetpan.so.17
  3589184    304 -rw-r--r-- 1 tst tst   308360 Feb 25 14:48 pepmda/lib/libevent-2.0.so.5
  3589182    596 -rwxr-xr-x 1 tst tst   610128 Feb 25 14:48 pepmda/lib/libpEpEngine.so
  3572662   1796 -rw-r--r-- 1 tst tst  1835928 Feb 25 14:48 pepmda/lib/libstdc++.so.6
  3589170     84 -rw-r--r-- 1 tst tst    85112 Feb 25 14:48 pepmda/lib/libgpg-error.so.0
  3589189    284 -rw-r--r-- 1 tst tst   289192 Feb 25 14:48 pepmda/lib/libgpgme.so.11
  3589185   1064 -rw-r--r-- 1 tst tst  1088904 Feb 25 14:48 pepmda/lib/libsqlite3.so.0
  3589183    196 -rw-r--r-- 1 tst tst   198432 Feb 25 14:48 pepmda/lib/libboost_thread.so.1.62.0
  3589174    108 -rw-r--r-- 1 tst tst   108816 Feb 25 14:48 pepmda/lib/libz.so.1
  3589186     80 -rw-r--r-- 1 tst tst    81560 Feb 25 14:48 pepmda/lib/libassuan.so.0
  3589172    608 -rw-r--r-- 1 tst tst   618832 Feb 25 14:48 pepmda/lib/libboost_program_options.so.1.62.0
  3589179     96 -rw-r--r-- 1 tst tst    97392 Feb 25 14:48 pepmda/lib/libgcc_s.so.1
  3589181    116 -rw-r--r-- 1 tst tst   116672 Feb 25 14:48 pepmda/lib/libboost_filesystem.so.1.62.0
  3589173     24 -rw-r--r-- 1 tst tst    22288 Feb 25 14:48 pepmda/lib/libuuid.so.1
  3589187     20 -rw-r--r-- 1 tst tst    18520 Feb 25 14:48 pepmda/lib/libboost_system.so.1.62.0


I don't think it is appropriate for a package in debian; users can't
ensure that these packages are kept up-to-date (or that they meet
debian standards), and they don't necessarily have the free software
guarantees that they might expect, even if pep as distributed today is
entirely free software.

in particular, they are fetched by package/installPep.jsm, which pulls
the info about the p≡p library from
https://www.enigmail.net/service/getPepDownload.svc, which looks like
it permits the controller of https://www.enigmail.net/ to serve
arbitrary data (the fingerprints of the files to download are not
embedded in the enigmail source).

(there are other nagging technical details too, such as this profile
not working in a multiarch scenario, but those are secondary to the
software freedom and arbitrary code execution concerns above)

This appears to remain the situation in subsequent betas of enigmail,
so i'm going to raise the concern upstream.

I do not think this enigmail should make it into debian unstable with
this behavior.  While i'm trying to figure out a satisfactory solution
with upstream, i'll most likely try to patch this part out if i can
figure out how to do so cleanly.

   --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages enigmail depends on:
ii  gnupg                    2.2.5-1
ii  gnupg-agent              2.2.5-1
ii  gnupg2                   2.2.5-1
ii  gpg-agent [gnupg-agent]  2.2.5-1
ii  icedove                  1:52.4.0-1
ii  thunderbird              1:52.6.0-1+b1

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1
ii  pinentry-qt [pinentry-x11]      1.1.0-1

enigmail suggests no packages.

-- no debconf information

[Pkg-mozext-maintainers] Bug#878695: marked as done (xul-ext-noscript: no longer works on existing profiles since last update)

2018-03-01 Thread Debian Bug Tracking System
Your message dated Thu, 01 Mar 2018 16:00:28 +0100
with message-id <1519916428.3941.9.ca...@scientia.net>
and subject line Re: [Pkg-mozext-maintainers] Bug#878695: xul-ext-noscript: no longer works on existing profiles since last update
has caused the Debian Bug report #878695,
regarding xul-ext-noscript: no longer works on existing profiles since last update
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
878695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878695
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xul-ext-noscript
Version: 5.1.2-1
Severity: grave
Tags: security
Justification: renders package unusable

Hi.


Since the upgrade to 5.1.2-1 the plugin, while still appearing in the
add-ons list (and marked enabled there), no longer seems to work.
Its "icons/menus/etc" disappeared and cannot be added back again.

It does seem to appear on fresh profiles and it works again with the existing
profiles when downgrading to 5.0.10-1.

Any ideas?

tag security, since all scripts seem to be now allowed.

Cheers,
Chris.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xul-ext-noscript depends on:
ii  firefox    56.0-2
ii  iceweasel  100

xul-ext-noscript recommends no packages.

xul-ext-noscript suggests no packages.

-- Configuration Files:
/etc/iceweasel/searchplugins/common/opensearch_html.xml [Errno 2] No such file or directory: '/etc/iceweasel/searchplugins/common/opensearch_html.xml'

-- no debconf information
--- End Message ---
--- Begin Message ---
On Thu, 2018-03-01 at 08:17 -0500, Daniel Kahn Gillmor wrote:
> isn't this due to not having the webext version packaged?
No, that was before Mozilla chose to break all addons ^^


On Thu, 2018-03-01 at 08:18 -0500, Daniel Kahn Gillmor wrote:
> fwiw, xul-ext-noscript 5.1.7-1 works for me with firefox-esr
> 52.6.0esr-2+b1.
It does indeed still work with 52 (but didn't with 56, for which I
reported the bug)... but since 56 is out of Debian, and the current
non-esr broke the XUL-addon anyway, I can just close the bug.


Thanks,
Chris.
--- End Message ---

[Pkg-mozext-maintainers] Bug#878695: Bug#878695: xul-ext-noscript: no longer works on existing profiles since last update

2018-03-01 Thread Daniel Kahn Gillmor
On Thu 2018-03-01 08:17:07 -0500, Daniel Kahn Gillmor wrote:
> On Sun 2017-10-15 23:25:16 +0200, Christoph Anton Mitterer wrote:
>> Package: xul-ext-noscript
>> Version: 5.1.2-1
>> Severity: grave
>> Tags: security
>> Justification: renders package unusable
>
>> Versions of packages xul-ext-noscript depends on:
>> ii  firefox56.0-2
>
> isn't this due to not having the webext version packaged?  perhaps this
> could be merged with #882287.

fwiw, xul-ext-noscript 5.1.7-1 works for me with firefox-esr
52.6.0esr-2+b1.

--dkg
