Bug#775755: marked as done (Logs usernames filled into login dialogs)

[Debian Bug Tracking System]

Your message dated Tue, 20 Jan 2015 12:01:59 +0900
with message-id <20150120030159.ga5...@glandium.org>
and subject line Re: Bug#775755: Logs usernames filled into login dialogs
has caused the Debian Bug report #775755,
regarding Logs usernames filled into login dialogs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775755: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775755
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: iceweasel
Version: 32.0-1
Severity: important
Tags: security

iceweasel seems to have some kind of debugging message that logs values filled
in by the password manager, producing lines like these:

Jan 19 08:35:10 thin iceweasel.desktop[21101]: field value:
Jan 19 08:35:10 thin iceweasel.desktop[21101]: selectedLogin value: 
j...@joshtriplett.org
Jan 19 08:35:14 thin iceweasel.desktop[21101]: field value: 
j...@joshtriplett.org
Jan 19 08:35:14 thin iceweasel.desktop[21101]: selectedLogin value: 
j...@joshtriplett.org

- Josh Triplett

-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Default theme
Location: 
/usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: HTTPS-Everywhere
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/https-everywh...@eff.org
Package: xul-ext-https-everywhere
Status: enabled

Name: It's All Text!
Location: 
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/itsallt...@docwhat.gerf.org
Package: xul-ext-itsalltext
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled


-- Addons package information
ii  gnome-shell    3.14.2-3+b1  amd64        graphical shell for the GNOME des
ii  iceweasel      32.0-1       amd64        Web browser based on Firefox
ii  rhythmbox-plug 3.1-1        amd64        plugins for rhythmbox music playe
ii  xul-ext-adbloc 2.6.6+dfsg-1 all          advertisement blocking extension 
ii  xul-ext-https- 4.0.2-3      all          extension to force the use of HTT
ii  xul-ext-itsall 1.8.1-2      all          extension to edit textareas using

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.18.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-13
ii  libcairo2                 1.14.0-2.1
ii  libdbus-1-3               1.8.14-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-2
ii  libgcc1                   1:4.9.2-10
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.42.1-1
ii  libgtk2.0-0               2.24.25-1
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.7-1
ii  libnss3                   2:3.17.2-1.1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.7.4-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libvpx1                   1.3.0-3
ii  libx11-6                  2:1.6.2-3
ii  libxext6                  2:1.3.3-1
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-8
ii  zlib1g                    1:1.2.8.dfsg-2+b1

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-16
pn  mozplugger             <none>

-- no debconf information

--- End Message ---

--- Begin Message ---

Version: 33.0-1

On Mon, Jan 19, 2015 at 06:33:15PM -0800, Josh Triplett wrote:
> On Tue, Jan 20, 2015 at 11:19:06AM +0900, Mike Hommey wrote:
> > On Mon, Jan 19, 2015 at 05:56:46PM -0800, Josh Triplett wrote:
> > > On Tue, Jan 20, 2015 at 10:39:21AM +0900, Mike Hommey wrote:
> > > > On Mon, Jan 19, 2015 at 05:05:48PM -0800, Josh Triplett wrote:
> > > > > On Tue, Jan 20, 2015 at 07:56:16AM +0900, Mike Hommey wrote:
> > > > > > On Mon, Jan 19, 2015 at 08:38:07AM -0800, Josh Triplett wrote:
> > > > > > > Package: iceweasel
> > > > > > > Version: 32.0-1
> > > > > > > Severity: important
> > > > > > > Tags: security
> > > > > > > 
> > > > > > > iceweasel seems to have some kind of debugging message that logs 
> > > > > > > values filled
> > > > > > > in by the password manager, producing lines like these:
> > > > > > > 
> > > > > > > Jan 19 08:35:10 thin iceweasel.desktop[21101]: field value:
> > > > > > > Jan 19 08:35:10 thin iceweasel.desktop[21101]: selectedLogin 
> > > > > > > value: j...@joshtriplett.org
> > > > > > > Jan 19 08:35:14 thin iceweasel.desktop[21101]: field value: 
> > > > > > > j...@joshtriplett.org
> > > > > > > Jan 19 08:35:14 thin iceweasel.desktop[21101]: selectedLogin 
> > > > > > > value: j...@joshtriplett.org
> > > > > > 
> > > > > > What if you turn javascript.options.showInConsole to false?
> > > > > 
> > > > > No change; all of those messages still appear.
> > > > 
> > > > Where are these showing up? for what site? Does it happen if you
> > > > downgrade to 31 or upgrade to 35?
> > > 
> > > Any site for which I have a username and password remembered in the
> > > password manager.  gandi.net, patreon.com, twitter.com, ...
> > > 
> > > It doesn't seem to happen in 35.
> > 
> > Does it happen with 31? I can't reproduce with either version, and you
> > still didn't tell where that log is showing up?
> 
> I'd prefer not to downgrade Firefox; I've encountered non-trivial
> problems with my profile when I've done so in the past.
> 
> And when you said "Where are these showing up?", I thought you meant
> "where on the web", which I answered; I didn't realize you meant "what
> log".
> 
> They show up in Firefox's stdout or stderr.  Once upon a time they would
> have ended up in .xsession-errors; now they end up in user.log and the
> journal.
> 
> A quick search for "field value" and "selectedLogin value" shows other
> reports of firefox producing this output.

It also brings to https://bugzilla.mozilla.org/show_bug.cgi?id=1070777
and looking at the code in question, it shows it was added to Firefox 32
and removed in Firefox 33.

Mike

--- End Message ---