Package: libproxy1-plugin-mozjs
Version: 0.4.15-13
Severity: important
Tags: patch upstream
Forwarded: https://github.com/libproxy/libproxy/issues/119

I made the mistake of trying to add an autopkgtest to libproxy1-plugin-mozjs, which revealed that it does not, in fact, work. At least when compiled with recent toolchains, the URL and host passed to FindProxyForURL() are corrupted due to a use-after-free, which makes the JavaScript proxy autoconfiguration unable to express anything that couldn't be done in a much simpler way with static proxy configuration.

I sent a patch upstream. However, this plugin has a popcon of 108 installations (compared with 27K for its webkit counterpart), wasn't shipped in buster, and I don't think we consider mozjs68 to be safe for use with untrusted content (although PAC is probably at least semi-trusted in any reasonable threat model); so perhaps it should just be removed instead?

    smcv
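
The kind of check a regression test for this plugin could make, as an added example that is not part of the original report or of libproxy: a canary PAC script whose answer depends on both arguments, plus a small harness that flags a resolver whose arguments arrive damaged. The hostnames, proxy names, `checkResolver` and the two stand-in resolvers are assumptions made for illustration, and the canary handles plain hostnames only (no userinfo or IPv6 literals).

```javascript
// Canary PAC: answers per host only when url and host agree with each other;
// otherwise returns a sentinel that a test can detect. Names are constructed.
function FindProxyForURL(url, host) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#]+)/i.exec(url);
  if (!m || m[1].toLowerCase() !== String(host).toLowerCase()) {
    return "PROXY corrupted-arguments.invalid:1";
  }
  if (host === "intranet.example") return "DIRECT";
  if (/\.example\.org$/.test(host)) return "PROXY proxy-a.example:3128";
  return "PROXY proxy-b.example:8080";
}

// Expected decisions for constructed test URLs.
const CASES = [
  ["http://intranet.example/wiki", "DIRECT"],
  ["https://www.example.org:8443/a?b=c", "PROXY proxy-a.example:3128"],
  ["http://other.example.net/", "PROXY proxy-b.example:8080"],
];

// resolve(url) is whatever asks the PAC engine under test for a proxy.
// Returns the cases whose answer differs from the expected one.
function checkResolver(resolve, cases) {
  const failures = [];
  for (const [url, expected] of cases) {
    const got = resolve(url);
    if (got !== expected) failures.push({ url, expected, got });
  }
  return failures;
}

// Stand-in for a healthy engine: passes the URL and its hostname unchanged.
const faithful = (url) => FindProxyForURL(url, new URL(url).hostname);

// Stand-in for the failure mode in the report: the arguments arrive as garbage.
// The garbage strings are constructed; the real corruption pattern is not shown here.
const corrupting = (_url) => FindProxyForURL("\u0000\u00fe\u00fe", "\u0000");
```

With a static-only PAC (one that ignores `url` and `host`) the damage would go unnoticed, which is why the canary makes every decision depend on both arguments.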