Bug#959804: debian-security-support: Consider marking src:mozjs68 as "support limited"

Simon McVittie smcv at debian.org
Tue May 5 15:17:59 BST 2020


Package: debian-security-support
Version: 2020.04.16
Severity: normal
X-Debbugs-Cc: security at debian.org, mozjs68 at packages.debian.org, libproxy at packages.debian.org

mozjs68 has essentially the same security status as mozjs60, and I'm not
sure how realistic it is to expect it to be safe for use with untrusted
content. The GNOME team mainly maintains it as a dependency of gjs, where
this restriction is not a problem because the JavaScript code is fully
trusted anyway (JavaScript as an alternative to Python etc., rather than
JavaScript as a sandboxed language like its use on the web).

Note that this conflicts somewhat with the existence of
libproxy1-plugin-mozjs, which uses mozjs68 to parse proxy
autoconfiguration files; but that isn't a regression, because older
versions of libproxy1-plugin-mozjs used mozjs60 or older, which have
the same limited security support. I'm not sure whether there is any
reasonable threat model where PAC is *completely* untrusted content, but
I'm not sure whether it can be considered to be completely trusted either?

libproxy1-plugin-mozjs doesn't actually *work* in non-trivial cases
(https://github.com/libproxy/libproxy/issues/119), it has a popcon score
of 108 installations, and mozjs68 appears to be less portable than
WebKitGTK in practice, so perhaps it would make sense to just remove
that plugin.

    smcv



More information about the pkg-gnome-maintainers mailing list