Onion Browser Button extension for IceCat is insecure

Hi dear Fedora officials! In my previous post here I described Fedora as one of the most secure distros - see:
https://discussion.fedoraproject.org/t/open-thankfull-message-for-fedora-project-developers-team-packagers-with-suggestions/7664/4

However, there is something very, very bad that breaks my previous opinion - I wish I were wrong! See this bug that I already opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1842171

Its post date is 30 \ 5 \ 2020

I was surprised that the defective add-on was still maintained all this time …

Today, I received a new post informing me that the GNU foundation already removed the defective add-on from IceCat - see the last comment in the bug above - below is a copy/paste of it:
Oyvind Saether 2020-09-08 22:52:15 UTC

The Onion Browser Button extension from 2010 has been removed upstream because it is wildly insecure, it doesn’t do what it is supposed to do and it tells you that you’re connected to Tor when you’re not.

Fedora should remove it from the IceCat build it ships ASAP, see

Moreover, I was shocked by what I read in the link given by the poster - see the following link:

It talks badly about our distro (Fedora) and puts a question mark over its security practices!! Below I will copy/paste the text:

GNU IceCat used to bundle an additional extension called “Onion Browser Button” which claimed to allow you to “Easily browse the internet using TOR proxy with just one click!”. It didn’t, it would claim to enable Tor and do absolutely nothing beyond claiming Tor was enabled.

The bundled “Onion Browser Button” extension, last updated in 2010, was finally removed from the GNU IceCat git repository in June 2020 after it had been included in a broken state for half a decade. Several GNU/Linux distributions, including Fedora 32 and 33, still ship this totally useless and outright dangerous extension with their GNU IceCat builds. That is a total scandal. The reason it is such a scandal is that the long-broken “Onion Browser Button” extension will tell end-users that they are using the Tor network to anonymously connect to the website they visit when they are, in fact, not.

We can only hope that distributions get a clue and eradicate the long-broken useless “Onion Browser Button” extension from their builds. The Fedora GNU IceCat maintainer appears to have problems getting a clue if IBM/RedHat bug #1842171 is any indication, he seems to think that a GUI telling users they are using Tor when they aren’t isn’t a gigantic security issue. That indicates that one may want to ask some hard questions about Fedora’s security practices.

Please act urgently … Most importantly, you should investigate whether the Fedora maintainer of GNU IceCat maintains this security risk INTENTIONALLY or not??

Thank you for your attention!

1 Like
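The quoted article's point is that the extension's UI said "Tor enabled" while the browser's actual proxy configuration was untouched. As an added illustration (not code from the thread, IceCat, or the extension), the check below reads Firefox/IceCat `prefs.js` lines and reports whether a manual SOCKS5 proxy to a local Tor port is really configured. The `extensions.onionbutton.enabled` key and both sample prefs files are constructed for this example; the `network.proxy.*` keys and the Tor SOCKS ports 9050/9150 are the real Firefox/Tor values.

```python
import re
from typing import Dict, Union

# Constructed sample 1: what an extension that only flips its own flag leaves
# behind. The extension key is hypothetical; the proxy type is still 0 (none).
SAMPLE_PREFS_NO_PROXY = '''\
user_pref("extensions.onionbutton.enabled", true);
user_pref("network.proxy.type", 0);
'''

# Constructed sample 2: a prefs.js that genuinely routes through a local tor
# daemon (SOCKS5, port 9050) and resolves DNS through the proxy as well.
SAMPLE_PREFS_TOR = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
TOR_SOCKS_PORTS = (9050, 9150)  # tor daemon default, Tor Browser default


def parse_prefs(text: str) -> Dict[str, Union[bool, int, str]]:
    """Parse user_pref(...) lines into a dict of key -> bool/int/str."""
    prefs: Dict[str, Union[bool, int, str]] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw.strip('"')
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def tor_proxy_status(prefs: Dict[str, Union[bool, int, str]]) -> str:
    """Describe what the proxy prefs actually do, ignoring any add-on flag."""
    if prefs.get("network.proxy.type", 5) != 1:  # Firefox default 5 = system
        return "no manual proxy configured"
    host = prefs.get("network.proxy.socks", "")
    port = prefs.get("network.proxy.socks_port", 0)
    if host not in ("127.0.0.1", "localhost") or port not in TOR_SOCKS_PORTS:
        return f"SOCKS proxy {host}:{port} is not a local Tor SOCKS port"
    if prefs.get("network.proxy.socks_version", 5) != 5:
        return "SOCKS version is not 5; Tor requires SOCKS5"
    if not prefs.get("network.proxy.socks_remote_dns", False):
        return "SOCKS5 to local Tor port, but DNS is not proxied (hostname leak)"
    return "SOCKS5 to local Tor port with remote DNS"
```

Running `tor_proxy_status(parse_prefs(...))` on a real profile's `prefs.js` is the check a user can do regardless of what any toolbar button claims.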

I don’t use icecat and I don’t follow its development. How does it work: was such an extension in the icecat sources (bundled), or is it up to a Linux distribution packager to include it?

BTW I see that 68.10 was released upstream on June 30, 68.11 on July 27 and 68.12 on August 25. In Fedora, the 68.11 package was submitted roughly a month ago and 68.12 circa two weeks ago.
In addition, as far as I can see, Fedora 33 currently ships Icecat 78.2
If upstream removed such bundled extension with the June release (68.10), are you saying that the Fedora maintainer is still including it in the Fedora package? One of the Fedora guidelines for packagers is to stay close to upstream sources and decisions without adding any unnecessary patch.

2 Likes

Hi @alciregi
I’m on Fedora 32 X64 bit Cinnamon edition with IceCat installed from official Fedora repository.
IceCat on my system is version 68.12.0esr (X64 bit) & still has the insecure, risky add-on! And as you mentioned, upstream released version 68.12 on the 25th of Aug, so yes, the Fedora maintainer is still keeping this risky add-on in version 68.12! That is why I posted this issue.

Mmm. :thinking: @FranciscoD you have more experiences than me in packaging.
In reality, Icecat sources in the RPM spec file are not grabbed from the GNU repository but from a modified one on gitlab owned by the Icecat package maintainer (and it seems that he continues to include the mentioned extension). Is this allowed?

2 Likes

Removed today, Commit - rpms/icecat - 098e69f05f2224099180c5e45b4c3fa4eae96799 - src.fedoraproject.org

4 Likes

It isn’t prohibited, but it is only done when necessary—usually when the source bundles some non-free bits that we need to remove before uploading it to the look aside cache.

Ah, great. I’d like to note that this happened because someone commented on a bug to let the maintainer know that the extension was no longer to be used:

Comment 15

So, in short, contacting the maintainer directly is much much quicker :slight_smile:

2 Likes

@alciregi
@grumpey
@FranciscoD
Thank you all for fixing this, & I hope that the maintainer pushes a new updated package to correct this in the binaries too, not only in the source code …

But 2 notes:

  1. the maintainer of IceCat for Fedora should be more careful & alert about such changes … It seems that he does not always look at the original repository of IceCat, so the change escaped his eyes. This should not happen again …
  2. the package from GNU does not contain non-free code! In fact, the GNU foundation created IceCat from Firefox for nothing other than to remove the non-free code used by the original Firefox. So, why is the maintainer not using the official GNU repository of IceCat?!

Best regards.

I am glad this issue got solved quickly.

Gnu wrote:

While the Firefox source code from the Mozilla project is free software, they distribute and recommend nonfree software as plug-ins and addons.

I would like to learn what non-free codecs are included in Firefox. I can’t imagine that there are any, because if there were, FF would not be included in Fedora.

Q: Is it just about the potential distribution of non-free add-ons…?!


@nokia808, just fyi, back to the very first words of your post, there are no Fedora officials. The Fedora Project consists entirely of volunteers and the Fedora distributions are community developed and supported.

3 Likes

Again, I reiterate: you should be speaking to the maintainer, not to us. Discussing things on community forums is fine, but there are certain tasks where one should take the next step to speak to the actual point of contact. All we’ve done here is act as middle-men that made the maintainer aware of the new change. We don’t know the reasons behind their way of packaging, and so we cannot answer your questions :slight_smile:

I gave “removal of non-free codecs” as an example of when a maintainer may modify the upstream source. For icecat, please look at the spec here:

https://src.fedoraproject.org/rpms/icecat/blob/master/f/icecat.spec#_124

You can check the status of package updates yourself:
https://bodhi.fedoraproject.org/updates/?packages=icecat

3 Likes

@florian
Yes, it is about add-ons & extensions. The original Firefox allows you to install non-free add-ons & plugins & extensions … All those are prevented in IceCat unless you add them manually … When you click on add-ons in IceCat, it will direct you to a page other than the Firefox add-on page.

Also, there is additionally a license issue.

For more details see:
https://www.gnu.org/software/gnuzilla/

@FranciscoD
I contacted you just because I saw that the gap was so long for the maintainer after the removal of the insecure add-on from a version, & he had already recently pushed a version that should not have this add-on …

Sorry if I behaved in an exaggerated way, but it was so painful to me when I read the bad statement about our Fedora in the link that I already mentioned in my 1st post of this issue.

1 Like

No worries, that’s fine. I’m only highlighting that stuff gets done quicker if we use the shortest communication paths to the volunteers responsible :slight_smile:

1 Like
