Bug#555955: xulrunner-1.9.1: cookies.sqlite not cleared using sqlite secure delete when private data cleared

Josh Triplett josh at joshtriplett.org
Thu Nov 12 20:46:28 UTC 2009


Package: xulrunner-1.9.1
Version: 1.9.1.4-1
Severity: important

xulrunner now builds against sqlite with the secure deletion facility
available, and seems to securely delete data from places.sqlite when
using "Clear Recent History".  However, it does not securely delete data
from cookies.sqlite.

Steps to reproduce:

1) Either start from a new profile, or do a "Clear Recent History" with
   time range "Everything" and at least the "Cookies" box checked
   followed by running "sqlite3 cookies.sqlite vacuum"

2) Run "strings cookies.sqlite | grep -i google", and observe that no
   results appear.

3) Open Iceweasel, and visit google.com.  Close Iceweasel.

4) Run "strings cookies.sqlite | grep -i google", and observe that some
   results appear, as expected.

5) Open Iceweasel.  Do a "Clear Recent History" with time range
   "Everything" and at least the "Cookies" box checked.  Close
   Iceweasel.

6) Run "strings cookies.sqlite | grep -i google", and observe that the
   results from step 4 still appear, despite having cleared cookies.

- Josh Triplett

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xulrunner-1.9.1 depends on:
ii  libasound2             1.0.21a-1         shared library for ALSA applicatio
ii  libatk1.0-0            1.28.0-1          The ATK accessibility toolkit
ii  libbz2-1.0             1.0.5-3           high-quality block-sorting file co
ii  libc6                  2.10.1-6          GNU C Library: Shared libraries
ii  libcairo2              1.8.8-2           The Cairo 2D vector graphics libra
ii  libdbus-1-3            1.2.16-2          simple interprocess messaging syst
ii  libfontconfig1         2.6.0-4           generic font configuration library
ii  libfreetype6           2.3.11-1          FreeType 2 font engine, shared lib
ii  libgcc1                1:4.4.2-2         GCC support library
ii  libglib2.0-0           2.22.2-2          The GLib library of C routines
ii  libgtk2.0-0            2.18.3-1          The GTK+ graphical user interface 
ii  libhunspell-1.2-0      1.2.8-5           spell checker and morphological an
ii  libjpeg62              6b-15             The Independent JPEG Group's JPEG 
ii  libmozjs2d             1.9.1.4-1         The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d            4.8.2-1           NetScape Portable Runtime Library
ii  libnss3-1d             3.12.4-1          Network Security Service libraries
ii  libpango1.0-0          1.26.0-1          Layout and rendering of internatio
ii  libpng12-0             1.2.40-1          PNG library - runtime
ii  libreadline5           5.2-7             GNU readline and history libraries
ii  libsqlite3-0           3.6.20-1          SQLite 3 shared library
ii  libstartup-notificatio 0.10-1            library for program launch feedbac
ii  libstdc++6             4.4.2-2           The GNU Standard C++ Library v3
ii  libx11-6               2:1.2.2-1         X11 client-side library
ii  libxrender1            1:0.9.4-2         X Rendering Extension client libra
ii  libxt6                 1:1.0.6-1         X11 toolkit intrinsics library
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

xulrunner-1.9.1 recommends no packages.

Versions of packages xulrunner-1.9.1 suggests:
ii  xulrunner-1.9.1-gnome-support 1.9.1.4-1  Support for GNOME in xulrunner app

-- no debconf information
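
The behaviour the report checks for can be reproduced against SQLite directly. This is an added example, not part of the original report and not xulrunner's code: the `cookies` table, the host names and the `residue_after_clear` helper are constructed stand-ins, and it deletes a single row rather than running "Clear Recent History".

```python
import os
import sqlite3
import tempfile

# Constructed sample data: a host name standing in for the "google" cookie.
MARKER = "tracker.example.invalid"


def residue_after_clear(secure_delete: bool, vacuum: bool = False) -> bool:
    """Delete one cookie row, then report whether its host string is still
    present in the raw database file (what `strings | grep` would find)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cookies.sqlite")

        # Session 1: the browser stores cookies and exits.
        db = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        db.execute("CREATE TABLE cookies (id INTEGER PRIMARY KEY, host TEXT, value TEXT)")
        db.executemany(
            "INSERT INTO cookies (host, value) VALUES (?, ?)",
            [("keep-a.invalid", "1"), (MARKER, "sid=abc"), ("keep-b.invalid", "2")],
        )
        db.close()

        # Session 2: the cookie is cleared. secure_delete is a per-connection
        # setting, so it is set explicitly rather than relying on the build default.
        db = sqlite3.connect(path, isolation_level=None)
        db.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        db.execute("DELETE FROM cookies WHERE host = ?", (MARKER,))
        if vacuum:
            db.execute("VACUUM")  # rebuilds the file, dropping freed space
        db.close()

        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("secure_delete=OFF         :", residue_after_clear(False))
    print("secure_delete=ON          :", residue_after_clear(True))
    print("secure_delete=OFF + VACUUM:", residue_after_clear(False, vacuum=True))
```

The check reads only the database file itself, as the `strings` step in the report does.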




