Bug#790498: iceweasel: upgrading from jessie makes all passwords in the password manager invalid

Török Edwin edwin at etorok.net
Mon Jun 29 20:28:02 UTC 2015 

Package: iceweasel
Version: 38.0.1-5
Severity: grave
Justification: causes non-serious data loss

Dear Maintainer,

I have upgraded Iceweasel from jessie (31.7.0esr-1~deb8u1) to testing and
suddenly none of my saved passwords worked, and the password manager doesn't
even show all the websites
that have stored passwords in the jessie version.

I am still able to login to my websites if I manually type in the correct
password (and tell iceweasel to save the updated passwords),
however using the prefilled passwords doesn't work, and looking up the
passwords in the password manager and pressing show password
reveals the wrong password.

When I press show passwords most passwords look like base64 (a-zA-Z0-9+/)
whereas the original passwords had a combination of alphanumeric and symbols.

If I downgrade to the version in jessie then the passwords work correctly again
(including the ones overwritten by the testing version of iceweasel).

I tried to create a new account just for the purpose of testing this bug, but
the site and associated password doesn't show up at all when upgrading
iceweasel (and is visible again when downgrading),
haven't figured out so far what makes a site/user/password "survive" the
upgrade.

I've marked the bug as 'causes data loss', because initially that is what I
thought happened when none of the passwords worked, and I'm still not sure how
safe the data in the password manager is
across upgrades/downgrades (so far downgrading has restored all passwords, but
I can't be sure it'll stay that way).






-- Package-specific info:

-- Extensions information
Name: Certificate Patrol
Location: ${PROFILE_EXTENSIONS}/CertPatrol at PSYC.EU.xpi
Status: enabled

Name: Click-to-Play Manager
Location: ${PROFILE_EXTENSIONS}/click-to-play-manager at xulforge.com.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: It's All Text!
Location: ${PROFILE_EXTENSIONS}/itsalltext at docwhat.gerf.org
Status: enabled

Name: Live HTTP headers
Location: ${PROFILE_EXTENSIONS}/{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
Status: enabled

Name: uBlock Origin
Location: ${PROFILE_EXTENSIONS}/uBlock0 at raymondhill.net.xpi
Status: enabled

-- Plugins information

-- Addons package information
ii  iceweasel      38.0.1-5     amd64        Web browser based on Firefox

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages iceweasel depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-18
ii  libcairo2                 1.14.0-2.1
ii  libdbus-1-3               1.8.18-0+deb8u1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-3
ii  libgcc1                   1:4.9.2-10
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.42.1-1
ii  libgtk2.0-0               2.24.25-3
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.7-1
ii  libnss3                   2:3.17.2-1.1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.7.1-1+deb8u1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libvpx2                   1.4.0-4
ii  libx11-6                  2:1.6.2-3
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.4-2

Versions of packages iceweasel suggests:
ii  fonts-mathjax          2.4-2
ii  fonts-oflb-asana-math  000.907-6
ii  fonts-stix [otf-stix]  1.1.1-1
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-19
pn  mozplugger             <none>

-- no debconf information

More information about the pkg-mozilla-maintainers mailing list