Bug 1582116 - firefox exposes private libraries in Provides:
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: firefox
Version: rawhide
Assignee: Jan Horak
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-24 09:26 UTC by Dominik 'Rathann' Mierzejewski
Modified: 2022-12-12 15:11 UTC (History)

Fixed In Version: firefox-84.0-7.fc34 firefox-105.0.2-1.fc38
Last Closed: 2021-02-09 18:33:02 UTC
Type: Bug
bcotton: fedora_prioritized_bug+



Description Dominik 'Rathann' Mierzejewski 2018-05-24 09:26:59 UTC
Description of problem:
Firefox exposes private libraries from %{_libdir}/firefox in package metadata. These should be filtered from both Provides: and Requires:

Version-Release number of selected component (if applicable):
firefox-60.0-4.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ls -1 /usr/lib64/firefox/lib*.so
2. rpm -q --provides firefox | egrep 'lib(gpllibs|moz(avcodec|avutil|gtk|sandbox)|xul)'
3. rpm -qR firefox | egrep 'lib(gpllibs|moz(avcodec|avutil|gtk|sandbox)|xul)'

Actual results:
$ ls -1 /usr/lib64/firefox/lib*.so
/usr/lib64/firefox/liblgpllibs.so
/usr/lib64/firefox/libmozavcodec.so
/usr/lib64/firefox/libmozavutil.so
/usr/lib64/firefox/libmozgtk.so
/usr/lib64/firefox/libmozsandbox.so
/usr/lib64/firefox/libxul.so
$ rpm -q --provides firefox | egrep 'lib(gpllibs|moz(avcodec|avutil|gtk|sandbox)|xul)'
libmozavcodec.so()(64bit)
libmozavutil.so()(64bit)
libmozgtk.so()(64bit)
libmozsandbox.so()(64bit)
libxul.so()(64bit)
libxul.so(xul60)(64bit)
$ rpm -qR firefox | egrep 'lib(gpllibs|moz(avcodec|avutil|gtk|sandbox)|xul)'
libmozavutil.so()(64bit)
libmozgtk.so()(64bit)
libmozsandbox.so()(64bit)
libxul.so()(64bit)
libxul.so(xul60)(64bit)

Expected results:
The above rpm -q --provides/--requires output should be empty.

Additional info:
https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering

Comment 1 Ben Cotton 2019-05-02 20:30:07 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 2 Dominik 'Rathann' Mierzejewski 2019-05-07 12:00:35 UTC
Still an issue on F29:
$ rpm -q firefox
firefox-66.0.3-1.fc29.x86_64
$ rpm -q --provides firefox | grep \.so
libclearkey.so()(64bit)
liblgpllibs.so()(64bit)
libmozavcodec.so()(64bit)
libmozavcodec.so(libmozavcodec.so)(64bit)
libmozavutil.so()(64bit)
libmozavutil.so(libmozavutil.so)(64bit)
libmozgtk.so()(64bit)
libmozsandbox.so()(64bit)
libmozsqlite3.so()(64bit)
libmozsqlite3.so(libmozsqlite3.so)(64bit)
libmozwayland.so()(64bit)
libxul.so()(64bit)
libxul.so(xul66)(64bit)

Comment 3 Dominik 'Rathann' Mierzejewski 2019-09-03 12:40:38 UTC
Still an issue on F30, too:
$ rpm -q firefox
firefox-68.0.2-1.fc30.x86_64
$ rpm -q --provides firefox | grep \.so
libclearkey.so()(64bit)
liblgpllibs.so()(64bit)
libmozavcodec.so()(64bit)
libmozavcodec.so(libmozavcodec.so)(64bit)
libmozavutil.so()(64bit)
libmozavutil.so(libmozavutil.so)(64bit)
libmozgtk.so()(64bit)
libmozsandbox.so()(64bit)
libmozsqlite3.so()(64bit)
libmozsqlite3.so(libmozsqlite3.so)(64bit)
libmozwayland.so()(64bit)
libxul.so()(64bit)
libxul.so(xul68)(64bit)

Comment 4 Dominik 'Rathann' Mierzejewski 2020-04-16 13:22:18 UTC
Still an issue on F31:
$ rpm -q firefox
firefox-75.0-1.fc31.x86_64
$ rpm -q --provides firefox | grep \.so
libclearkey.so()(64bit)
liblgpllibs.so()(64bit)
libmozavcodec.so()(64bit)
libmozavcodec.so(libmozavcodec.so)(64bit)
libmozavutil.so()(64bit)
libmozavutil.so(libmozavutil.so)(64bit)
libmozgtk.so()(64bit)
libmozsandbox.so()(64bit)
libmozsqlite3.so()(64bit)
libmozsqlite3.so(libmozsqlite3.so)(64bit)
libmozwayland.so()(64bit)
libxul.so()(64bit)
libxul.so(xul75)(64bit)

Comment 5 Ben Cotton 2020-11-03 15:00:55 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Dominik 'Rathann' Mierzejewski 2020-11-04 11:11:54 UTC
Still not fixed.

Comment 7 Fedora Update System 2020-12-21 18:37:35 UTC
FEDORA-2020-77631a1fea has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Miro Hrončok 2020-12-25 23:55:46 UTC
The fix was reverted because it was wrong (it caused failures to install). Reopening.

Comment 9 Miro Hrončok 2021-01-04 09:42:20 UTC
I'm nominating this as a prioritized bug.

While normally the impact is minimal, the fact that firefox does not filter out private libraries from provides caused a distro-wide breakage in bz1908791 when a certain library was bundled.

This has a huge potential to break the distro in the future again. Some comments in bz1908791 are about the filtering.

Comment 10 Ben Cotton 2021-01-12 15:45:04 UTC
This bug will be discussed at the Fedora Prioritized Bugs meeting on 2021-01-13 at 1600 UTC in #fedora-meeting
https://apps.fedoraproject.org/calendar/base/#m9788

Comment 12 Jan Horak 2021-01-28 07:34:51 UTC
Should be fixed by firefox-85.0-4 and higher.

Comment 13 Miro Hrončok 2021-01-28 09:49:15 UTC
Does it not miss some actual requires?

$ diff -u <(rpm -qp --requires firefox-84.0.2-2.fc34.i686.rpm | sort | uniq) <(rpm -qp --requires firefox-85.0-4.fc34.i686.rpm | sort | uniq) 
--- /dev/fd/63	2021-01-28 10:48:43.900131134 +0100
+++ /dev/fd/62	2021-01-28 10:48:43.901131136 +0100
@@ -8,175 +8,54 @@
 libc.so.6
 libc.so.6(GLIBC_2.0)
 libc.so.6(GLIBC_2.1)
-libc.so.6(GLIBC_2.10)
-libc.so.6(GLIBC_2.11)
-libc.so.6(GLIBC_2.1.2)
 libc.so.6(GLIBC_2.1.3)
-libc.so.6(GLIBC_2.15)
 libc.so.6(GLIBC_2.17)
-libc.so.6(GLIBC_2.18)
-libc.so.6(GLIBC_2.2)
 libc.so.6(GLIBC_2.2.4)
-libc.so.6(GLIBC_2.27)
-libc.so.6(GLIBC_2.28)
 libc.so.6(GLIBC_2.3)
 libc.so.6(GLIBC_2.3.2)
-libc.so.6(GLIBC_2.32)
-libc.so.6(GLIBC_2.3.3)
 libc.so.6(GLIBC_2.33)
 libc.so.6(GLIBC_2.3.4)
 libc.so.6(GLIBC_2.4)
 libc.so.6(GLIBC_2.7)
-libc.so.6(GLIBC_2.8)
-libc.so.6(GLIBC_2.9)
-libdbus-glib-1.so.2
-libdbus-1.so.3
-libdbus-1.so.3(LIBDBUS_1_3)
 libdl.so.2
 libdl.so.2(GLIBC_2.0)
 libdl.so.2(GLIBC_2.1)
-libfdk-aac.so.2
-libffi.so.6
-libfontconfig.so.1
-libfreetype.so.6
 libgcc_s.so.1
 libgcc_s.so.1(GCC_3.0)
-libgcc_s.so.1(GCC_3.3)
-libgcc_s.so.1(GCC_3.4)
-libgcc_s.so.1(GCC_4.0.0)
 libgcc_s.so.1(GLIBC_2.0)
 libgdk_pixbuf-2.0.so.0
-libgdk-x11-2.0.so.0
 libgdk-3.so.0
 libgio-2.0.so.0
 libglib-2.0.so.0
 libgobject-2.0.so.0
 libgthread-2.0.so.0
-libgtk-x11-2.0.so.0
 libgtk-3.so.0
 libharfbuzz.so.0
-liblgpllibs.so
-libmozavutil.so
-libmozavutil.so(libmozavutil.so)
-libmozgtk.so
-libmozsandbox.so
-libmozsqlite3.so
-libmozsqlite3.so(libmozsqlite3.so)
-libmozwayland.so
 libm.so.6
 libm.so.6(GLIBC_2.0)
-libm.so.6(GLIBC_2.1)
-libm.so.6(GLIBC_2.2)
-libm.so.6(GLIBC_2.27)
-libm.so.6(GLIBC_2.29)
 libnspr4.so
-libnssutil3.so
-libnssutil3.so(NSSUTIL_3.12)
-libnssutil3.so(NSSUTIL_3.12.3)
-libnssutil3.so(NSSUTIL_3.12.5)
-libnssutil3.so(NSSUTIL_3.13)
-libnss3.so
-libnss3.so(NSS_3.10)
-libnss3.so(NSS_3.10.2)
-libnss3.so(NSS_3.11)
-libnss3.so(NSS_3.11.2)
-libnss3.so(NSS_3.12)
-libnss3.so(NSS_3.12.3)
-libnss3.so(NSS_3.12.4)
-libnss3.so(NSS_3.12.5)
-libnss3.so(NSS_3.13)
-libnss3.so(NSS_3.13.2)
-libnss3.so(NSS_3.15)
-libnss3.so(NSS_3.16.1)
-libnss3.so(NSS_3.16.2)
-libnss3.so(NSS_3.19)
-libnss3.so(NSS_3.2)
-libnss3.so(NSS_3.21)
-libnss3.so(NSS_3.22)
-libnss3.so(NSS_3.3)
-libnss3.so(NSS_3.30)
-libnss3.so(NSS_3.4)
-libnss3.so(NSS_3.44)
-libnss3.so(NSS_3.45)
-libnss3.so(NSS_3.47)
-libnss3.so(NSS_3.5)
-libnss3.so(NSS_3.55)
-libnss3.so(NSS_3.6)
-libnss3.so(NSS_3.7)
-libnss3.so(NSS_3.8)
-libnss3.so(NSS_3.9)
-libnss3.so(NSS_3.9.2)
-libnss3.so(NSS_3.9.3)
 libpangocairo-1.0.so.0
-libpangoft2-1.0.so.0
 libpango-1.0.so.0
 libplc4.so
 libplds4.so
 libpthread.so.0
 libpthread.so.0(GLIBC_2.0)
 libpthread.so.0(GLIBC_2.1)
-libpthread.so.0(GLIBC_2.12)
-libpthread.so.0(GLIBC_2.2)
 libpthread.so.0(GLIBC_2.3.2)
 libpthread.so.0(GLIBC_2.3.3)
-librt.so.1
-librt.so.1(GLIBC_2.2)
-libsmime3.so
-libsmime3.so(NSS_3.13)
-libsmime3.so(NSS_3.16)
-libsmime3.so(NSS_3.2)
-libsmime3.so(NSS_3.4)
-libssl3.so
-libssl3.so(NSS_3.12.6)
-libssl3.so(NSS_3.13)
-libssl3.so(NSS_3.13.2)
-libssl3.so(NSS_3.14)
-libssl3.so(NSS_3.15)
-libssl3.so(NSS_3.15.4)
-libssl3.so(NSS_3.2)
-libssl3.so(NSS_3.21)
-libssl3.so(NSS_3.22)
-libssl3.so(NSS_3.23)
-libssl3.so(NSS_3.27)
-libssl3.so(NSS_3.28)
-libssl3.so(NSS_3.30.0.1)
-libssl3.so(NSS_3.33)
-libssl3.so(NSS_3.4)
 libstdc++.so.6
 libstdc++.so.6(CXXABI_1.3)
-libstdc++.so.6(CXXABI_1.3.5)
 libstdc++.so.6(GLIBCXX_3.4)
 libstdc++.so.6(GLIBCXX_3.4.11)
-libstdc++.so.6(GLIBCXX_3.4.14)
-libstdc++.so.6(GLIBCXX_3.4.15)
-libstdc++.so.6(GLIBCXX_3.4.18)
 libstdc++.so.6(GLIBCXX_3.4.20)
 libstdc++.so.6(GLIBCXX_3.4.21)
-libstdc++.so.6(GLIBCXX_3.4.22)
 libstdc++.so.6(GLIBCXX_3.4.26)
 libstdc++.so.6(GLIBCXX_3.4.29)
 libstdc++.so.6(GLIBCXX_3.4.9)
-libxcb-shm.so.0
-libxcb.so.1
-libXcomposite.so.1
-libXcursor.so.1
-libXdamage.so.1
-libXext.so.6
-libXfixes.so.3
-libXi.so.6
-libXrender.so.1
-libXt.so.6
-libxul.so
-libxul.so(xul84)
-libX11.so.6
-libX11-xcb.so.1
 libz.so.1
-libz.so.1(ZLIB_1.2.0)
-libz.so.1(ZLIB_1.2.3.4)
-libz.so.1(ZLIB_1.2.9)
 mozilla-filesystem
 nspr >= 4.21
-nss >= 3.59
+nss >= 3.60
 p11-kit-trust
 rpmlib(BuiltinLuaScripts) <= 4.2.2-1
 rpmlib(CompressedFileNames) <= 3.0.4-1
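
Review bot: the removed lines go well beyond the private sonames this bug is about. Next to `-libxul.so`, `-libmozgtk.so` and the other libraries from %{_libdir}/firefox, the hunk also drops `-libnss3.so`, `-libX11.so.6` and `-libdbus-1.so.3`, plus many versioned libc.so.6 and libstdc++.so.6 entries, none of which appear in the private library list in the description. The Requires filter should exclude only the sonames shipped in the private directory, so that the remaining library dependencies stay in the package metadata.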



(Using i686 because that arch succeeded already.)
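
A check for both failure modes seen in this thread, private sonames leaking into the metadata (the description) and a filter that also removes real library Requires (comment 13), as an added example that is not part of the bug report or the Fedora spec file. The function names are made up for illustration and the sample lists are constructed, abridged from the output quoted above.

```sh
#!/bin/sh
# Private sonames: the files the report lists under /usr/lib64/firefox.
PRIVATE_SONAMES="liblgpllibs.so libmozavcodec.so libmozavutil.so libmozgtk.so libmozsandbox.so libxul.so"

# Constructed samples, abridged from the rpm output quoted in this bug.
SAMPLE_PROVIDES='firefox = 60.0-4.fc28
libmozgtk.so()(64bit)
libxul.so(xul60)(64bit)'
OLD_REQUIRES='libc.so.6(GLIBC_2.17)
libc.so.6(GLIBC_2.28)
libnss3.so(NSS_3.55)
libX11.so.6
libmozgtk.so
libxul.so(xul84)
nss >= 3.59'
NEW_REQUIRES='libc.so.6(GLIBC_2.17)
nss >= 3.60'

# Reduce "libxul.so(xul60)(64bit)" or "nss >= 3.59" to the bare name.
soname() { printf '%s\n' "${1%%[( ]*}"; }

is_private() {
  for p in $PRIVATE_SONAMES; do
    if [ "$1" = "$p" ]; then return 0; fi
  done
  return 1
}

# Failure mode 1: private sonames still present in Provides/Requires.
leaked_private() {   # $1 = dependency list, one entry per line
  printf '%s\n' "$1" | while IFS= read -r dep; do
    if is_private "$(soname "$dep")"; then printf '%s\n' "$dep"; fi
  done
}

# Failure mode 2: a filter that also drops non-private library Requires.
dropped_system_deps() {   # $1 = Requires before the filter, $2 = after
  printf '%s\n' "$1" | while IFS= read -r dep; do
    so=$(soname "$dep")
    case $so in *.so|*.so.*) ;; *) continue ;; esac   # library deps only
    if is_private "$so"; then continue; fi            # removing these is intended
    if ! printf '%s\n' "$2" | grep -Fxq -- "$dep"; then printf '%s\n' "$dep"; fi
  done
}

echo "leaked private Provides:"; leaked_private "$SAMPLE_PROVIDES"
echo "over-filtered Requires:";  dropped_system_deps "$OLD_REQUIRES" "$NEW_REQUIRES"
```

Against real packages, pass the output of `rpm -q --provides firefox` or `rpm -qp --requires <file>.rpm` in place of the sample strings; both functions print nothing when the metadata is clean.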

Comment 14 Kalev Lember 2021-01-28 13:35:27 UTC
I looked a bit into this and came up with https://src.fedoraproject.org/rpms/firefox/pull-request/27 that should hopefully make the filtering a bit smarter.

Comment 15 Ben Cotton 2021-02-09 18:28:58 UTC
It looks like the PR was merged and the fix is included in recent builds. Can we close this bug or is additional work required?

Comment 16 Miro Hrončok 2021-02-09 18:33:02 UTC
I think this is fixed. Thanks, Kalev.

Comment 17 Kalev Lember 2021-02-09 20:10:18 UTC
No problem!

Comment 18 Fedora Update System 2022-10-05 12:46:43 UTC
FEDORA-2022-f0988ea008 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f0988ea008

Comment 19 Fedora Update System 2022-10-05 12:56:34 UTC
FEDORA-2022-f0988ea008 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

