Debian Bug report logs - #786909
chromium: unconditionally downloads binary blob

Package: chromium; Maintainer for chromium is Debian Chromium Team <chromium@packages.debian.org>; Source for chromium is src:chromium (PTS, buildd, popcon).

Reported by: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>

Date: Tue, 26 May 2015 16:24:19 UTC

Severity: serious

Tags: confirmed, fixed-upstream, help, security, upstream

Found in versions chromium-browser/43.0.2357.65-1, chromium-browser/43.0.2357.65-1~deb8u1

Fixed in versions chromium-browser/43.0.2357.81-1, chromium-browser/44.0.2403.89-1~deb8u1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://code.google.com/p/chromium/issues/detail?id=491435


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Tue, 26 May 2015 16:24:24 GMT) (full text, mbox, link).


Acknowledgement sent to YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Tue, 26 May 2015 16:24:24 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 01:23:38 +0900
Package: chromium
Version: 43.0.2357.65-1
Severity: serious
Tags: security upstream
Justification: Policy 2.1.2
Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435

Dear Maintainer,

After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts downloading
"Chrome Hotword Shared Module" extension, which contains a binary without
source code. There seems to be no opt-out config.

$ chromium --temp-profile &
$ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
$ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chromium depends on:
ii  libasound2           1.0.28-1
ii  libatk1.0-0          2.16.0-2
ii  libc6                2.19-18
ii  libcairo2            1.14.2-2
ii  libcups2             1.7.5-11
ii  libdbus-1-3          1.8.18-1
ii  libexpat1            2.1.0-6+b3
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-4
ii  libgdk-pixbuf2.0-0   2.31.4-1
ii  libglib2.0-0         2.44.1-1
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk2.0-0          2.24.25-3
ii  libharfbuzz0b        0.9.40-3
ii  libjpeg62-turbo      1:1.4.0-7
ii  libnspr4             2:4.10.8-1
ii  libnss3              2:3.19-1
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpci3              1:3.2.1-3
ii  libspeechd2          0.8-7
ii  libspeex1            1.2~rc1.2-1
ii  libsrtp0             1.4.5~20130609~dfsg-1.1
ii  libstdc++6           5.1.1-7
ii  libx11-6             2:1.6.3-1
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxml2              2.9.1+dfsg1-4
ii  libxrandr2           2:1.4.2-1+b1
ii  libxrender1          1:0.9.8-1+b1
ii  libxslt1.1           1.1.28-2+b2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+3
ii  xdg-utils            1.1.0~rc1+git20111210-7.4

chromium recommends no packages.

Versions of packages chromium suggests:
ii  chromium-l10n  43.0.2357.65-1

-- no debconf information
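
The check the reporter did by hand with `find` and `file`, as an added example (not part of the original report and not Chromium code): it walks a profile's `Extensions` directory and reports every file that begins with an ELF header, with its extension ID, version directory and SHA-256. The sample tree and the 20-byte ELF stub are constructed for the demonstration; only the extension ID, version directory and file names are taken from the report.

```python
import hashlib
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values from the ELF specification.
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(head):
    """Return (bits, byte_order, machine) if `head` starts an ELF file, else None."""
    if len(head) < 20 or head[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(head[4])       # e_ident[EI_CLASS]
    order = {1: "<", 2: ">"}.get(head[5])    # e_ident[EI_DATA]
    if bits is None or order is None:
        return None
    (machine,) = struct.unpack_from(order + "H", head, 18)  # e_machine
    return bits, "LSB" if order == "<" else "MSB", MACHINES.get(machine, hex(machine))


def scan_profile(profile_dir):
    """List ELF files below <profile_dir>/Extensions/<id>/<version>/.

    Permission bits are not consulted: as noted later in the thread, the blob
    is loaded by the browser rather than run directly by the system, so a
    noexec mount does not make such a file inert.
    """
    ext_root = os.path.join(profile_dir, "Extensions")
    findings = []
    for dirpath, dirnames, filenames in os.walk(ext_root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                head = fh.read(20)
                info = parse_elf_header(head)
                if info is None:
                    continue
                digest = hashlib.sha256(head)
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            parts = os.path.relpath(path, ext_root).split(os.sep)
            findings.append({
                "ext_id": parts[0] if len(parts) > 1 else "",
                "version": parts[1] if len(parts) > 2 else "",
                "file": os.path.join(*parts),
                "bits": info[0],
                "byte_order": info[1],
                "machine": info[2],
                "sha256": digest.hexdigest(),
            })
    return findings


def build_sample_profile(root):
    """Create a constructed profile tree mirroring the layout in the report."""
    profile = os.path.join(root, "Default")
    module = os.path.join(profile, "Extensions",
                          "lccekmodgklaepjeofjdjpbminllajkg", "0.3.0.5_0")
    platform = os.path.join(module, "_platform_specific", "x86-64_ja")
    os.makedirs(platform)
    # Constructed 20-byte stub: ELF64, little-endian, ET_EXEC, EM_X86_64.
    stub = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 62)
    with open(os.path.join(platform, "hotword-x86-64.nexe"), "wb") as fh:
        fh.write(stub)
    with open(os.path.join(platform, "hotword.data"), "wb") as fh:
        fh.write(b"constructed model data, not ELF")
    with open(os.path.join(module, "manifest.json"), "w") as fh:
        fh.write('{"name": "constructed sample"}')
    return profile


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in scan_profile(build_sample_profile(tmp)):
            print("{ext_id} {version} {file}: ELF {bits}-bit {byte_order}, "
                  "{machine}, sha256={sha256}".format(**f))
```

Pointing `scan_profile` at a real profile directory (the `Default` directory in the report) lists the same kind of files the `find` and `file` commands above turned up.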



Set Bug forwarded-to-address to 'https://code.google.com/p/chromium/issues/detail?id=491435'. Request was from YOSHINO Yoshihito <yy.y.ja.jp@gmail.com> to submit@bugs.debian.org. (Tue, 26 May 2015 16:24:24 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Wed, 27 May 2015 10:54:09 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Wed, 27 May 2015 10:54:09 GMT) (full text, mbox, link).


Message #12 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>, 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 12:52:34 +0200
[Message part 1 (text/plain, inline)]
On mer., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> Package: chromium
> Version: 43.0.2357.65-1
> Severity: serious
> Tags: security upstream
> Justification: Policy 2.1.2
> Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> 
> Dear Maintainer,
> 
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts downloading
> "Chrome Hotword Shared Module" extension, which contains a binary without
> source code. There seems to be no opt-out config.
> 
> $ chromium --temp-profile &
> $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped

Even worse, that extension:

- doesn't appear in the extension list;
- is apparently used to provide “ok google” voice activation stuff.

That's definitely not the stuff we'd like installed by default, without
the user knowing (even if it's supposedly not installed).

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Wed, 27 May 2015 11:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Wed, 27 May 2015 11:00:05 GMT) (full text, mbox, link).


Message #17 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>
Cc: 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 12:56:29 +0200
[Message part 1 (text/plain, inline)]
On mer., 2015-05-27 at 12:52 +0200, Yves-Alexis Perez wrote:
> On mer., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> > Package: chromium
> > Version: 43.0.2357.65-1
> > Severity: serious
> > Tags: security upstream
> > Justification: Policy 2.1.2
> > Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> > 
> > Dear Maintainer,
> > 
> > After upgrading chromium to 43, I noticed that when it is running and
> > immediately after the machine is on-line it silently starts downloading
> > "Chrome Hotword Shared Module" extension, which contains a binary without
> > source code. There seems to be no opt-out config.
> > 
> > $ chromium --temp-profile &
> > $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped
> 
> Even worse, that extension:
> 
> - doesn't appear in the extension list;
> - is apparently used to provide “ok google” voice activation stuff.
> 
> That's definitely not the stuff we'd like installed by default, without
> the user knowing (even if it's supposedly not installed).
> 
chrome://voicesearch returns:

About Voice Search

Chromium	43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)
OS	Linux
NaCl Enabled	No
Microphone	No
Audio Capture Allowed	Yes
Current Language	en-US
Hotword Previous Language	en-US
Hotword Search Enabled	No
Always-on Hotword Search Enabled	No
Hotword Audio Logging Enabled	No
Field trial	
Start Page State	No Start Page Service
Extension Id	nbpagnldghgfoolbancepceaanlmhfmd
Extension Version	0.0.1.4
Extension Path	/usr/lib/chromium/resources/hotword
Extension State	ENABLED
Shared Module Id	lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version	0.3.0.5
Shared Module Path	/tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State	ENABLED
Shared Module Platforms	x86-64_

The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.

Regards
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Wed, 27 May 2015 11:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Wed, 27 May 2015 11:27:05 GMT) (full text, mbox, link).


Message #22 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>, 786909@bugs.debian.org
Subject: Re: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 13:23:15 +0200
[Message part 1 (text/plain, inline)]
 ❦ 27 mai 2015 12:56 +0200, Yves-Alexis Perez <corsac@debian.org> :

> Chromium	43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)
> OS	Linux
> NaCl Enabled	No
> Microphone	No
> Audio Capture Allowed	Yes
> Current Language	en-US
> Hotword Previous Language	en-US
> Hotword Search Enabled	No
> Always-on Hotword Search Enabled	No
> Hotword Audio Logging Enabled	No
> Field trial	
> Start Page State	No Start Page Service
> Extension Id	nbpagnldghgfoolbancepceaanlmhfmd
> Extension Version	0.0.1.4
> Extension Path	/usr/lib/chromium/resources/hotword
> Extension State	ENABLED
> Shared Module Id	lccekmodgklaepjeofjdjpbminllajkg
> Shared Module Version	0.3.0.5
> Shared Module Path	/tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
> Shared Module State	ENABLED
> Shared Module Platforms	x86-64_
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me.

Same here. I did delete the extension path but somehow Chromium seems to
think it's still here (I have the same output as you except "Shared
Module Platforms"). You can check if it is running using the task
manager: from various bug reports, it is not hidden here. You can also
disable it in chrome://settings in the "Search" section: "Enable Ok
Google to start a voice search". Various bug reports exist to say that
it may not prevent the extension from running.

If it is not possible to disable it by default and make it appear in
chrome://extensions, it would be better to not ship this extension at
all (only the shared module seems to be downloaded, the remainder
of the code seems to be still here).
-- 
Use self-identifying input.  Allow defaults.  Echo both on output.
            - The Elements of Programming Style (Kernighan & Plauger)
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Wed, 27 May 2015 11:27:08 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Wed, 27 May 2015 11:27:08 GMT) (full text, mbox, link).


Message #27 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Vincent Bernat <bernat@debian.org>
Cc: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>, 786909@bugs.debian.org
Subject: Re: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 13:25:32 +0200
[Message part 1 (text/plain, inline)]
On mer., 2015-05-27 at 13:23 +0200, Vincent Bernat wrote:
> Same here. I did delete the extension path but somehow Chromium seems to
> think it's still here (I have the same output as you except "Shared
> Module Platforms"). You can check if it is running using the task
> manager: from various bug reports, it is not hidden here. You can also
> disable it in chrome://settings in the "Search" section: "Enable Ok
> Google to start a voice search". Various bug reports exist to say that
> it may not prevent the extension from running.
> 
> If it is not possible to disable it by default and make it appear in
> chrome://extensions, it would be better to not ship this extension at
> all (only the shared module seems to be downloaded, the remainder
> of the code seems to be still here).

Note that the binary blob is executed through native client, which is
not enabled by default, so I /think/ you need explicit action from the
user (although if you enable NaCl for something else, then you might
enable stuff you actually don't want).

Having /home noexec won't help, since it's not run directly by the
system but by chromium.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 29 May 2015 01:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 29 May 2015 01:39:07 GMT) (full text, mbox, link).


Message #32 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 786909@bugs.debian.org, Vincent Bernat <bernat@debian.org>
Subject: Re: Bug#786909: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Thu, 28 May 2015 21:37:13 -0400
[Message part 1 (text/plain, inline)]
control: tag -1 confirmed, help

On Wed, May 27, 2015 at 7:25 AM, Yves-Alexis Perez wrote:
> Note that the binary blob is executed through native client, which is
> not enabled by default, so I /think/ you need explicit action from the
> user (although if you enable NaCl for something else, then you might
> enable stuff you actually don't want).

I made a quick attempt at getting hotword disabled, but it wasn't effective.

I won't have time to dig into the details for a while, so I'm
attaching the failed attempt to maybe inspire some other ideas.

Best wishes,
Mike
[hotword-fail.patch (text/x-patch, attachment)]

Added tag(s) help and confirmed. Request was from Michael Gilbert <mgilbert@debian.org> to 786909-submit@bugs.debian.org. (Fri, 29 May 2015 01:39:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Wed, 10 Jun 2015 19:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Wed, 10 Jun 2015 19:39:03 GMT) (full text, mbox, link).


Message #39 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 786909@bugs.debian.org, Vincent Bernat <bernat@debian.org>
Subject: Re: Bug#786909: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 10 Jun 2015 21:36:05 +0200
[Message part 1 (text/plain, inline)]
On jeu., 2015-05-28 at 21:37 -0400, Michael Gilbert wrote:
> control: tag -1 confirmed, help
> 
> On Wed, May 27, 2015 at 7:25 AM, Yves-Alexis Perez wrote:
> > Note that the binary blob is executed through native client, which is
> > not enabled by default, so I /think/ you need explicit action from the
> > user (although if you enable NaCl for something else, then you might
> > enable stuff you actually don't want).
> 
> I made a quick attempt at getting hotword disabled, but it wasn't effective.
> 
> I won't have time to dig into the details for a while, so I'm
> attaching the failed attempt to maybe inspire some other ideas.
> 
Hey Mike,

it's apparently fixed upstream
(https://code.google.com/p/chromium/issues/detail?id=491435). Not sure
if it's in a released version, but it might be possible to backport the
patch in between.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 11 Jun 2015 19:24:40 GMT) (full text, mbox, link).


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 15 Jun 2015 10:27:09 GMT) (full text, mbox, link).


Notification sent to YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>:
Bug acknowledged by developer. (Mon, 15 Jun 2015 10:27:09 GMT) (full text, mbox, link).


Message #46 received at 786909-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 786909-close@bugs.debian.org
Subject: Bug#786909: fixed in chromium-browser 43.0.2357.81-1
Date: Mon, 15 Jun 2015 10:24:08 +0000
Source: chromium-browser
Source-Version: 43.0.2357.81-1

We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 786909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated chromium-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2015 04:04:34 +0000
Source: chromium-browser
Binary: chromium chromium-dbg chromium-l10n chromedriver
Architecture: source all
Version: 43.0.2357.81-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 chromedriver - web browser - WebDriver support
 chromium   - web browser
 chromium-dbg - web browser - debugging symbols
 chromium-l10n - web browser - language packs
Closes: 786490 786909
Changes:
 chromium-browser (43.0.2357.81-1) unstable; urgency=medium
 .
   * New upstream release fixing missing icon (closes: #786490).
   * Disable hotword (closes: #786909).
   * Remove some sourceless files.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Tue, 16 Jun 2015 03:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Tue, 16 Jun 2015 03:21:03 GMT) (full text, mbox, link).


Message #51 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 786909@bugs.debian.org
Subject: Re: chromium: unconditionally downloads binary blob
Date: Tue, 16 Jun 2015 05:16:44 +0200
[Message part 1 (text/plain, inline)]
Hi.


Shouldn't we see a DSA following this incident?

Since no one really knows which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems are basically to be considered
compromised.

Quite a deal of people choose open source just to prevent that - get
untrustworthy / unverifiable code run on their systems - failed.


And to be quite honest, I seriously consider the good faith of such an
upstream which does these kinds of things and wonder whether it can be
considered trustworthy enough to be part of Debian or whether it should
be banned from it.
More or less silently bundling proprietary code with open source
software (especially but not only when enabled per default) can already
be considered quite bad behaviour.

But basically secretly downloading it leads to the question of possible
malicious intent (and everyone knows that Google&Co. do voluntarily
and/or forcibly cooperate with NSA and friends).
And I guess no one can prove that this blob didn't contain any rootkit,
and even if - the rootkit'ed version may have been just distributed to
certain people.
The downloading makes it more or less impossible for the admin/user and
especially for our maintainers to notice what's happening here
(otherwise they'd need to audit every line of code for any such
occasions).


And even if the blob wasn't evil: while I haven't looked at the code, I
wouldn't even be surprised if the downloading itself is done
insecurely.


Worse, chromium isn't the only such rootkit-downloader,... this happens
- to my taste - far too often in recent times,.. e.g. FF which secretly
downloaded the OpenH264 blob.


Now that specific incident may be solved (at least for now),... but no
appropriate notification of users is made, so theoretically&practically
arbitrary users may have had their systems compromised now, and they
won't even notice.

:/


Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Tue, 16 Jun 2015 04:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Tue, 16 Jun 2015 04:51:04 GMT) (full text, mbox, link).


Message #56 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 786909@bugs.debian.org
Cc: oss-security@lists.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Tue, 16 Jun 2015 00:49:31 -0400
On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
>
> And to be quite honest, I seriously consider the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled per default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google&Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
>
> Worse, chromium isn't the only such rootkit-downloader,... this happens
> - to my taste - far too often in recent times,.. e.g. FF which secretly
> downloaded the OpenH264 blob.

Barring the obtusely incorrect rootkit miscategorization, oss-sec is a
far better venue for discussion since Debian is not the only
distribution that includes chromium 43.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Tue, 16 Jun 2015 13:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Tue, 16 Jun 2015 13:18:03 GMT) (full text, mbox, link).


Message #61 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Michael Gilbert <mgilbert@debian.org>, 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Tue, 16 Jun 2015 15:15:06 +0200
[Message part 1 (text/plain, inline)]
On Tue, 2015-06-16 at 00:49 -0400, Michael Gilbert wrote:
> Barring the obtusely incorrect rootkit miscategorization

Well, as I've said,.. no one can really tell what it is, since it's a
blob,... and even if one would assume that someone could correctly
reverse engineer it, or reproducibly build it from public sources,
there's absolutely no guarantee that malicious software might have been
just distributed to selected people.


> oss-sec is a
> far better venue for discussion since Debian is not the only
> distribution that includes chromium 43.

I don't see how that would practically ever change something at the
Debian level; this seems rather like simply pushing away an unpleasant
issue.
And just because all other distros ship software which injects possibly
malicious blobs, we don't have to do the same.


Anyway, I haven't said that banning such software from Debian would be
the only solution... but at least these incidents come far too frequently
recently, so apparently something needs to be done at Debian level to
pro-actively prevent future cases/compromises like this.


And there's still no single sign of properly visible announcements to
users about what might have happened here. :(


Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Thu, 18 Jun 2015 22:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Thu, 18 Jun 2015 22:45:04 GMT) (full text, mbox, link).


Message #66 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 786909@bugs.debian.org
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Thu, 18 Jun 2015 23:42:51 +0100
[Message part 1 (text/plain, inline)]
Hi,

Upstream have said:
https://code.google.com/p/chromium/issues/detail?id=491435#c10
> This is not "opt-in default". If you do not explicitly opt in (using
> the "Enable Ok Google" setting in chrome://settings), then this module
> will not run.

That suggests to me that security of users was not put at risk, unless
they enabled that optional feature.  It was likely 'only' a privacy
concern and Debian policy violation.

May I ask boldly, is NaCl a legitimate feature of a Debian package in
'main'?  I'm reminded of the FSF's John Sullivan speaking at DebConf14
about the DFSG iceweasel browser offering to install non-free software.
AIUI NaCl's only purpose is to execute compiled, most likely non-free
code?  (Whereas minified non-free JavaScript is objectionable to some,
this seems an order of magnitude worse).

I'm not implying chromium belongs in contrib or non-free - there is
already the non-free Chrome as an option there - but rather, would the
DFSG chromium browser be 'more' free if it disabled NaCl?

I also propose more QA within Debian to find applications phoning home,
which could have been detected in this case within something like the
autopkgtest framework and simply opening a page on a local webserver.

Sorry, if you feel this is off-topic for the bug log, please take it to
an appropriate list but preferably keep me in Cc: if you do.

Christoph Anton Mitterer wrote:
> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

The bug made it to Hacker News, so that has been accomplished now
to some extent.  Thanks Chris for speaking up about this.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Thu, 18 Jun 2015 23:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Thu, 18 Jun 2015 23:36:04 GMT) (full text, mbox, link).


Message #71 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 786909@bugs.debian.org
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Fri, 19 Jun 2015 00:33:51 +0100
[Message part 1 (text/plain, inline)]
Steven Chamberlain wrote:
> would the
> DFSG chromium browser be 'more' free if it disabled NaCl?

Actually, in the build log I see disable_nacl=1

I'm confused that hotword-x86-64.nexe is "a NaCl module" [0], even
though Debian's chromium is built with NaCl 'disabled'?

Does this feature actually work at all, even if a user ticks
"Enable OK Google" in chrome://settings;  is someone able to test that?

[0]: https://code.google.com/p/chromium/issues/detail?id=491435#c10

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Thu, 18 Jun 2015 23:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Thu, 18 Jun 2015 23:51:03 GMT) (full text, mbox, link).


Message #76 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: 786909@bugs.debian.org, Christoph Anton Mitterer <calestyo@scientia.net>
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Thu, 18 Jun 2015 19:47:39 -0400
On Thu, Jun 18, 2015 at 7:33 PM, Steven Chamberlain wrote:
> Steven Chamberlain wrote:
>> would the
>> DFSG chromium browser be 'more' free if it disabled NaCl?
>
> Actually, in the build log I see disable_nacl=1
>
> I'm confused that hotword-x86-64.nexe is "a NaCl module" [0], even
> though Debian's chromium is built with NaCl 'disabled'?

Yes, nacl is intentionally disabled in the Debian packages, but that
itself doesn't have anything to do with the ability of the browser to
download files.

> Does this feature actually work at all, even if a user ticks
> "Enable OK Google" in chrome://settings;  is someone able to test that?

No, it does not work.  Obviously nacl applications cannot execute
without a nacl interpreter.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 19 Jun 2015 00:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 19 Jun 2015 00:21:07 GMT) (full text, mbox, link).


Message #81 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: 786909@bugs.debian.org, oss-security@lists.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Thu, 18 Jun 2015 20:19:02 -0400
Since this made it to LWN [0] and Y Combinator [1] with an incredible
amount of misinformation, let's attempt a (hopefully) non-hyped
conversation about this, which unfortunately didn't happen a few days
ago.

On Tue, Jun 16, 2015 at 9:15 AM, Christoph Anton Mitterer wrote:
> On Tue, 2015-06-16 at 00:49 -0400, Michael Gilbert wrote:
>> Barring the obtusely incorrect rootkit miscategorization
>
> Well, as I've said,.. no one can really tell what it is, since it's a
> blob,... and even if one would assume that someone could correctly
> reverse engineer it, or reproducibly build it from public sources,
> there's absolutely no guarantee that malicious software might have been
> just distributed to selected people.

Except that the actual contents of the downloaded files in many ways
do not actually matter.  Those files are nacl executables, which are
sandboxed in any nacl-enabled chromium, so barring a sandbox escape
included in the files, this is functionally the same as visiting any
nacl website (less the fact that hotword automatically gets microphone
permission, which itself is worth independent critique).

Additionally, the Debian packages are intentionally built with nacl
disabled (in fact not built at all).  So, at least on Debian, even if
the downloaded files were in fact malicious, without a nacl
interpreter present, there is absolutely no way to trigger the
badness.

>> oss-sec is a
>> far better venue for discussion since Debian is not the only
>> distribution that includes chromium 43.
>
> I don't see how that would practically ever change something at the
> Debian level; this seems rather like simply pushing away an unpleasant
> issue.

Maybe now it's clear that a meaningful conversation at the time would
have preempted the ensuing misinformation campaign.

> And just because all other distros ship software which injects possibly
> malicious blobs, we don't have to do the same.

I simply do not follow the logic leading to this conclusion.  How does
engaging in discussion lead to any specific problem being ignored
exactly?

Anyway, if some incredibly basic homework had been done, you could
have convinced yourself of the non-issue nature of this problem,
rather than engaging in unfounded speculation.

> Anyway, I haven't said that banning such software from Debian would be
> the only solution... but at least these incidents come far too frequent
> recently, so apparently something needs to be done at Debian level to
> pro-actively prevent future cases/compromises like this.

That is exactly what Debian unstable is for, and in many ways it
worked as intended, except for the special snowflake that is chromium.
Since major chromium versions get uploaded to both unstable and stable
to fix security issues, problems introduced into unstable also
unfortunately get introduced to stable.

> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

Well, it is out there now [0,1], unfortunately with a huge amount of
misinformation.

Anyway the Debian security tracker is tracking this [2].  As stated
there, it will be fixed along with the next incoming round of chromium
security issues.  It is absolutely not worth fixing on its own.

Best wishes,
Mike

[0] https://lwn.net/Articles/648392
[1] https://news.ycombinator.com/item?id=9724409
[2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 19 Jun 2015 00:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 19 Jun 2015 00:27:04 GMT) (full text, mbox, link).


Message #86 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Steven Chamberlain <steven@pyro.eu.org>, 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Fri, 19 Jun 2015 02:23:18 +0200
[Message part 1 (text/plain, inline)]
On Thu, 2015-06-18 at 23:42 +0100, Steven Chamberlain wrote:
> Upstream have said:
> https://code.google.com/p/chromium/issues/detail?id=491435#c10
> > This is not "opt-in default". If you do not explicitly opt in (using
> > the "Enable Ok Google" setting in chrome://settings), then this module
> > will not run.
>
> That suggests to me that security of users was not put at risk, unless
> they enabled that optional feature.  It was likely 'only' a privacy
> concern and Debian policy violation.

I don't think it really matters what upstream claims here, unless
things can be clearly proven by code:
It's very well known that all the big players (Google, Mozilla, etc.)
either voluntarily or forcibly cooperate with organisations like the
NSA, which in turn are notoriously known for trying to attack and hack
into any system, legally or not.

Especially the fact that they don't simply distribute the blob as part
of their bundle but download it, makes it IMHO highly suspicious (yeah,
of course as with Mozilla there's the good excuse of "patent reasons"),
as this could enable an attacker to selectively distribute good/bad
versions of the blob to certain users, thereby making it basically
impossible to ever detect this.



> May I ask boldly, is NaCl a legitimate feature of a Debian package in
> 'main'?  I'm reminded of the FSF's John Sullivan speaking at DebConf14
> about the DFSG iceweasel browser offering to install non-free software.
> AIUI NaCl's only purpose is to execute compiled, most likely non-free
> code?  (Whereas minified non-free JavaScript is objectionable to some,
> this seems an order of magnitude worse).
Browsers generally have really become a security disease... :-/


> I also propose more QA within Debian to find applications phoning home,
> which could have been detected in this case within something like the
> autopkgtest framework and simply opening a page on a local webserver.
"phoning home" and (down)loading + executing (possibly malicious) blobs
are IMHO two different things.
The former is just a privacy issue (which may or may not be a security
issue as well)... and unfortunately we have already so many packages
doing this (especially many cases where this behaviour is all but
obvious), that I don't see any chances to really solve these privacy
issues without a concentrated effort; and actually, in most cases where
I've already reported such issues I experienced modest to strong
resistance by the respective maintainers and/or upstream.


> Sorry, if you feel this is off-topic for the bug log, please take it to
> an appropriate list but preferably keep me in Cc: if you do.
I've already thought about CCing d-d, but to be honest,... I don't
expect that anything would come out from a broader discussion...
security seems to be only tertiary priority in Debian, at least in
several fields (and no, I explicitly do not refer to the Security Team
here).


> The bug made it to Hacker News, so that has been accomplished now
> to some extent.
Well and I've noticed it also mentioned on the cryptography mailing
list and some openbsd lists... and yet...

- still no DSA (or something like that)
- still no concentrated effort at the Debian level to pro-actively work
against such sources that include or more or less secretly download
blobs (I guess it should be obvious that this cannot be the
responsibility of one single person like Michael, and that my criticism
isn't targeted towards him)
- and sadly, as it seems, further, very silently handled cases:
  chromium-browser (43.0.2357.124-1) unstable; urgency=medium
  ...
   * Remove more sourceless files.


Having this popped up at some news sites is basically useless if no
measures are taken.


> Thanks Chris for speaking up about this.
Well it wasn't me who noticed this particular incident of a compromise,
thanks go to Yoshino Yoshihito


Cheers,
Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 19 Jun 2015 00:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 19 Jun 2015 00:39:04 GMT) (full text, mbox, link).


Message #91 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 786909@bugs.debian.org
Cc: Steven Chamberlain <steven@pyro.eu.org>, debian developers <debian-devel@lists.debian.org>
Subject: Please stop (was: Bug#786909: chromium: unconditionally downloads binary blob)
Date: Thu, 18 Jun 2015 20:36:54 -0400
On Thu, Jun 18, 2015 at 8:23 PM, Christoph Anton Mitterer wrote:

> - still no DSA (or something like that)

See previous message.

> - still no concentrated effort at the Debian level to pro-actively work
> against such sources that include or more or less secretly download
> blobs

If you have an itch, please by all means go scratch it.  You will get
absolutely nowhere continuing to tell people that they need to drop
everything to scratch your particular itches.  No one gets to tell
anyone else how they should spend their Debian time.  That is an
incredibly obtrusive affront to personal freedom and self
actualization.  Please stop.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 19 Jun 2015 00:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 19 Jun 2015 00:42:03 GMT) (full text, mbox, link).


Message #96 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 786909@bugs.debian.org, Christoph Anton Mitterer <calestyo@scientia.net>
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Fri, 19 Jun 2015 01:38:33 +0100
[Message part 1 (text/plain, inline)]
Michael Gilbert wrote:
> Yes, nacl is intentionally disabled in the Debian packages, [...]
> [...]
> No, it does not work.  Obviously nacl applications cannot execute
> without a nacl interpreter.

Thanks!  That's quite reassuring for Debian users at least.

Christoph Anton Mitterer wrote:
> I don't think it really matters what upstream claims here,

Right, we shouldn't just take their word for it.

From what I can tell, the file download was configured by way of a
module ID listed as an "import" here:
https://sources.debian.net/src/chromium-browser/43.0.2357.124-1/chrome/browser/resources/hotword/manifest.json/#L82
(and didn't exist before Chromium 43, JFTR).

(I don't yet understand how the upstream commit stopped the module being
downloaded, but rather appears to stop it from being invoked?)
https://codereview.chromium.org/1160243004/diff/120001/chrome/browser/search/hotword_service.cc

I scanned through the other manifest.json and found one other
occurrence which is:
https://sources.debian.net/src/chromium-browser/43.0.2357.124-1/ui/file_manager/video_player/manifest.json/?hl=60#L60

Could someone please check if that plugin is enabled?  (Seems
Mike just committed to packaging Git a way to make hidden extensions
visible now).

There is some scary code in
https://sources.debian.net/src/chromium-browser/43.0.2357.124-1/chrome/browser/chromeos/extensions/file_manager/private_api_misc.cc
relating to "https://www.googleapis.com/auth/chromewebstore" and
talking about "silent installation".  It relates to Cast API and
hopefully is unused in Debian builds (I don't see this file in the
Debian package build logs).

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[signature.asc (application/pgp-signature, inline)]
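
The manifest scan Steven describes in the message above, as an added example that is not part of the original message or of Chromium's or Debian's code: it walks a source tree, parses every manifest.json and reports each extension ID pulled in through an "import" entry. The function names, the `//` comment handling and the sample tree are assumptions made for illustration; the one ID in the sample is the hotword ID from the workaround later in this log.

```python
import json
import os
import re
import tempfile

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def strip_line_comments(text):
    """Drop // comments outside JSON strings (assumed to occur in in-tree manifests)."""
    out, in_string, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):
            newline = text.find("\n", i)
            if newline == -1:
                break  # comment runs to end of file
            i = newline  # keep the newline itself
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def imported_ids(manifest_path):
    """Return the extension IDs listed under the manifest's "import" key."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.loads(strip_line_comments(fh.read()))
    imports = manifest.get("import", []) if isinstance(manifest, dict) else []
    return [e["id"] for e in imports
            if isinstance(e, dict) and isinstance(e.get("id"), str)]


def scan_tree(root):
    """Map each manifest.json under root to its imports; unparsable files are reported."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        rel = os.path.relpath(path, root)
        try:
            ids = imported_ids(path)
        except (ValueError, OSError) as exc:
            # A manifest that cannot be parsed still needs a manual look.
            findings[rel] = {"error": str(exc)}
            continue
        if ids:
            findings[rel] = {
                "ids": ids,
                "malformed": [i for i in ids if not EXT_ID_RE.match(i)],
            }
    return findings


def build_sample_tree(root):
    """Write a constructed two-manifest tree (stand-ins, not the real files)."""
    samples = {
        ("chrome", "browser", "resources", "hotword", "manifest.json"): """{
  // Constructed stand-in for illustration only.
  "name": "Hotword triggering",
  "homepage_url": "https://example.invalid/",
  "import": [{"id": "lccekmodgklaepjeofjdjpbminllajkg"}]
}""",
        ("ui", "example_app", "manifest.json"): '{"name": "No imports here"}',
    }
    for parts, body in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tree:
        build_sample_tree(tree)
        for manifest, info in sorted(scan_tree(tree).items()):
            print(manifest, info)
```

Each reported ID names code that is not in the source package, so every hit is a candidate for review before upload.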

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 19 Jun 2015 00:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 19 Jun 2015 00:51:04 GMT) (full text, mbox, link).


Message #101 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 786909@bugs.debian.org, oss-security@lists.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Fri, 19 Jun 2015 02:49:25 +0200
[Message part 1 (text/plain, inline)]
On Thu, 2015-06-18 at 20:19 -0400, Michael Gilbert wrote:
> Except that the actual contents of the downloaded files in many ways
> do not actually matter.  Those files are nacl executables, which are
> sandboxed in any nacl-enabled chromium, so barring a sandbox escape
> included in the files, this is functionally the same as visiting any
> nacl website (less the fact that hotword automatically gets microphone
> permission, which itself is worth independent critique).
I never really understood why browsers need to be more and more like
complete operating systems, taking control over hardware which is
simply not their belonging...
If people want to voice/video conferencing, then they should need to
start some locally installed software for just that purpose.

But maybe I'm just too old-fashioned and don't want to have everything
run on the web or in the cloud. :-(


> Additionally, the Debian packages are intentionally built with nacl
> disabled (in fact not built at all).  So, at least on Debian, even if
> the downloaded files were in fact malicious, without a nacl
> interpreter present, there is absolutely no way to trigger the
> badness.
Definitely good news...
But my primary point was more that this should simply not happen...
cause in another case, we might not have had that safety of having nacl
not even available.
As I've mentioned, we've had the same issue already with Firefox which
downloaded OpenH264 and which (AFAIR) was actually loaded.

In principle, all code which is not manually
downloaded/compiled/executed by the user should enter a Debian box
*only* via the package management system.


> Maybe now it's clear that a meaningful conversation at the time would
> have preempted the ensuing misinformation campaign.
Well it wasn't me who posted this news to several other places,...


> I simply do not follow the logic leading to this conclusion.  How does
> engaging in discussion lead to any specific problem being ignored
> exactly?
Well, discussing things at oss-security doesn't have any direct effect
on Debian, right?

Discussing/reporting things directly at upstream is mostly just a waste
of time, at least when it comes about "meta" security issues; just look
at the Mozilla bugtracker for issues reported by me.

And unfortunately, the same applies largely to Debian itself. You may
remember several discussions I've ignited on d-d about such higher
level security issues,... like the "downloader packages", or the far
too high validity times of Release files.


> Anyway, if some incredibly basic homework had been done, you could
> have convinced yourself of the non-issue nature of this problem,
> rather than engaging in unfounded speculation.
I think practically it's extremely time consuming to really confirm
whether such code was loaded or not, especially when one is not
familiar with the code base, which I'm not in the case of Chromium.

And even if that code was just downloaded (but not executed) I still
think it's far from ideal.
configure-options may accidentally change, as may the download code
itself - simply not having any such functionalities in the code is
probably safer than having it just disabled and/or being simply a bit
lucky as we apparently were in this case.


> That is exactly what Debian unstable is for
Phew,... realistically, many people use sid for their normal desktop
systems...


> Well, it is out there now [0,1], unfortunately with a huge amount of
> misinformation.
My apologies, if you feel that this would fall into my
responsibility... as this wasn't my intention (otherwise I'd have CCed
it to d-d).
Personally I think that you as maintainer(s) should feel the least
responsible for this,... it's rather upstream who should need to
reconsider "some things"; and if they got a bit attention now, then
this may not be the biggest harm.


As said before, my main point is the question what we can do to prevent
such cases in the future.
This time, nothing might have gotten executed,... and the code (likely)
wouldn't have been malicious.
Next time it may look different. 


Best wishes,
Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Fri, 19 Jun 2015 01:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Fri, 19 Jun 2015 01:00:04 GMT) (full text, mbox, link).


Message #106 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Michael Gilbert <mgilbert@debian.org>, 786909@bugs.debian.org
Cc: Steven Chamberlain <steven@pyro.eu.org>, debian developers <debian-devel@lists.debian.org>
Subject: Re: Please stop (was: Bug#786909: chromium: unconditionally downloads binary blob)
Date: Fri, 19 Jun 2015 02:57:04 +0200
[Message part 1 (text/plain, inline)]
On Thu, 2015-06-18 at 20:36 -0400, Michael Gilbert wrote:
> See previous message.
I had read that only afterwards, as well as this message.


> You will get
> absolutely nowhere continuing to tell people that they need to drop
> everything to scratch your particular itches.
I don't think I've asked you to drop everything.


> No one gets to tell
> anyone else how they should spend their Debian time.  That is an
> incredibly obtrusive affront to personal freedom and self
> actualization.
I haven't said that you personally would be required to do anything,
have I?

Cheers,
Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Sun, 21 Jun 2015 20:12:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Franzl <office@michaelfranzl.com>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Sun, 21 Jun 2015 20:12:07 GMT) (full text, mbox, link).


Message #111 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Franzl <office@michaelfranzl.com>
To: 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Sun, 21 Jun 2015 21:47:48 +0200
On Thu, 18 Jun 2015 20:19:02 -0400 Michael Gilbert <mgilbert@debian.org> 
wrote:
> Anyway the Debian security tracker is tracking this [2].

> [2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526

This link is dead / says "Not found". Could you post the correct link?

Thanks



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Sun, 21 Jun 2015 21:48:05 GMT) (full text, mbox, link).


Acknowledgement sent to Marc <marc@linkitdesign.com>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Sun, 21 Jun 2015 21:48:05 GMT) (full text, mbox, link).


Message #116 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Marc <marc@linkitdesign.com>
To: 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Sun, 21 Jun 2015 22:39:16 +0100
On Sun, 21 Jun 2015 21:47:48 +0200 Michael Franzl
<office@michaelfranzl.com> wrote:
> On Thu, 18 Jun 2015 20:19:02 -0400 Michael Gilbert <mgilbert@debian.org> 
> wrote:
> > Anyway the Debian security tracker is tracking this [2].
> 
> > [2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526
> 
> This link is dead / says "Not found". Could you post the correct link?
> 
> Thanks
> 
> 
I think this is the one:
https://security-tracker.debian.org/tracker/TEMP-0786909-A21526



Marked as found in versions chromium-browser/43.0.2357.65-1~deb8u1. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Tue, 30 Jun 2015 10:38:45 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#786909; Package chromium. (Tue, 30 Jun 2015 11:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Tue, 30 Jun 2015 11:03:04 GMT) (full text, mbox, link).


Message #123 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org>
To: 786909@bugs.debian.org
Subject: Unconditional hotword download: Workaround for Jessie
Date: Tue, 30 Jun 2015 12:58:55 +0200
Hi,

the following symlink seems to prevent the download of the hotword
binary blob in Debian 8 Jessie where this issue still exists:

lrwxrwxrwx 1 abe abe 9 Jun 30 12:42 .config/chromium/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg -> /dev/null

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
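
A check for the state the workaround above leaves behind, as an added example that is not part of the original message or of the Debian package: it reports, for every profile under a Chromium configuration directory, whether the hotword extension path is absent, blocked by a symlink to /dev/null, or populated, and lists any .nexe files found. The function names and state labels are assumptions, and the symlink in the message covers the Default profile only, which is why the example walks all profiles.

```python
import os

# Extension ID taken from the symlink path in the message above.
HOTWORD_ID = "lccekmodgklaepjeofjdjpbminllajkg"


def hotword_state(profile_dir):
    """Classify <profile>/Extensions/<HOTWORD_ID> without following it blindly."""
    path = os.path.join(profile_dir, "Extensions", HOTWORD_ID)
    if os.path.islink(path):
        # The workaround: a symlink to /dev/null in place of the directory.
        resolved = os.path.realpath(path)
        state = "blocked" if resolved == os.devnull else "symlink-other"
        return {"state": state, "target": os.readlink(path), "nexe": []}
    if not os.path.lexists(path):
        return {"state": "absent", "target": None, "nexe": []}
    if not os.path.isdir(path):
        return {"state": "not-a-directory", "target": None, "nexe": []}
    nexe = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if name.endswith(".nexe"):
                full = os.path.join(dirpath, name)
                nexe.append(os.path.relpath(full, path))
    state = "populated" if os.listdir(path) else "empty"
    return {"state": state, "target": None, "nexe": sorted(nexe)}


def audit_config(config_dir):
    """Run hotword_state on every profile directory that has an Extensions folder."""
    report = {}
    for entry in sorted(os.listdir(config_dir)):
        profile = os.path.join(config_dir, entry)
        if os.path.isdir(os.path.join(profile, "Extensions")):
            report[entry] = hotword_state(profile)
    return report


if __name__ == "__main__":
    config = os.path.expanduser("~/.config/chromium")
    if os.path.isdir(config):
        for profile, result in audit_config(config).items():
            print(profile, result)
    else:
        print("no Chromium configuration directory at", config)
```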



Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Fri, 24 Jul 2015 16:51:04 GMT) (full text, mbox, link).


Notification sent to YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>:
Bug acknowledged by developer. (Fri, 24 Jul 2015 16:51:04 GMT) (full text, mbox, link).


Message #128 received at 786909-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 786909-close@bugs.debian.org
Subject: Bug#786909: fixed in chromium-browser 44.0.2403.89-1~deb8u1
Date: Fri, 24 Jul 2015 16:47:32 +0000
Source: chromium-browser
Source-Version: 44.0.2403.89-1~deb8u1

We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 786909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated chromium-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Jul 2015 02:58:38 +0000
Source: chromium-browser
Binary: chromium chromium-dbg chromium-l10n chromium-inspector chromedriver
Architecture: source amd64 all
Version: 44.0.2403.89-1~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 chromedriver - web browser - WebDriver support
 chromium   - web browser
 chromium-dbg - web browser - debugging symbols
 chromium-inspector - web browser - page inspection support
 chromium-l10n - web browser - language packs
Closes: 786909
Changes:
 chromium-browser (44.0.2403.89-1~deb8u1) jessie-security; urgency=high
 .
   * New upstream security release:
     - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
     - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
     - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
     - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to
       Mike Ruddy.
     - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen.
     - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
     - CVE-2015-1272: Use-after-free related to unexpected GPU process
       termination. Credit to Chamal de Silva.
     - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
     - CVE-2015-1274: Settings allowed executable files to run immediately after
       download. Credit to  andrewm.bpi.
     - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte).
     - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
     - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
     - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
     - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
     - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
     - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
     - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
     - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa
       Sidhpurwala.
     - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen.
     - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
     - CVE-2015-1286: UXSS in blink. Credit to anonymous.
     - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
     - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to
       Mike Ruddy.
     - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
       initiatives.
     - Hotword extension disabled by default (closes: #786909).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Sep 2015 07:26:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat May 4 11:13:16 2024; Machine Name: buxtehude
