[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
YOSHINO Yoshihito
yy.y.ja.jp at gmail.com
Tue May 26 16:23:38 UTC 2015
Package: chromium
Version: 43.0.2357.65-1
Severity: serious
Tags: security upstream
Justification: Policy 2.1.2
Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
Dear Maintainer,
After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts downloading
"Chrome Hotword Shared Module" extension, which contains a binary without
source code. There seems to be no opt-out config.
$ chromium --temp-profile &
$ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
$ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages chromium depends on:
ii libasound2 1.0.28-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-18
ii libcairo2 1.14.2-2
ii libcups2 1.7.5-11
ii libdbus-1-3 1.8.18-1
ii libexpat1 2.1.0-6+b3
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgdk-pixbuf2.0-0 2.31.4-1
ii libglib2.0-0 2.44.1-1
ii libgnome-keyring0 3.12.0-1+b1
ii libgtk2.0-0 2.24.25-3
ii libharfbuzz0b 0.9.40-3
ii libjpeg62-turbo 1:1.4.0-7
ii libnspr4 2:4.10.8-1
ii libnss3 2:3.19-1
ii libpango-1.0-0 1.36.8-3
ii libpangocairo-1.0-0 1.36.8-3
ii libpci3 1:3.2.1-3
ii libspeechd2 0.8-7
ii libspeex1 1.2~rc1.2-1
ii libsrtp0 1.4.5~20130609~dfsg-1.1
ii libstdc++6 5.1.1-7
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxcursor1 1:1.1.14-1+b1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxi6 2:1.7.4-1+b2
ii libxml2 2.9.1+dfsg1-4
ii libxrandr2 2:1.4.2-1+b1
ii libxrender1 1:0.9.8-1+b1
ii libxslt1.1 1.1.28-2+b2
ii libxss1 1:1.2.2-1
ii libxtst6 2:1.2.2-1+b1
ii x11-utils 7.7+3
ii xdg-utils 1.1.0~rc1+git20111210-7.4
chromium recommends no packages.
Versions of packages chromium suggests:
ii chromium-l10n 43.0.2357.65-1
-- no debconf information
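
The check in the report, generalised to a whole profile (added example, not part of the original report): it lists every file under a profile's Extensions directory that begins with the ELF magic bytes, which covers .nexe modules like the one shown above. The function names and the sample profile built by make_sample_profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ELF executables that extensions placed in a Chromium profile.
# Usage: sh script.sh PROFILE_DIR   (e.g. /tmp/tmp.XXXX/Default)

# is_elf FILE: true when FILE begins with the ELF magic 0x7f 'E' 'L' 'F'.
is_elf() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# find_extension_elfs PROFILE_DIR: print "<extension-id> <version> <relative path>"
# for every ELF file under PROFILE_DIR/Extensions/<id>/<version>/.
find_extension_elfs() {
    ext_root="$1/Extensions"
    [ -d "$ext_root" ] || return 0
    find "$ext_root" -mindepth 3 -type f | sort | while IFS= read -r f; do
        is_elf "$f" || continue
        rel=${f#"$ext_root"/}
        id=${rel%%/*}; rest=${rel#*/}
        ver=${rest%%/*}; path=${rest#*/}
        printf '%s %s %s\n' "$id" "$ver" "$path"
    done
}

# make_sample_profile DIR: constructed sample mirroring the layout in the report.
make_sample_profile() {
    v="$1/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0"
    d="$v/_platform_specific/x86-64_ja"
    mkdir -p "$d"
    printf '\177ELF\002\001\001' > "$d/hotword-x86-64.nexe"   # ELF header bytes only
    printf 'not an executable' > "$d/hotword.data"
    printf '{"name":"sample"}' > "$v/manifest.json"
}

# Run against a real profile when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    find_extension_elfs "$1"
fi
```

Matching on the magic bytes rather than the file name also catches native code stored under an unexpected extension.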