[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob

Yves-Alexis Perez corsac at debian.org
Wed May 27 10:52:34 UTC 2015


On Wed, 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> Package: chromium
> Version: 43.0.2357.65-1
> Severity: serious
> Tags: security upstream
> Justification: Policy 2.1.2
> Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> 
> Dear Maintainer,
> 
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts downloading
> "Chrome Hotword Shared Module" extension, which contains a binary without
> source code. There seems to be no opt-out config.
> 
> $ chromium --temp-profile &
> $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped

Even worse, that extension:

- doesn't appear in the extension list;
- is apparently used to provide “ok google” voice activation stuff.

That's definitely not the stuff we'd like installed by default, without
the user knowing (even if it's supposedly not installed).

Regards,
-- 
Yves-Alexis
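
An added example, not part of the original message or of the Debian or Chromium code: a POSIX shell script that generalises the `find`/`file` check quoted above, listing every ELF file shipped inside any extension of a profile. It assumes the `<profile>/Extensions/<id>/<version>/` layout visible in the report; the function names, the sample profile and its id and version are constructed for illustration.

```shell
#!/bin/sh
# Added example: list native (ELF) executables shipped inside the extensions
# of a Chromium profile. Assumed layout: <profile>/Extensions/<id>/<version>/...

# is_elf FILE: succeed if FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# scan_profile PROFILE_DIR: print "<extension id> <version> <relative path>"
# for every ELF file found below PROFILE_DIR/Extensions.
scan_profile() {
    ext_root="$1/Extensions"
    [ -d "$ext_root" ] || return 0
    find "$ext_root" -type f | sort | while IFS= read -r f; do
        is_elf "$f" || continue
        rel=${f#"$ext_root"/}          # <id>/<version>/<path inside extension>
        id=${rel%%/*}
        rest=${rel#*/}
        ver=${rest%%/*}
        printf '%s %s %s\n' "$id" "$ver" "${rest#*/}"
    done
}

# make_sample_profile: build a constructed profile (placeholder id and version,
# not real data) holding one fake ELF file and one text file; print its path.
make_sample_profile() {
    p="$(mktemp -d)"
    v="$p/Extensions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0"
    mkdir -p "$v/_platform_specific/x86-64"
    printf '\177ELF\002\001\001' > "$v/_platform_specific/x86-64/module.nexe"
    printf '{"name": "sample"}\n' > "$v/manifest.json"
    printf '%s\n' "$p"
}

# Scan the profile directory given as $1, or the constructed sample if none.
if [ -n "${1:-}" ]; then
    scan_profile "$1"
else
    sample="$(make_sample_profile)"
    scan_profile "$sample"
    rm -rf "$sample"
fi
```

Because it checks the file header rather than the name, it reports native code regardless of extension suffix, and it covers extensions that are not shown in the browser's extension list as long as they are unpacked under the profile.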