[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob

Yves-Alexis Perez corsac at debian.org
Wed May 27 10:56:29 UTC 2015


On Wed., 2015-05-27 at 12:52 +0200, Yves-Alexis Perez wrote:
> On Wed., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> > Package: chromium
> > Version: 43.0.2357.65-1
> > Severity: serious
> > Tags: security upstream
> > Justification: Policy 2.1.2
> > Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> > 
> > Dear Maintainer,
> > 
> > After upgrading chromium to 43, I noticed that when it is running and
> > immediately after the machine is on-line it silently starts downloading
> > "Chrome Hotword Shared Module" extension, which contains a binary without
> > source code. There seems to be no opt-out config.
> > 
> > $ chromium --temp-profile &
> > $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped
> 
> Even worse, that extension:
> 
> - doesn't appear in the extension list;
> - is apparently used to provide “ok google” voice activation stuff.
> 
> That's definitely not the stuff we'd like installed by default, without
> the user knowing (even if it's supposedly not installed).
> 
chrome://voicesearch returns:

About Voice Search

Chromium	43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)
OS	Linux
NaCl Enabled	No
Microphone	No
Audio Capture Allowed	Yes
Current Language	en-US
Hotword Previous Language	en-US
Hotword Search Enabled	No
Always-on Hotword Search Enabled	No
Hotword Audio Logging Enabled	No
Field trial	
Start Page State	No Start Page Service
Extension Id	nbpagnldghgfoolbancepceaanlmhfmd
Extension Version	0.0.1.4
Extension Path	/usr/lib/chromium/resources/hotword
Extension State	ENABLED
Shared Module Id	lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version	0.3.0.5
Shared Module Path	/tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State	ENABLED
Shared Module Platforms	x86-64_

The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” is definitely
bothering me.

Regards
-- 
Yves-Alexis
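
Added example, not part of the original message or of the Chromium/Debian code: a POSIX shell check that lists native ELF binaries shipped inside extensions of a Chromium profile, generalising the find/file session quoted above to any extension. The function names and the sample-profile helper are hypothetical; the sample tree it builds is constructed and contains only a 4-byte ELF stub.

```shell
#!/bin/sh
# Added example: report ELF executables under <profile>/Default/Extensions.
# Uses only POSIX find/od/sort, so it works where file(1) is not installed.
# Assumes paths without embedded newlines.

# is_elf FILE: succeed if FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# scan_profile DIR: print "<extension id> <version dir> <path>" for each ELF
# file found below DIR/Default/Extensions. Prints nothing if DIR has none.
scan_profile() {
    ext_root="$1/Default/Extensions"
    [ -d "$ext_root" ] || return 0
    find "$ext_root" -type f | sort | while IFS= read -r f; do
        is_elf "$f" || continue
        rel=${f#"$ext_root"/}      # <id>/<version>/...
        id=${rel%%/*}
        rest=${rel#*/}
        ver=${rest%%/*}
        printf '%s %s %s\n' "$id" "$ver" "$f"
    done
}

# make_sample_profile DIR: build a constructed profile tree for a dry run,
# laid out like the one in the report: one ELF stub and one plain data file.
make_sample_profile() {
    d="$1/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja"
    mkdir -p "$d"
    printf '\177ELF' > "$d/hotword-x86-64.nexe"
    printf 'not an executable\n' > "$d/hotword.data"
}

# When run with a profile directory as argument, scan it.
if [ "$#" -gt 0 ]; then
    scan_profile "$1"
fi
```

An empty result means no extension in that profile carries an ELF file; it says nothing about extensions bundled under the browser's own installation directory, which this check does not visit.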