[Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Yves-Alexis Perez
corsac at debian.org
Wed May 27 10:56:29 UTC 2015
On Wed., 2015-05-27 at 12:52 +0200, Yves-Alexis Perez wrote:
> On Wed., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> > Package: chromium
> > Version: 43.0.2357.65-1
> > Severity: serious
> > Tags: security upstream
> > Justification: Policy 2.1.2
> > Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> >
> > Dear Maintainer,
> >
> > After upgrading chromium to 43, I noticed that when it is running and
> > immediately after the machine is on-line it silently starts downloading
> > "Chrome Hotword Shared Module" extension, which contains a binary without
> > source code. There seems to be no opt-out config.
> >
> > $ chromium --temp-profile &
> > $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped
>
> Even worse, that extension:
>
> - doesn't appear in the extension list;
> - is apparently used to provide “ok google” voice activation stuff.
>
> That's definitely not the stuff we'd like installed by default, without
> the user knowing (even if it's supposedly not installed).
>
chrome://voicesearch returns:

About Voice Search
Chromium 43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)

OS                                Linux
NaCl Enabled                      No
Microphone                        No
Audio Capture Allowed             Yes
Current Language                  en-US
Hotword Previous Language         en-US
Hotword Search Enabled            No
Always-on Hotword Search Enabled  No
Hotword Audio Logging Enabled     No
Field trial
Start Page State                  No Start Page Service
Extension Id                      nbpagnldghgfoolbancepceaanlmhfmd
Extension Version                 0.0.1.4
Extension Path                    /usr/lib/chromium/resources/hotword
Extension State                   ENABLED
Shared Module Id                  lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version             0.3.0.5
Shared Module Path                /tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State               ENABLED
Shared Module Platforms           x86-64_

The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” is definitely
bothering me.
Regards
--
Yves-Alexis
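
An added example, not part of the original message: a Python check that walks a Chromium profile's Extensions directory and reports every file that starts with the ELF magic, automating the find/file inspection shown in the report. The function names and the sample profile contents are constructed for illustration; the directory layout and extension id are the ones quoted in the report.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of any ELF file, .nexe included

def find_native_binaries(profile_dir):
    """Return (extension_id, version, relative_path) for each ELF file in a profile."""
    ext_root = os.path.join(profile_dir, "Extensions")
    hits = []
    if not os.path.isdir(ext_root):
        return hits
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ver_dir = os.path.join(id_dir, version)
            # os.walk does not follow directory symlinks by default
            for dirpath, _dirs, files in os.walk(ver_dir):
                for name in sorted(files):
                    path = os.path.join(dirpath, name)
                    if os.path.islink(path):
                        continue  # do not read through symlinked files
                    try:
                        with open(path, "rb") as fh:
                            magic = fh.read(4)
                    except OSError:
                        continue  # unreadable file: skip, keep auditing
                    if magic == ELF_MAGIC:
                        hits.append((ext_id, version, os.path.relpath(path, ver_dir)))
    return sorted(hits)

def build_sample_profile(root):
    """Constructed sample: same layout as in the report, fake file contents."""
    ver = os.path.join(root, "Default", "Extensions", "lccekmodgklaepjeofjdjpbminllajkg", "0.3.0.5_0")
    plat = os.path.join(ver, "_platform_specific", "x86-64_ja")
    os.makedirs(plat)
    with open(os.path.join(plat, "hotword-x86-64.nexe"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # ELF ident only
    with open(os.path.join(plat, "hotword.data"), "wb") as fh:
        fh.write(b"constructed model data")
    with open(os.path.join(ver, "manifest.json"), "w") as fh:
        fh.write("{}")
    return os.path.join(root, "Default")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_native_binaries(build_sample_profile(tmp)):
            print(*hit)
```

To audit a real profile, pass its profile directory (the one containing Extensions) to find_native_binaries instead of the constructed sample.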