[Pkg-chromium-maint] Bug#882698: Chromium 62/63 media router cast segfaults browser, possible security implications

wei hong spreadinsect at asia.com
Sat Nov 25 20:11:26 UTC 2017

Package: chromium
Version: 62.0.3202.89-1~deb9u1
Severity: grave
Tags: security, buster

Although --media-router=0 is the default, Chromium now randomly crashes, but did not crash in release 61. Only setting media-router to "2" in the Chromium "Local State" file fixes the issue temporarily, but still with random crashes. Something is really broken in the media router or cast functionality after updating to chromium 62/63. Not sure why, but perhaps some maintainers or users have seen similar issues? This appears to have broken between the update from 61 to 62.

From /etc/chromium.d/default-flags:
# Disable the builtin media router (bug #833477)
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --media-router=0"

$ chromium
Received signal 11 SEGV_MAPERR 000000000010
#0 0x55aa4d3d6f56 <unknown>
#1 0x55aa4bfa3a58 <unknown>
#2 0x55aa4d3d72dc <unknown>
#3 0x7fa33249d0c0 <unknown>
#4 0x55aa4c8c85ba <unknown>
#5 0x55aa4c8c943d <unknown>
#6 0x55aa4c8c9a4d <unknown>
#7 0x55aa4c8c9bb5 <unknown>
#8 0x55aa4d43af19 <unknown>
#9 0x55aa4d3d8136 <unknown>
#10 0x55aa4d3f7318 <unknown>
#11 0x55aa4d3f7a1f <unknown>
#12 0x55aa4d3f86c6 <unknown>
#13 0x55aa4d3fa822 <unknown>
#14 0x55aa4d41fffb <unknown>
#15 0x55aa4d43fd58 <unknown>
#16 0x55aa4d43ae10 <unknown>
#17 0x7fa332493494 start_thread
#18 0x7fa326e2dabf clone
  r8: 0000000000000001  r9: 000055aa5017290c r10: 000055aa50172910 r11: 00007fa326eaee20
 r12: 0000000000000008 r13: 00007fa2e8b1cdf0 r14: 00007fa2e8b1d000 r15: 0000000000000000
  di: 0000000000000000  si: 00007fa2e8b1cdf0  bp: 00007fa2e8b1cf10  bx: 0000000000000008
  dx: 0000000000000004  ax: 0000222ad12c4300  cx: 0000000000000000  sp: 00007fa2e8b1cd90
  ip: 000055aa4c8c85ba efl: 0000000000010206 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000010
[end of stack trace]
Calling _exit(1). Core file will not be generated.

To get chromium to launch without crashing, use:
$ sed -i 's/load-media-router-component-extension@./load-media-router-component-extension@2/' ~/.config/chromium/Local\ State

This should disable the media router extension and allow you to run chromium again without it immediately crashing.
Either the media router should be fixed since this is a blocking bug, or media router should be removed. From past experience, the media router or casting functionality has been semi-broken or only half working for some time. It appears to work sometimes, but not others, or crashes during use. As it stands now, perhaps permanently removing the functionality is best until it is rigorously tested for quality and security issues. This issue may even be exploitable due to the segmentation fault parameters that might be controllable over the network to attack the media router component.
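The sed workaround in the report treats "Local State" as flat text and only rewrites one character after the "@". As an added example (not from the report or the Debian package), the following Python script applies the same workaround by parsing the file as JSON, replacing every existing choice for the flag with "@2" and keeping a backup copy. The pref name browser.enabled_labs_experiments and the "flag@N" entry format are assumptions about Chromium's file layout.

```python
import json
import shutil
from pathlib import Path

# Assumed location of Chromium's "Local State" and of the pref that stores
# chrome://flags choices as "flag-name@N" strings (both are assumptions).
LOCAL_STATE = Path.home() / ".config" / "chromium" / "Local State"
LABS_PREF = ("browser", "enabled_labs_experiments")
FLAG = "load-media-router-component-extension"


def set_flag_choice(state: dict, flag: str, choice: int) -> dict:
    """Return a copy of the parsed Local State with flag forced to flag@choice.

    Every existing "flag@<anything>" entry is dropped and exactly one
    "flag@choice" entry is appended, so "flag@10" cannot become "flag@20"
    the way the single-character sed pattern would make it. If the flag is
    absent it is added; other entries are left untouched.
    """
    new_state = json.loads(json.dumps(state))  # deep copy, JSON types only
    section = new_state.setdefault(LABS_PREF[0], {})
    experiments = section.setdefault(LABS_PREF[1], [])
    if not isinstance(experiments, list):
        raise ValueError("%s.%s is not a list" % LABS_PREF)
    kept = [e for e in experiments if e.split("@", 1)[0] != flag]
    kept.append("%s@%d" % (flag, choice))
    section[LABS_PREF[1]] = kept
    return new_state


def apply_workaround(path: Path = LOCAL_STATE, choice: int = 2) -> list:
    """Rewrite Local State on disk (saving a .bak first); return the new list."""
    state = json.loads(path.read_text(encoding="utf-8"))
    new_state = set_flag_choice(state, FLAG, choice)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(json.dumps(new_state, separators=(",", ":")), encoding="utf-8")
    return new_state[LABS_PREF[0]][LABS_PREF[1]]


if __name__ == "__main__":
    # Run with Chromium closed, otherwise it overwrites Local State on exit.
    print(apply_workaround())
```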
