Your message dated Fri, 24 Jul 2015 16:47:32 +0000
with message-id <[email protected]>
and subject line Bug#786909: fixed in chromium-browser 44.0.2403.89-1~deb8u1
has caused the Debian Bug report #786909,
regarding chromium: unconditionally downloads binary blob
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
786909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chromium
Version: 43.0.2357.65-1
Severity: serious
Tags: security upstream
Justification: Policy 2.1.2
Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435

Dear Maintainer,

After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts downloading
the "Chrome Hotword Shared Module" extension, which contains a binary without
source code. There seems to be no opt-out config.

$ chromium --temp-profile &
$ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
$ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chromium depends on:
ii  libasound2           1.0.28-1
ii  libatk1.0-0          2.16.0-2
ii  libc6                2.19-18
ii  libcairo2            1.14.2-2
ii  libcups2             1.7.5-11
ii  libdbus-1-3          1.8.18-1
ii  libexpat1            2.1.0-6+b3
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-4
ii  libgdk-pixbuf2.0-0   2.31.4-1
ii  libglib2.0-0         2.44.1-1
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk2.0-0          2.24.25-3
ii  libharfbuzz0b        0.9.40-3
ii  libjpeg62-turbo      1:1.4.0-7
ii  libnspr4             2:4.10.8-1
ii  libnss3              2:3.19-1
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpci3              1:3.2.1-3
ii  libspeechd2          0.8-7
ii  libspeex1            1.2~rc1.2-1
ii  libsrtp0             1.4.5~20130609~dfsg-1.1
ii  libstdc++6           5.1.1-7
ii  libx11-6             2:1.6.3-1
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxml2              2.9.1+dfsg1-4
ii  libxrandr2           2:1.4.2-1+b1
ii  libxrender1          1:0.9.8-1+b1
ii  libxslt1.1           1.1.28-2+b2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+3
ii  xdg-utils            1.1.0~rc1+git20111210-7.4

chromium recommends no packages.

Versions of packages chromium suggests:
ii  chromium-l10n  43.0.2357.65-1

-- no debconf information

--- End Message ---
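
The find/file check from the report above, generalized to every extension in a profile. This is an added example, not part of the original report or of the chromium package. The function names are hypothetical, the directory layout is assumed from the paths in the report, and the sample profile is constructed.

```shell
#!/bin/sh
# Audit a Chromium profile for native ELF binaries inside extension directories.
# Assumed layout (taken from the paths in the report):
#   <profile>/Extensions/<extension-id>/<version>/...

# is_elf FILE: succeed if FILE begins with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# scan_profile PROFILE_DIR: print one line per ELF file found:
#   extension-id <TAB> version <TAB> path inside the extension
scan_profile() {
    ext_root="$1/Extensions"
    [ -d "$ext_root" ] || return 0          # no extensions directory: nothing to report
    find "$ext_root" -type f | sort | while IFS= read -r f; do
        is_elf "$f" || continue
        rel=${f#"$ext_root"/}               # <id>/<version>/<path>
        id=${rel%%/*}
        rest=${rel#*/}                      # <version>/<path>
        ver=${rest%%/*}
        printf '%s\t%s\t%s\n' "$id" "$ver" "${rest#*/}"
    done
}

# make_sample_profile DIR: constructed sample data mirroring the report's paths.
# The .nexe file holds only an ELF header prefix; the other files are plain text.
make_sample_profile() {
    d="$1/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0"
    mkdir -p "$d/_platform_specific/x86-64_ja"
    printf '\177ELF\002\001\001' > "$d/_platform_specific/x86-64_ja/hotword-x86-64.nexe"
    printf 'constructed placeholder' > "$d/_platform_specific/x86-64_ja/hotword.data"
    printf '{"name": "constructed sample"}' > "$d/manifest.json"
}

# Demo on the constructed profile; point scan_profile at a real profile directory instead.
demo_dir=$(mktemp -d)
make_sample_profile "$demo_dir"
scan_profile "$demo_dir/Default"
rm -rf "$demo_dir"
```

Checking the magic bytes rather than the file extension means a renamed binary is still reported.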
--- Begin Message ---
Source: chromium-browser
Source-Version: 44.0.2403.89-1~deb8u1

We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <[email protected]> (supplier of updated chromium-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Jul 2015 02:58:38 +0000
Source: chromium-browser
Binary: chromium chromium-dbg chromium-l10n chromium-inspector chromedriver
Architecture: source amd64 all
Version: 44.0.2403.89-1~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Chromium Maintainers <[email protected]>
Changed-By: Michael Gilbert <[email protected]>
Description:
 chromedriver - web browser - WebDriver support
 chromium   - web browser
 chromium-dbg - web browser - debugging symbols
 chromium-inspector - web browser - page inspection support
 chromium-l10n - web browser - language packs
Closes: 786909
Changes:
 chromium-browser (44.0.2403.89-1~deb8u1) jessie-security; urgency=high
 .
   * New upstream security release:
     - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
     - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
     - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
     - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to
       Mike Ruddy.
     - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen.
     - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
     - CVE-2015-1272: Use-after-free related to unexpected GPU process
       termination. Credit to Chamal de Silva.
     - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
     - CVE-2015-1274: Settings allowed executable files to run immediately after
       download. Credit to andrewm.bpi.
     - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte).
     - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
     - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
     - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
     - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
     - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
     - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
     - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
     - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa
       Sidhpurwala.
     - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen.
     - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
     - CVE-2015-1286: UXSS in blink. Credit to anonymous.
     - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
     - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to
       Mike Ruddy.
     - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
       initiatives.
     - Hotword extension disabled by default (closes: #786909).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---