Package: chromium
Version: 26.0.1410.43-1
Severity: normal

Dear Maintainer,

Chromium creates POSIX shared memory segments with permissions that allow any user on the system to read them. I don't know whether there's anything sensitive in those segments; sadly I don't know how to find out (I don't have the time to investigate the source code at this time).

Here are some examples, from different users running Chromium on my system:

$ l /dev/shm/org.chromium.Chromium.shmem.*
-rw-r--r-- 1 chrismail chrismail 260 2013-05-13 01:25 /dev/shm/org.chromium.Chromium.shmem.8F157083E4C5D118692ECEA3F8925C501A0C9558._service_shmem
-rw-r--r-- 1 chrisgithub chrisgithub 260 2013-05-20 04:03 /dev/shm/org.chromium.Chromium.shmem.88EB5F605BFD05F29C82F039DADD47B63D8BCA38._service_shmem
-rw-rw-r-- 1 chrissbx chrissbx 260 2013-05-21 03:55 /dev/shm/org.chromium.Chromium.shmem.A6EE7475E44E356681B9DAB490DFAC5558C57F47._service_shmem

(It might be creating the segments using something like shm_open (somename, someflags, 0666) which is modified by the umask in use, which might lead to the differences in group permissions shown; although chrissbx usually has umask 0022, which kinda contradicts this idea; not sure how comes.)

-- System Information:
Debian Release: 7.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages chromium depends on:
ii  chromium-inspector  26.0.1410.43-1
ii  gconf-service       3.2.5-1+build1
ii  libasound2          1.0.25-4
ii  libatk1.0-0         2.4.0-2
ii  libbz2-1.0          1.0.6-4
ii  libc6               2.13-38
ii  libcairo2           1.12.2-3
ii  libcups2            1.5.3-5
ii  libdbus-1-3         1.6.8-1
ii  libevent-2.0-5      2.0.19-stable-3
ii  libexpat1           2.1.0-1
ii  libflac8            1.2.1-6
ii  libfontconfig1      2.9.0-7.1
ii  libfreetype6        2.4.9-1.1
ii  libgcc1             1:4.7.2-5
ii  libgconf-2-4        3.2.5-1+build1
ii  libgcrypt11         1.5.0-5
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libglib2.0-0        2.33.12+really2.32.4-5
ii  libgnome-keyring0   3.4.1-1
ii  libgtk2.0-0         2.24.10-2
ii  libjpeg8            8d-1
ii  libnspr4            2:4.9.2-1
ii  libnss3             2:3.14.3-1
ii  libnss3-1d          2:3.14.3-1
ii  libpango1.0-0       1.30.0-1
ii  libpulse0           2.0-6.1
ii  libspeechd2         0.7.1-6.2
ii  libspeex1           1.2~rc1-7
ii  libstdc++6          4.7.2-5
ii  libudev0            175-7.2
ii  libx11-6            2:1.5.0-1
ii  libxcomposite1      1:0.4.3-2
ii  libxdamage1         1:1.1.3-2
ii  libxext6            2:1.3.1-2
ii  libxfixes3          1:5.0-4
ii  libxml2             2.8.0+dfsg1-7+nmu1
ii  libxrandr2          2:1.3.2-2
ii  libxrender1         1:0.9.7-1
ii  libxslt1.1          1.1.26-14.1
ii  libxss1             1:1.2.2-1
ii  xdg-utils           1.1.0~rc1+git20111210-6

chromium recommends no packages.

Versions of packages chromium suggests:
pn  chromium-l10n  <none>

-- no debconf information
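
Added example, not part of the original report and not Chromium's code: it shows what the reporter's hypothesis predicts (a 0666 request filtered by the umask), an owner-only creation pinned with fchmod(), and an audit that flags segments readable by group or other. Assumptions: a temporary directory stands in for /dev/shm, os.open() stands in for shm_open() (which on Linux opens a file under /dev/shm), and all function names are hypothetical.

```python
import os
import stat
import tempfile

PREFIX = "org.chromium.Chromium.shmem."  # name prefix seen in the report's listing
FLAGS = os.O_CREAT | os.O_EXCL | os.O_RDWR


def create_with_umask(directory, name, requested_mode, mask):
    """Create a file under `mask` and return the permission bits it ends up with."""
    old = os.umask(mask)
    try:
        fd = os.open(os.path.join(directory, name), FLAGS, requested_mode)
    finally:
        os.umask(old)  # always restore the caller's umask
    try:
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def create_private(directory, name):
    """Owner-only variant: request 0600, then fchmod() so no umask can alter it."""
    fd = os.open(os.path.join(directory, name), FLAGS, 0o600)
    try:
        os.fchmod(fd, 0o600)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def audit(directory, prefix=PREFIX):
    """Return sorted (name, octal mode, uid) for segments readable by group/other."""
    findings = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not entry.name.startswith(prefix) or not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((entry.name, oct(mode), st.st_uid))
    return sorted(findings)


def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for /dev/shm
        modes = {"umask 022": create_with_umask(d, PREFIX + "A", 0o666, 0o022),
                 "umask 002": create_with_umask(d, PREFIX + "B", 0o666, 0o002),
                 "private": create_private(d, PREFIX + "C")}
        return modes, [name for name, _, _ in audit(d)]


if __name__ == "__main__":
    print(demo())
```

Calling audit("/dev/shm") on a real system lists the matching segments that other local users can read.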