On mer., 2015-05-27 at 12:52 +0200, Yves-Alexis Perez wrote:
> On mer., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> > Package: chromium
> > Version: 43.0.2357.65-1
> > Severity: serious
> > Tags: security upstream
> > Justification: Policy 2.1.2
> > Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> >
> > Dear Maintainer,
> >
> > After upgrading chromium to 43, I noticed that when it is running and
> > immediately after the machine is on-line it silently starts downloading
> > "Chrome Hotword Shared Module" extension, which contains a binary without
> > source code. There seems no opt-out config.
> >
> > $ chromium --temp-profile &
> > $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe:
> > ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,
> > BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped
>
> Even worse, that extension:
>
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> That's definitely not the stuff we'd like installed by default, without
> the user knowing (even if it's supposedly not installed).
>

chrome://voicesearch returns:

About Voice Search
Chromium 43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)
OS Linux
NaCl Enabled No
Microphone No
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Field trial
Start Page State No Start Page Service
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension Path /usr/lib/chromium/resources/hotword
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module Path /tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State ENABLED
Shared Module Platforms x86-64_

The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.

Regards
-- 
Yves-Alexis
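
A defender-side check built on the find/file steps quoted in the report, added here as an example and not part of the original thread: it lists every ELF binary inside a Chromium profile's Extensions tree together with its extension ID and version. The <profile>/Extensions/<id>/<version>/ layout is taken from the paths in the report; the function name list_extension_elf is hypothetical, and head -c and find -mindepth are assumed to be available (GNU or BSD userland).

```shell
#!/bin/sh
# Added example (not from the original thread).
# Prints "id<TAB>version<TAB>path" for every regular file under
# <profile>/Extensions/<id>/<version>/ whose first four bytes are the
# ELF magic number (7f 45 4c 46), regardless of file name or suffix.
list_extension_elf() {
    ext_root="$1/Extensions"
    # A profile without an Extensions directory simply yields no output.
    [ -d "$ext_root" ] || return 0
    # -mindepth 3 skips anything that is not below an <id>/<version>/ pair.
    find "$ext_root" -mindepth 3 -type f -exec sh -c '
        root=$1; shift
        for f in "$@"; do
            # Compare magic bytes instead of trusting names such as *.nexe.
            magic=$(head -c 4 "$f" | od -An -tx1 | tr -d " \n")
            [ "$magic" = "7f454c46" ] || continue
            rel=${f#"$root"/}   # <id>/<version>/...
            id=${rel%%/*}
            rel=${rel#*/}       # <version>/...
            printf "%s\t%s\t%s\n" "$id" "${rel%%/*}" "$f"
        done
    ' sh "$ext_root" {} +
}

# Scan each profile directory given on the command line,
# for example ~/.config/chromium/Default.
for profile in "$@"; do
    list_extension_elf "$profile"
done
```

Any line of output for an extension ID that is not visible in the extension list is worth comparing against the Shared Module Id shown on chrome://voicesearch.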