Bug#1032020: [pkg-apparmor] Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-03-01 Thread Guillaume B.
Hi,

Thanks for clearing it up.

I might just take time and find that faulty profile if it ever existed.

Thanks for clearing everything up.

Cheers

On Wed, Mar 1, 2023, 09:48 intrigeri wrote:

> Control: tag -1 + unreproducible
> Control: severity -1 minor
>
> Hi,
>
> Guillaume B. (2023-02-28):
> > Installing fresh sid profiles with both previously stated packages (version
> > 3.0.8-3 and 1.35 respectively), I have not seen that specific mistake made.
> >
> > It may have come from a loose AppArmor profile but, just to be sure, no
> > such open "/** r," found in latest sid-provided
> > apparmor-profiles/apparmor-profiles-extra Chromium AppArmor profile.
>
> I've looked at the Git history of the relevant apparmor* packages and
> found no trace of them having ever distributed a Chromium profile
> with a "/** r," rule.
>
> > dpkg-query: no path found matching pattern /etc/apparmor.d/usr.bin.chromium
>
> This shows that no Debian package is currently maintaining that file.
>
> Frankly, I have no idea how this rule landed on your filesystem, but
> I really don't see how this problem could have been directly caused by
> a Debian package or upgrade.
>
> Cheers,
> --
> intrigeri
>
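
Added example (not part of this thread, and not code from Debian or the AppArmor project): a small Python check for the rule under discussion. In AppArmor path globs, "/** r," grants read on every file and directory under /, while "/**/ r," ends in a slash and therefore matches directories only. The sample profile is constructed, and the names root_wide_read_rules, RULE and ROOT_WIDE are assumptions made for illustration.

```python
import re

# Constructed sample profile (the reporter's actual file was not preserved).
SAMPLE_PROFILE = """\
# constructed example profile
/usr/bin/chromium {
  #include <abstractions/base>
  /**/ r,                          # directories only: listing, no file contents
  /** r,                           # every file and directory under /
  owner @{HOME}/Downloads/** rw,
  deny /etc/shadow r,
  /usr/lib/chromium/** mr,
  audit /{,**} rk,
}
"""

# File rule: optional qualifiers, a path, a permission string, a comma.
RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|allow|deny|owner)\s+)*)"
    r"(?P<path>[/@]\S*)\s+(?P<perms>[rwaxmlkiIpPcCuU]+)\s*,"
)

# Globs that cover the whole filesystem, regular files included.
# "/**/" is deliberately absent: the trailing slash limits it to directories.
ROOT_WIDE = {"/**", "/{,**}"}


def root_wide_read_rules(profile_text):
    """Return (line number, path, perms) for allow rules reading all of /."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue  # comments, includes, profile header, closing brace
        if "deny" in m.group("quals").split():
            continue  # a deny rule removes access rather than granting it
        if m.group("path") in ROOT_WIDE and "r" in m.group("perms"):
            findings.append((lineno, m.group("path"), m.group("perms")))
    return findings


if __name__ == "__main__":
    for lineno, path, perms in root_wide_read_rules(SAMPLE_PROFILE):
        print(f"line {lineno}: '{path} {perms},' allows read on the whole filesystem")
```

Any file it flags can then be traced to its owning package with the dpkg -S command quoted in the thread; a "no path found" answer means no package maintains that file.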


Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-27 Thread Guillaume B.
Start quote -> "
You mean Debian maintenance team, right? If you pulled in an Ubuntu
apparmor package, that's a different story (and we should close this
bug). If you're using Debian's apparmor-profiles package, then the bug
and fix should go there. Although, if you're pulling in an Ubuntu
package to get some kind of apparmor protection that Debian doesn't
have, you also might want to open a wishlist bug on the Debian package
asking for the feature so you don't have to mix-and-match packages
across different distributions."

   ///

I am, honestly, as confused as you. I've had profiles from the
apparmor-profiles and apparmor-profiles-extra packages for a long time.

This time around, though, I did not have either package installed all the
while having active apparmor.d profiles.

Installing fresh sid profiles with both previously stated packages (version
3.0.8-3 and 1.35 respectively), I have not seen that specific mistake made.

It may have come from a loose AppArmor profile but, just to be sure, no
such open "/** r," found in latest sid-provided
apparmor-profiles/apparmor-profiles-extra Chromium AppArmor profile.

Cheers

On Mon, Feb 27, 2023, 20:45 Andres Salomon wrote:

> Control: reassign -1 apparmor-profiles
>
>
>
> On Mon, Feb 27 2023 at 08:15:37 PM +0100, Guillaume B. wrote:
> > Hi,
> >
> > It seems that the previous emails in our exchange got nuked out of my
> > account so apologies for not being able to reply using the usual
> > channels.
> >
> > The command 'find /etc/apparmor* -name "*hromium*" | xargs dpkg -S'
> > returns the following -> "dpkg-query: no path found matching pattern
> > /etc/apparmor.d/usr.bin.chromium
> > lightdm: /etc/apparmor.d/abstractions/lightdm_chromium-browser"
> >
> >   ///
> >
> > I'm using AppArmor profiles found in the "apparmor-profiles" package.
> > Having recently updated from stable, I was able to keep the profiles
> > without the package being installed; i.e., the update couldn't have
> > come from an apparmor-profile package update.
>
>
> Ah, okay, that makes more sense. Reassigning to the apparmor-profiles
> package, then.
>
>
> >
> > Dealing with the issue, I have not made a backup of the updated
> > Chromium AppArmor profile but simply did some file comparison and
> > reverted to a previous profile, nuking the updated profile in the
> > copying process.
> >
> > The "updated" AppArmor profile was dated either January or February
> > of this year and had been modified by an Ubuntu email.
> >
> > TLDR; There was an update to the Chromium AppArmor profile, not sure
> > how, but it happened.
> >
> > I might just take it up with the Ubuntu Chromium AppArmor profile
> > maintenance team, in which case, sorry to have wasted your time.
> >
> > Regards
>
>
>
> You mean Debian maintenance team, right? If you pulled in an Ubuntu
> apparmor package, that's a different story (and we should close this
> bug). If you're using Debian's apparmor-profiles package, then the bug
> and fix should go there. Although, if you're pulling in an Ubuntu
> package to get some kind of apparmor protection that Debian doesn't
> have, you also might want to open a wishlist bug on the Debian package
> asking for the feature so you don't have to mix-and-match packages
> across different distributions.
>
>
>
>


Bug#1032020: chromium: Missing character after Chromium AppArmor profile update opens up unrestricted system browsing.

2023-02-27 Thread Guillaume B.
Hi Andres,

Will take care of it tonight.

Regards

On Sun, Feb 26, 2023, 22:58 Andres Salomon wrote:

> Hi,
>
> I'm a bit confused by this bug report, as chromium doesn't include any
> apparmor profiles.
>
> Please run the following commands to hopefully figure out what package
> is actually providing the profile:
>
> find /etc/apparmor* -name "*hromium*" | xargs dpkg -S
>
> Thanks,
> Andres
>
> On Sun, Feb 26 2023 at 05:48:38 PM +0100, Will B. wrote:
> > Package: chromium
> > Version: 110.0.5481.177-1
> > Severity: important
> > Tags: upstream
> > X-Debbugs-Cc: ksu...@gmail.com
> >
> > Dear Maintainer,
> >
> > Before I begin, the Chromium AppArmor profile in Sid was updated after
> > apt-get update && apt-get upgrade.
> > Please redirect to relevant authority if Chromium reportbug is not the
> > right source.
> >
> >   ///
> >
> > * What led up to the situation? -> Chromium AppArmor profile update after
> > apt-get update && apt-get upgrade.
> > * What exactly did you do (or not do) that was effective (or ineffective)?
> > -> fixed the issue by adding a missing "/" to the profile.
> > * What was the outcome of this action? -> The Chromium AppArmor profile
> > restricted access as it should have done.
> > * What outcome did you expect instead? -> None, fix fixed it.
> >
> >   ///
> >
> > Hi,
> >
> > After a Chromium Sid update in which the AppArmor profile was updated (last
> > date -> 02/07/2023),
> > a missing "/" opened up browsing to the whole system i.e. -> "/** r," instead
> > of "/**/ r,".
> > Switching to the "enclosed" stars symbol fixes the issue.
> >
> > Regards
> >
> >
> > -- System Information:
> > Debian Release: bookworm/sid
> >   APT prefers testing
> >   APT policy: (990, 'testing'), (50, 'unstable')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> >
> > Kernel: Linux 6.1.0-3-amd64 (SMP w/12 CPU threads; PREEMPT)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> > LANGUAGE=en_US:en
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages chromium depends on:
> > ii  chromium-common        110.0.5481.177-1
> > ii  libasound2             1.2.8-1+b1
> > ii  libatk-bridge2.0-0     2.46.0-5
> > ii  libatk1.0-0            2.46.0-5
> > ii  libatomic1             12.2.0-14
> > ii  libatspi2.0-0          2.46.0-5
> > ii  libbrotli1             1.0.9-2+b6
> > ii  libc6                  2.36-8
> > ii  libcairo2              1.16.0-7
> > ii  libcups2               2.4.2-1+b2
> > ii  libdbus-1-3            1.14.6-1
> > ii  libdouble-conversion3  3.2.1-1
> > ii  libdrm2                2.4.114-1
> > ii  libevent-2.1-7         2.1.12-stable-5+b1
> > ii  libexpat1              2.5.0-1
> > ii  libflac12              1.4.2+ds-2
> > ii  libfontconfig1         2.14.1-4
> > ii  libfreetype6           2.12.1+dfsg-4
> > ii  libgbm1                22.3.3-1
> > ii  libgcc-s1              12.2.0-14
> > ii  libglib2.0-0           2.74.5-1
> > ii  libgtk-3-0             3.24.36-4
> > ii  libjpeg62-turbo        1:2.1.5-2
> > ii  libjsoncpp25           1.9.5-4
> > ii  liblcms2-2             2.14-1+b1
> > ii  libminizip1            1.1-8+b1
> > ii  libnspr4               2:4.35-1
> > ii  libnss3                2:3.87.1-1
> > ii  libopenjp2-7           2.5.0-1+b1
> > ii  libopus0               1.3.1-3
> > ii  libpango-1.0-0         1.50.12+ds-1
> > ii  libpng16-16            1.6.39-2
> > ii  libpulse0              16.1+dfsg1-2+b1
> > ii  libre2-9               20220601+dfsg-1+b1
> > ii  libsnappy1v5           1.1.9-2
> > ii  libstdc++6             12.2.0-14
> > ii  libwebp7               1.2.4-0.1
> > ii  libwebpdemux2          1.2.4-0.1
> > ii  libwebpmux3            1.2.4-0.1
> > ii  libwoff1               1.0.2-2
> > ii  libx11-6               2:1.8.3-3
> > ii  libxcb1

Bug#817252: Objet

2016-03-09 Thread guillaume . b


Package: firefox

firefox has crashed when I was going to youtube...

root@pc:/home/sylvia# which firefox
/usr/bin/firefox

root@pc:/home/sylvia# type firefox
firefox est /usr/bin/firefox

root@pc:/home/sylvia# dpkg --search /usr/bin/firefox
détournement par iceweasel depuis : /usr/bin/firefox
détournement par iceweasel en : /usr/bin/firefox.real
iceweasel: /usr/bin/firefox

root@pc:/home/sylvia# dpkg --list firefox
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
|
État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé/W=attend-traitement-déclenchements
|/ Err?=(aucune)/besoin Réinstallation (État,Err:
majuscule=mauvais)
||/ Nom    Version  Architecture
Description
+++-==---=
un  firefox      (aucune description
n'est disponi

root@pc:/home/sylvia# dpkg --status firefox
dpkg-query: le paquet « firefox » n'est pas installé et aucune
information n'est disponible
Utilisez dpkg --info (= dpkg-deb --info) pour examiner les fichiers
archives, et dpkg --contents (= dpkg-deb --contents) pour afficher
leur
contenu.

Here is the message I got from the terminal (lxterminal) when I was
using iceweasel that has been launched from the terminal:

sylvia@pc:~$ firefox

(process:1718): GLib-CRITICAL **: g_slice_set_config: assertion
'sys_page_size == 0' failed
console.error:
  [CustomizableUI]
  Custom widget with id loop-button does not return a valid node
console.error:
  [CustomizableUI]
  Custom widget with id loop-button does not return a valid node
Vector smash protection is enabled.
Failed to open VDPAU backend libvdpau_nvidia.so: Ne peut ouvrir le
fichier d'objet partagé: Aucun fichier ou dossier de ce type
libva info: VA-API version 0.36.0
libva info: va_getDriverName() returns -1
libva error: va_getDriverName() failed with unknown libva
error,driver_name=(null)
libva info: VA-API version 0.36.0
libva info: va_getDriverName() returns -1
libva error: va_getDriverName() failed with unknown libva
error,driver_name=(null)
[NPAPI 1788] ###!!! ABORT: Aborting on channel error.: file
/tmp/buildd/iceweasel-38.6.1esr/ipc/glue/MessageChannel.cpp, line
1584
[NPAPI 1788] ###!!! ABORT: Aborting on channel error.: file
/tmp/buildd/iceweasel-38.6.1esr/ipc/glue/MessageChannel.cpp, line
1584
Erreur de segmentation

sylvia@pc:~$