Debian Bug report logs - #786909

chromium: unconditionally downloads binary blob

Reported by: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>
Date: Tue, 26 May 2015 16:24:19 UTC
Severity: serious
Tags: confirmed, fixed-upstream, help, security, upstream
Found in versions chromium-browser/43.0.2357.65-1, chromium-browser/43.0.2357.65-1~deb8u1
Fixed in versions chromium-browser/43.0.2357.81-1, chromium-browser/44.0.2403.89-1~deb8u1
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://code.google.com/p/chromium/issues/detail?id=491435


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Tue, 26 May 2015 16:24:24 GMT) (full text, mbox, link).

Acknowledgement sent to YOSHINO Yoshihito <yy.y.ja.jp@gmail.com> :

New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Tue, 26 May 2015 16:24:24 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 01:23:38 +0900

Package: chromium
Version: 43.0.2357.65-1
Severity: serious
Tags: security upstream
Justification: Policy 2.1.2
Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435

Dear Maintainer,

After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts downloading
"Chrome Hotword Shared Module" extension, which contains a binary without
source code. There seems no opt-out config.

$ chromium --temp-profile &
$ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
$ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
/tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chromium depends on:
ii  libasound2           1.0.28-1
ii  libatk1.0-0          2.16.0-2
ii  libc6                2.19-18
ii  libcairo2            1.14.2-2
ii  libcups2             1.7.5-11
ii  libdbus-1-3          1.8.18-1
ii  libexpat1            2.1.0-6+b3
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-4
ii  libgdk-pixbuf2.0-0   2.31.4-1
ii  libglib2.0-0         2.44.1-1
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk2.0-0          2.24.25-3
ii  libharfbuzz0b        0.9.40-3
ii  libjpeg62-turbo      1:1.4.0-7
ii  libnspr4             2:4.10.8-1
ii  libnss3              2:3.19-1
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpci3              1:3.2.1-3
ii  libspeechd2          0.8-7
ii  libspeex1            1.2~rc1.2-1
ii  libsrtp0             1.4.5~20130609~dfsg-1.1
ii  libstdc++6           5.1.1-7
ii  libx11-6             2:1.6.3-1
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxml2              2.9.1+dfsg1-4
ii  libxrandr2           2:1.4.2-1+b1
ii  libxrender1          1:0.9.8-1+b1
ii  libxslt1.1           1.1.28-2+b2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+3
ii  xdg-utils            1.1.0~rc1+git20111210-7.4

chromium recommends no packages.

Versions of packages chromium suggests:
ii  chromium-l10n  43.0.2357.65-1

-- no debconf information

Set Bug forwarded-to-address to 'https://code.google.com/p/chromium/issues/detail?id=491435'. Request was from YOSHINO Yoshihito <yy.y.ja.jp@gmail.com> to submit@bugs.debian.org . (Tue, 26 May 2015 16:24:24 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Wed, 27 May 2015 10:54:09 GMT) (full text, mbox, link).

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Wed, 27 May 2015 10:54:09 GMT) (full text, mbox, link).

Message #12 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>, 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 12:52:34 +0200

On mer., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> Package: chromium
> Version: 43.0.2357.65-1
> Severity: serious
> Tags: security upstream
> Justification: Policy 2.1.2
> Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
>
> Dear Maintainer,
>
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts downloading
> "Chrome Hotword Shared Module" extension, which contains a binary without
> source code. There seems no opt-out config.
>
> $ chromium --temp-profile &
> $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped

Even worse, that extension:

- doesn't appear in the extension list;
- is apparently used to provide an “ok google” voice activation stuff.

That's definitely not the stuff we'd like installed by default, without
the user knowing (even if it's supposedly not installed).

Regards,
--
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Wed, 27 May 2015 11:00:05 GMT) (full text, mbox, link).

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Wed, 27 May 2015 11:00:05 GMT) (full text, mbox, link).

Message #17 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>
Cc: 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 12:56:29 +0200

On mer., 2015-05-27 at 12:52 +0200, Yves-Alexis Perez wrote:
> On mer., 2015-05-27 at 01:23 +0900, YOSHINO Yoshihito wrote:
> > Package: chromium
> > Version: 43.0.2357.65-1
> > Severity: serious
> > Tags: security upstream
> > Justification: Policy 2.1.2
> > Control: forwarded -1 https://code.google.com/p/chromium/issues/detail?id=491435
> >
> > Dear Maintainer,
> >
> > After upgrading chromium to 43, I noticed that when it is running and
> > immediately after the machine is on-line it silently starts downloading
> > "Chrome Hotword Shared Module" extension, which contains a binary without
> > source code. There seems no opt-out config.
> >
> > $ chromium --temp-profile &
> > $ find /tmp/tmp.*/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword.data
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > $ file /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe
> > /tmp/tmp.YClr3VfmnS/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_ja/hotword-x86-64.nexe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=24d25d55886dca48921031d6928b0a34f5659830, stripped
>
> Even worse, that extension:
>
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> That's definitely not the stuff we'd like installed by default, without
> the user knowing (even if it's supposedly not installed).
>

chrome://voicesearch returns:

About Voice Search
Chromium 43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)
OS Linux
NaCl Enabled No
Microphone No
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Field trial
Start Page State No Start Page Service
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension Path /usr/lib/chromium/resources/hotword
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module Path /tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State ENABLED
Shared Module Platforms x86-64_

The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.

Regards
--
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Wed, 27 May 2015 11:27:05 GMT) (full text, mbox, link).

Acknowledgement sent to Vincent Bernat <bernat@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Wed, 27 May 2015 11:27:05 GMT) (full text, mbox, link).

Message #22 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>, 786909@bugs.debian.org
Subject: Re: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 13:23:15 +0200

❦ 27 mai 2015 12:56 +0200, Yves-Alexis Perez <corsac@debian.org> :

> Chromium 43.0.2357.65 (Built on Debian stretch/sid, running on Debian stretch/sid)
> OS Linux
> NaCl Enabled No
> Microphone No
> Audio Capture Allowed Yes
> Current Language en-US
> Hotword Previous Language en-US
> Hotword Search Enabled No
> Always-on Hotword Search Enabled No
> Hotword Audio Logging Enabled No
> Field trial
> Start Page State No Start Page Service
> Extension Id nbpagnldghgfoolbancepceaanlmhfmd
> Extension Version 0.0.1.4
> Extension Path /usr/lib/chromium/resources/hotword
> Extension State ENABLED
> Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
> Shared Module Version 0.3.0.5
> Shared Module Path /tmp/tmp.Qz1UgqPUid/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
> Shared Module State ENABLED
> Shared Module Platforms x86-64_
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me.

Same here. I did delete the extension path but somehow Chromium seems to
think it's still here (I have the same output as you except "Shared
Module Platforms"). You can check if it is running using the task
manager: from various bug reports, it is not hidden here. You can also
disable it in chrome://settings in the "Search" section: "Enable Ok
Google to start a voice search". Various bug reports exist to say that
it may not prevent the extension from running.

If it is not possible to disable it by default and make it appear in
chrome://extensions, it would be better to not ship at all this
extension (only the shared module seems to be downloaded, the remaining
of the code seems to be still here).

--
Use self-identifying input. Allow defaults. Echo both on output.
    - The Elements of Programming Style (Kernighan & Plauger)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Wed, 27 May 2015 11:27:08 GMT) (full text, mbox, link).

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Wed, 27 May 2015 11:27:08 GMT) (full text, mbox, link).

Message #27 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Vincent Bernat <bernat@debian.org>
Cc: YOSHINO Yoshihito <yy.y.ja.jp@gmail.com>, 786909@bugs.debian.org
Subject: Re: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 27 May 2015 13:25:32 +0200

On mer., 2015-05-27 at 13:23 +0200, Vincent Bernat wrote:
> Same here. I did delete the extension path but somehow Chromium seems to
> think it's still here (I have the same output as you except "Shared
> Module Platforms"). You can check if it is running using the task
> manager: from various bug reports, it is not hidden here. You can also
> disable it in chrome://settings in the "Search" section: "Enable Ok
> Google to start a voice search". Various bug reports exist to say that
> it may not prevent the extension from running.
>
> If it is not possible to disable it by default and make it appear in
> chrome://extensions, it would be better to not ship at all this
> extension (only the shared module seems to be downloaded, the remaining
> of the code seems to be still here).

Note that the binary blob is executed through native client, which is
not enabled by default, so I /think/ you need explicit action from the
user (although if you enable NaCl for something else, then you might
enable stuff you actually don't want).

Having /home noexec won't help, since it's not run directly by the
system but by chromium.

Regards,
--
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 29 May 2015 01:39:07 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 29 May 2015 01:39:07 GMT) (full text, mbox, link).

Message #32 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 786909@bugs.debian.org, Vincent Bernat <bernat@debian.org>
Subject: Re: Bug#786909: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Thu, 28 May 2015 21:37:13 -0400

control: tag -1 confirmed, help

On Wed, May 27, 2015 at 7:25 AM, Yves-Alexis Perez wrote:
> Note that the binary blob is executed through native client, which is
> not enabled by default, so I /think/ you need explicit action from the
> user (although if you enable NaCl for something else, then you might
> enable stuff you actually don't want).

I made a quick attempt at getting hotword disabled, but wasn't effective.

I won't have time to dig into the details for a while, so I'm
attaching the failed attempt to maybe inspire some other ideas.

Best wishes,
Mike

Added tag(s) help and confirmed. Request was from Michael Gilbert <mgilbert@debian.org> to 786909-submit@bugs.debian.org . (Fri, 29 May 2015 01:39:07 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Wed, 10 Jun 2015 19:39:03 GMT) (full text, mbox, link).

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Wed, 10 Jun 2015 19:39:03 GMT) (full text, mbox, link).

Message #39 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 786909@bugs.debian.org, Vincent Bernat <bernat@debian.org>
Subject: Re: Bug#786909: [Pkg-chromium-maint] Bug#786909: chromium: unconditionally downloads binary blob
Date: Wed, 10 Jun 2015 21:36:05 +0200

On jeu., 2015-05-28 at 21:37 -0400, Michael Gilbert wrote:
> control: tag -1 confirmed, help
>
> On Wed, May 27, 2015 at 7:25 AM, Yves-Alexis Perez wrote:
> > Note that the binary blob is executed through native client, which is
> > not enabled by default, so I /think/ you need explicit action from the
> > user (although if you enable NaCl for something else, then you might
> > enable stuff you actually don't want).
>
> I made a quick attempt at getting hotword disabled, but wasn't effective.
>
> I won't have time to dig into the details for a while, so I'm
> attaching the failed attempt to maybe inspire some other ideas.
>

Hey Mike,

it's apparently fixed upstream
(https://code.google.com/p/chromium/issues/detail?id=491435). Not sure
if it's in a released version, but it might be possible to backport the
patch in between.

Regards,
--
Yves-Alexis

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org . (Thu, 11 Jun 2015 19:24:40 GMT) (full text, mbox, link).

Reply sent to Michael Gilbert <mgilbert@debian.org> :

You have taken responsibility. (Mon, 15 Jun 2015 10:27:09 GMT) (full text, mbox, link).

Notification sent to YOSHINO Yoshihito <yy.y.ja.jp@gmail.com> :

Bug acknowledged by developer. (Mon, 15 Jun 2015 10:27:09 GMT) (full text, mbox, link).

Message #46 received at 786909-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 786909-close@bugs.debian.org
Subject: Bug#786909: fixed in chromium-browser 43.0.2357.81-1
Date: Mon, 15 Jun 2015 10:24:08 +0000

Source: chromium-browser
Source-Version: 43.0.2357.81-1

We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 786909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated chromium-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2015 04:04:34 +0000
Source: chromium-browser
Binary: chromium chromium-dbg chromium-l10n chromedriver
Architecture: source all
Version: 43.0.2357.81-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 chromedriver - web browser - WebDriver support
 chromium - web browser
 chromium-dbg - web browser - debugging symbols
 chromium-l10n - web browser - language packs
Closes: 786490 786909
Changes:
 chromium-browser (43.0.2357.81-1) unstable; urgency=medium
 .
   * New upstream release fixing missing icon (closes: #786490).
   * Disable hotword (closes: #786909).
   * Remove some sourceless files.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Tue, 16 Jun 2015 03:21:03 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Tue, 16 Jun 2015 03:21:03 GMT) (full text, mbox, link).

Message #51 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 786909@bugs.debian.org
Subject: Re: chromium: unconditionally downloads binary blob
Date: Tue, 16 Jun 2015 05:16:44 +0200

Hi.

Shouldn't we see a DSA following this incident?

Since no one really knows which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems are basically to be considered
compromised.

Quite a deal of people choose open source just to prevent that - get
untrustworthy / unverifiable code run on their systems - failed.


And to be quite honest, I seriously consider the good faith of such an
upstream which does these kinds of things and wonder whether it can be
considered trustworthy enough to be part of Debian or whether it should
be banned from it.
More or less silently bundling proprietary code with open source
software (especially but not only when enabled per default) can already
be considered quite bad behaviour.

But basically secretly downloading it leads to the question of possible
malicious intent (and everyone knows that Google&Co. do voluntarily
and/or forcibly cooperate with NSA and friends).
And I guess no one can prove that this blob didn't contain any rootkit,
and even if - the rootkit'ed version may have been just distributed to
certain people.
The downloading makes it more or less impossible for the admin/user and
especially for our maintainers to notice what's happening here
(otherwise they'd need to audit every line of code for any such
occasions).


And even if the blob wasn't evil: while I haven't looked at the code, I
wouldn't even be surprised if the downloading itself is done
insecurely.


Worse, chromium isn't the only such rootkit-downloader,... this happens
- to my taste - far too often in recent times,.. e.g. FF which secretly
downloaded the OpenH264 blob.


Now that specific incident may be solved (at least for now),... but no
appropriate notification of users is made, so theoretically&practically
arbitrary users may have had their systems compromised now, and they
won't even notice. :/


Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Tue, 16 Jun 2015 04:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Tue, 16 Jun 2015 04:51:04 GMT) (full text, mbox, link).

Message #56 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 786909@bugs.debian.org
Cc: oss-security@lists.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Tue, 16 Jun 2015 00:49:31 -0400

On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
>
> And to be quite honest, I seriously consider the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled per default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google&Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
>
> Worse, chromium isn't the only such rootkit-downloader,... this happens
> - to my taste - far too often in recent times,.. e.g. FF which secretly
> downloaded the OpenH264 blob.

Barring the obtusely incorrect rootkit miscategorization, oss-sec is a
far better venue for discussion since Debian is not the only
distribution that includes chromium 43.

Best wishes,
Mike

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Tue, 16 Jun 2015 13:18:03 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Tue, 16 Jun 2015 13:18:03 GMT) (full text, mbox, link).

Message #61 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Michael Gilbert <mgilbert@debian.org>, 786909@bugs.debian.org
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob
Date: Tue, 16 Jun 2015 15:15:06 +0200

On Tue, 2015-06-16 at 00:49 -0400, Michael Gilbert wrote:
> Barring the obtusely incorrect rootkit miscategorization

Well, as I've said,.. no one can really tell what it is, since it's a
blob,... and even if one would assume that someone could correctly
reverse engineer it, or reproducibly build it from public sources,
there's absolutely no guarantee that malicious software might have been
just distributed to selected people.

> oss-sec is a
> far better venue for discussion since Debian is not the only
> distribution that includes chromium 43.

I don't see how that would practically ever change something at the
Debian level; this seems rather like simply pushing away an unpleasant
issue.
And just because all other distros ship software which injects possibly
malicious blobs, we don't have to do the same.

Anyway, I haven't said that banning such software from Debian would be
the only solution... but at least these incidents come far too frequent
recently, so apparently something needs to be done at Debian level to
pro-actively prevent future cases/compromises like this.

And there's still no single sign of properly visible announcements to
user what might have happened here. :(

Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Thu, 18 Jun 2015 22:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Thu, 18 Jun 2015 22:45:04 GMT) (full text, mbox, link).

Message #66 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org> To: 786909@bugs.debian.org Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Michael Gilbert <mgilbert@debian.org> Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Thu, 18 Jun 2015 23:42:51 +0100

Hi,

Upstream have said:
https://code.google.com/p/chromium/issues/detail?id=491435#c10
> This is not "opt-in default". If you do not explicitly opt in (using
> the "Enable Ok Google" setting in chrome://settings), then this module
> will not run.

That suggests to me that security of users was not put at risk, unless they enabled that optional feature. It was likely 'only' a privacy concern and Debian policy violation.

May I ask boldly, is NaCl a legitimate feature of a Debian package in 'main'? I'm reminded of the FSF's John Sullivan speaking at DebConf14 about the DFSG iceweasel browser offering to install non-free software. AIUI NaCl's only purpose is to execute compiled, most likely non-free code? (Whereas minified non-free JavaScript is objectionable to some, this seems an order of magnitude worse).

I'm not implying chromium belongs in contrib or non-free - there is already the non-free Chrome as an option there - but rather, would the DFSG chromium browser be 'more' free if it disabled NaCl?

I also propose more QA within Debian to find applications phoning home, which could have been detected in this case within something like the autopkgtest framework and simply opening a page on a local webserver.

Sorry, if you feel this is off-topic for the bug log, please take it to an appropriate list but preferably keep me in Cc: if you do.

Christoph Anton Mitterer wrote:
> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

The bug made it to Hacker News, so that has been accomplished now to some extent.

Thanks Chris for speaking up about this.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Thu, 18 Jun 2015 23:36:04 GMT) (full text, mbox, link).

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Thu, 18 Jun 2015 23:36:04 GMT) (full text, mbox, link).

Message #71 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org> To: 786909@bugs.debian.org Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Michael Gilbert <mgilbert@debian.org> Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Fri, 19 Jun 2015 00:33:51 +0100

Steven Chamberlain wrote:
> would the
> DFSG chromium browser be 'more' free if it disabled NaCl?

Actually, in the build log I see disable_nacl=1

I'm confused that hotword-x86-64.nexe is "a NaCl module" [0], even though Debian's chromium is built with NaCl 'disabled'?

Does this feature actually work at all, even if a user ticks "Enable OK Google" in chrome://settings; is someone able to test that?

[0]: https://code.google.com/p/chromium/issues/detail?id=491435#c10

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Thu, 18 Jun 2015 23:51:03 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Thu, 18 Jun 2015 23:51:03 GMT) (full text, mbox, link).

Message #76 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org> To: Steven Chamberlain <steven@pyro.eu.org> Cc: 786909@bugs.debian.org, Christoph Anton Mitterer <calestyo@scientia.net> Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Thu, 18 Jun 2015 19:47:39 -0400

On Thu, Jun 18, 2015 at 7:33 PM, Steven Chamberlain wrote:
> Steven Chamberlain wrote:
>> would the
>> DFSG chromium browser be 'more' free if it disabled NaCl?
>
> Actually, in the build log I see disable_nacl=1
>
> I'm confused that hotword-x86-64.nexe is "a NaCl module" [0], even
> though Debian's chromium is built with NaCl 'disabled'?

Yes, nacl is intentionally disabled in the Debian packages, but that itself doesn't have anything to do with the ability of the browser to download files.

> Does this feature actually work at all, even if a user ticks
> "Enable OK Google" in chrome://settings; is someone able to test that?

No, it does not work. Obviously nacl applications cannot execute without a nacl interpreter.

Best wishes,
Mike

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 19 Jun 2015 00:21:07 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 19 Jun 2015 00:21:07 GMT) (full text, mbox, link).

Message #81 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org> To: Christoph Anton Mitterer <calestyo@scientia.net> Cc: 786909@bugs.debian.org, oss-security@lists.openwall.com Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Thu, 18 Jun 2015 20:19:02 -0400

Since this made it to LWN [0] and Y Combinator [1] with an incredible amount of misinformation, let's attempt a (hopefully) non-hyped conversation about this, which unfortunately didn't happen a few days ago.

On Tue, Jun 16, 2015 at 9:15 AM, Christoph Anton Mitterer wrote:
> On Tue, 2015-06-16 at 00:49 -0400, Michael Gilbert wrote:
>> Barring the obtusely incorrect rootkit miscategorization
>
> Well, as I've said,.. no one can really tell what it is, since it's a
> blob,... and even if one would assume that someone could correctly
> reverse engineer it, or reproducibly build it from public sources,
> there's absolutely no guarantee that malicious software might have been
> just distributed to selected people.

Except that the actual contents of the downloaded files in many ways do not actually matter. Those files are nacl executables, which are sandboxed in any nacl-enabled chromium, so barring a sandbox escape included in the files, this is functionally the same as visiting any nacl website (less the fact that hotword automatically gets microphone permission, which itself is worth independent critique).

Additionally, the Debian packages are intentionally built with nacl disabled (in fact not built at all). So, at least on Debian, even if the downloaded files were in fact malicious, without a nacl interpreter present, there is absolutely no way to trigger the badness.

>> oss-sec is a
>> far better venue for discussion since Debian is not the only
>> distribution that includes chromium 43.
>
> I don't see how that would practically ever change something at the
> Debian level; this seems rather like simply pushing away an unpleasant
> issue.

Maybe now it's clear that a meaningful conversation at the time would have preempted the ensuing misinformation campaign.

> And just because all other distros ship software which injects possibly
> malicious blobs, we don't have to do the same.

I simply do not follow the logic leading to this conclusion. How does engaging in discussion lead to any specific problem being ignored exactly?

Anyway, if some incredibly basic homework had been done, you could have convinced yourself of the non-issue nature of this problem, rather than engaging in unfounded speculation.

> Anyway, I haven't said that banning such software from Debian would be
> the only solution... but at least these incidents come far too frequent
> recently, so apparently something needs to be done at Debian level to
> pro-actively prevent future cases/compromises like this.

That is exactly what Debian unstable is for, and in many ways it worked as intended, except for the special snowflake that is chromium. Since major chromium versions get uploaded to both unstable and stable to fix security issues, problems introduced into unstable also unfortunately get introduced to stable.

> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

Well, it is out there now [0,1], unfortunately with a huge amount of misinformation.

Anyway the Debian security tracker is tracking this [2]. As stated there, it will be fixed along with the next incoming round of chromium security issues. It is absolutely not worth fixing on its own.

Best wishes,
Mike

[0] https://lwn.net/Articles/648392
[1] https://news.ycombinator.com/item?id=9724409
[2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 19 Jun 2015 00:27:04 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 19 Jun 2015 00:27:04 GMT) (full text, mbox, link).

Message #86 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net> To: Steven Chamberlain <steven@pyro.eu.org>, 786909@bugs.debian.org Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Fri, 19 Jun 2015 02:23:18 +0200

On Thu, 2015-06-18 at 23:42 +0100, Steven Chamberlain wrote:
> Upstream have said:
> https://code.google.com/p/chromium/issues/detail?id=491435#c10
> > This is not "opt-in default". If you do not explicitly opt in (using
> > the "Enable Ok Google" setting in chrome://settings), then this module
> > will not run.
>
> That suggests to me that security of users was not put at risk, unless
> they enabled that optional feature. It was likely 'only' a privacy
> concern and Debian policy violation.

I don't think it really matters what upstream claims here, unless things can be clearly proven by code:

It's very well known that all the big players (Google, Mozilla, etc.) either voluntarily or forcibly cooperate with organisations like the NSA, which in turn are notoriously known for trying to attack and hack into any system, legally or not.

Especially the fact that they don't simply distribute the blob as part of their bundle but download it, makes it IMHO highly suspicious (yeah, of course as with Mozilla there's the good excuse of "patent reasons"), as this could enable an attacker to selectively distribute good/bad versions of the blob to certain users, thereby making it basically impossible to ever detect this.

> May I ask boldly, is NaCl a legitimate feature of a Debian package in
> 'main'? I'm reminded of the FSF's John Sullivan speaking at DebConf14
> about the DFSG iceweasel browser offering to install non-free software.
> AIUI NaCl's only purpose is to execute compiled, most likely non-free
> code? (Whereas minified non-free JavaScript is objectionable to some,
> this seems an order of magnitude worse).

Browsers generally have really become a security disease... :-/

> I also propose more QA within Debian to find applications phoning home,
> which could have been detected in this case within something like the
> autopkgtest framework and simply opening a page on a local webserver.

"phoning home" and (down)loading + executing (possibly malicious) blobs are IMHO two different things.

The former is just a privacy issue (which may or may not be a security issue as well)... and unfortunately we have already so many packages doing this (especially many cases where this behaviour is all but obvious), that I don't see any chances to really solve these privacy issues without a concentrated effort; and actually, in most cases where I've already reported such issues I experienced modest to strong resistance by the respective maintainers and/or upstream.

> Sorry, if you feel this is off-topic for the bug log, please take it to
> an appropriate list but preferably keep me in Cc: if you do.

I've already thought about CCing d-d, but to be honest,... I don't expect that anything would come out from a broader discussion... security seems to be only tertiary priority in Debian, at least in several fields (and no, I explicitly do not refer to the Security Team here).

> The bug made it to Hacker News, so that has been accomplished now
> to some extent.

Well and I've noticed it also mentioned on the cryptography mailing list and some openbsd lists... and yet...
- still no DSA (or something like that)
- still no concentrated effort at the Debian level to pro-actively work against such sources that include or more or less secretly download blobs (I guess it should be obvious that this cannot be the responsibility of one single person like Michael, and that my criticism isn't targeted towards him)
- and sadly, as it seems, further, very silently handled cases:
  chromium-browser (43.0.2357.124-1) unstable; urgency=medium
  ...
  * Remove more sourceless files.

Having this popped up at some news sites is basically useless if no measures are taken.

> Thanks Chris for speaking up about this.

Well it wasn't me who noticed this particular incident of a compromise, thanks go to Yoshino Yoshihito

Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 19 Jun 2015 00:39:04 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 19 Jun 2015 00:39:04 GMT) (full text, mbox, link).

Message #91 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org> To: Christoph Anton Mitterer <calestyo@scientia.net>, 786909@bugs.debian.org Cc: Steven Chamberlain <steven@pyro.eu.org>, debian developers <debian-devel@lists.debian.org> Subject: Please stop (was: Bug#786909: chromium: unconditionally downloads binary blob) Date: Thu, 18 Jun 2015 20:36:54 -0400

On Thu, Jun 18, 2015 at 8:23 PM, Christoph Anton Mitterer wrote:
> - still no DSA (or something like that)

See previous message.

> - still no concentrated effort at the Debian level to pro-actively work
>   against such sources that include or more or less secretly download
>   blobs

If you have an itch, please by all means go scratch it. You will get absolutely nowhere continuing to tell people that they need to drop everything to scratch your particular itches. No one gets to tell anyone else how they should spend their Debian time. That is an incredibly obtrusive affront to personal freedom and self actualization.

Please stop.

Best wishes,
Mike

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 19 Jun 2015 00:42:03 GMT) (full text, mbox, link).

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 19 Jun 2015 00:42:03 GMT) (full text, mbox, link).

Message #96 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org> To: Michael Gilbert <mgilbert@debian.org> Cc: 786909@bugs.debian.org, Christoph Anton Mitterer <calestyo@scientia.net> Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Fri, 19 Jun 2015 01:38:33 +0100

Michael Gilbert wrote:
> Yes, nacl is intentionally disabled in the Debian packages, [...]
> [...]
> No, it does not work. Obviously nacl applications cannot execute
> without a nacl interpreter.

Thanks! That's quite reassuring for Debian users at least.

Christoph Anton Mitterer wrote:
> I don't think it really matters what upstream claims here,

Right, we shouldn't just take their word for it.

From what I can tell, the file download was configured by way of a module ID listed as an "import" here:
https://sources.debian.net/src/chromium-browser/43.0.2357.124-1/chrome/browser/resources/hotword/manifest.json/#L82
(and didn't exist before Chromium 43, JFTR).

(I don't yet understand how the upstream commit stopped the module being downloaded, but rather appears to stop it from being invoked?)
https://codereview.chromium.org/1160243004/diff/120001/chrome/browser/search/hotword_service.cc

I scanned through the other manifest.json and found one other occurrence which is:
https://sources.debian.net/src/chromium-browser/43.0.2357.124-1/ui/file_manager/video_player/manifest.json/?hl=60#L60
Could someone please check if that plugin is enabled? (Seems Mike just committed to packaging Git a way to make hidden extensions visible now).

There is some scary code in
https://sources.debian.net/src/chromium-browser/43.0.2357.124-1/chrome/browser/chromeos/extensions/file_manager/private_api_misc.cc
relating to "https://www.googleapis.com/auth/chromewebstore" and talking about "silent installation". It relates to Cast API and hopefully is unused in Debian builds (I don't see this file in the Debian package build logs).

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
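The manifest scan described in the message above, as an added Python example that is not part of Steven Chamberlain's message or of Chromium's source: it walks a source tree and lists every manifest.json that declares a shared-module "import", tolerating the `//` comments such manifests may carry. The sample tree is constructed for illustration and the function names are hypothetical.

```python
import json
import os
import tempfile


def strip_line_comments(text):
    """Drop // comments that sit outside JSON strings (URLs in strings survive)."""
    out, i, in_string = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):
                out.append(text[i + 1])  # keep the escaped character untouched
                i += 2
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1  # skip to end of line; the newline itself is kept
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def find_shared_module_imports(root):
    """Return (imports, unparsed).

    imports:  sorted (manifest path relative to root, imported module id) pairs
    unparsed: manifests that could not be read or parsed, reported so that a
              broken file is never mistaken for one without imports
    """
    imports, unparsed = [], []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        rel = os.path.relpath(path, root)
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.loads(strip_line_comments(fh.read()))
        except (OSError, ValueError):
            unparsed.append(rel)
            continue
        entries = manifest.get("import", []) if isinstance(manifest, dict) else []
        if not isinstance(entries, list):
            entries = []
        for entry in entries:
            if isinstance(entry, dict) and "id" in entry:
                imports.append((rel, entry["id"]))
    return sorted(imports), sorted(unparsed)


# Constructed sample manifests; these are not copies of Chromium's files.
SAMPLE_MANIFESTS = {
    "hotword/manifest.json": """{
  // Constructed component-extension manifest with a shared-module import.
  "name": "Sample voice extension",
  "homepage_url": "https://example.invalid/hotword",
  "import": [
    {"id": "lccekmodgklaepjeofjdjpbminllajkg"}  // module id seen in this bug
  ]
}""",
    "bookmarks/manifest.json": '{"name": "No imports here", "version": "1"}',
    "broken/manifest.json": '{"name": "truncated", ',
}


def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_MANIFESTS.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_shared_module_imports(root)


if __name__ == "__main__":
    found, failed = demo()
    for rel, module_id in found:
        print(f"{rel}: imports {module_id}")
    for rel in failed:
        print(f"{rel}: could not be parsed, review by hand")
```

Run against an unpacked source package, the output is the list of extensions whose manifests can pull in a separately delivered module, which is the list a packager would review before upload.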

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 19 Jun 2015 00:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 19 Jun 2015 00:51:04 GMT) (full text, mbox, link).

Message #101 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net> To: Michael Gilbert <mgilbert@debian.org> Cc: 786909@bugs.debian.org, oss-security@lists.openwall.com Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Fri, 19 Jun 2015 02:49:25 +0200

On Thu, 2015-06-18 at 20:19 -0400, Michael Gilbert wrote:
> Except that the actual contents of the downloaded files in many ways
> do not actually matter. Those files are nacl executables, which are
> sandboxed in any nacl-enabled chromium, so barring a sandbox escape
> included in the files, this is functionally the same as visiting any
> nacl website (less the fact that hotword automatically gets microphone
> permission, which itself is worth independent critique).

I never really understood why browsers need to be more and more like complete operating systems, taking control over hardware which is simply not their belonging...

If people want to voice/video conferencing, then they should need to start some locally installed software for just that purpose.

But maybe I'm just too old-fashioned and don't want to have everything run on the web or in the cloud. :-(

> Additionally, the Debian packages are intentionally built with nacl
> disabled (in fact not built at all). So, at least on Debian, even if
> the downloaded files were in fact malicious, without a nacl
> interpreter present, there is absolutely no way to trigger the
> badness.

Definitely good news...

But my primary point was more that this should simply not happen... cause in another case, we might not have had that safety of having nacl not even available.

As I've mentioned, we've had the same issue already with Firefox which downloaded OpenH264 and which (AFAIR) was actually loaded.

In principle, all code which is not manually downloaded/compiled/executed by the user should enter a Debian box *only* via the package management system.

> Maybe now it's clear that a meaningful conversation at the time would
> have preempted the ensuing misinformation campaign.

Well it wasn't me who posted this news to several other places,...

> I simply do not follow the logic leading to this conclusion. How does
> engaging in discussion lead to any specific problem being ignored
> exactly?

Well, discussing things at oss-security doesn't have any direct effect on Debian, right?

Discussing/reporting things directly at upstream is mostly just a waste of time, at least when it comes about "meta" security issues; just look at the Mozilla bugtracker for issues reported by me.

And unfortunately, the same applies largely to Debian itself. You may remember several discussions I've ignited on d-d about such higher level security issues,... like the "downloader packages", or the far too high validity times of Release files.

> Anyway, if some incredibly basic homework had been done, you could
> have convinced yourself of the non-issue nature of this problem,
> rather than engaging in unfounded speculation.

I think practically it's extremely time consuming to really confirm whether such code was loaded or not, especially when one is not familiar with the code base, which I'm not in the case of Chromium.

And even if that code was just downloaded (but not executed) I still think it's far from ideal. configure-options may accidentally change, as may the download code itself - simply not having any such functionalities in the code is probably safer than having it just disabled and/or being simply a bit lucky as we apparently were in this case.

> That is exactly what Debian unstable is for

Phew,... realistically, many people use sid for their normal desktop systems...

> Well, it is out there now [0,1], unfortunately with a huge amount of
> misinformation.

My apologies, if you feel that this would fall into my responsibility... as this wasn't my intention (otherwise I'd have CCed it to d-d).

Personally I think that you as maintainer(s) should feel the least responsible for this,... it's rather upstream who should need to reconsider "some things"; and if they got a bit of attention now, then this may not be the biggest harm.

As said before, my main point is the question what we can do to prevent such cases in the future. This time, nothing might have gotten executed,... and the code (likely) wouldn't have been malicious. Next time it may look different.

Best wishes,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Fri, 19 Jun 2015 01:00:04 GMT) (full text, mbox, link).

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Fri, 19 Jun 2015 01:00:04 GMT) (full text, mbox, link).

Message #106 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net> To: Michael Gilbert <mgilbert@debian.org>, 786909@bugs.debian.org Cc: Steven Chamberlain <steven@pyro.eu.org>, debian developers <debian-devel@lists.debian.org> Subject: Re: Please stop (was: Bug#786909: chromium: unconditionally downloads binary blob) Date: Fri, 19 Jun 2015 02:57:04 +0200

On Thu, 2015-06-18 at 20:36 -0400, Michael Gilbert wrote:
> See previous message.

I've had read that only afterwards, as well as this message.

> You will get
> absolutely nowhere continuing to tell people that they need to drop
> everything to scratch your particular itches.

I don't think I've asked you to drop everything.

> No one gets to tell
> anyone else how they should spend their Debian time. That is an
> incredibly obtrusive affront to personal freedom and self
> actualization.

I haven't said that you personally would be required to do anything, have I?

Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Sun, 21 Jun 2015 20:12:07 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Franzl <office@michaelfranzl.com> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Sun, 21 Jun 2015 20:12:07 GMT) (full text, mbox, link).

Message #111 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Michael Franzl <office@michaelfranzl.com> To: 786909@bugs.debian.org Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Sun, 21 Jun 2015 21:47:48 +0200

On Thu, 18 Jun 2015 20:19:02 -0400 Michael Gilbert <mgilbert@debian.org> wrote:
> Anyway the Debian security tracker is tracking this [2].

> [2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526

This link is dead / says "Not found". Could you post the correct link?

Thanks

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Sun, 21 Jun 2015 21:48:05 GMT) (full text, mbox, link).

Acknowledgement sent to Marc <marc@linkitdesign.com> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Sun, 21 Jun 2015 21:48:05 GMT) (full text, mbox, link).

Message #116 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Marc <marc@linkitdesign.com> To: 786909@bugs.debian.org Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob Date: Sun, 21 Jun 2015 22:39:16 +0100

On Sun, 21 Jun 2015 21:47:48 +0200 Michael Franzl <office@michaelfranzl.com> wrote:
> On Thu, 18 Jun 2015 20:19:02 -0400 Michael Gilbert <mgilbert@debian.org>
> wrote:
> > Anyway the Debian security tracker is tracking this [2].
>
> > [2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526
>
> This link is dead / says "Not found". Could you post the correct link?
>
> Thanks

I think this is the one: https://security-tracker.debian.org/tracker/TEMP-0786909-A21526

Marked as found in versions chromium-browser/43.0.2357.65-1~deb8u1. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org . (Tue, 30 Jun 2015 10:38:45 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> :

Bug#786909 ; Package chromium . (Tue, 30 Jun 2015 11:03:04 GMT) (full text, mbox, link).

Acknowledgement sent to Axel Beckert <abe@debian.org> :

Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org> . (Tue, 30 Jun 2015 11:03:04 GMT) (full text, mbox, link).

Message #123 received at 786909@bugs.debian.org (full text, mbox, reply):

From: Axel Beckert <abe@debian.org> To: 786909@bugs.debian.org Subject: Unconditional hotword download: Workaround for Jessie Date: Tue, 30 Jun 2015 12:58:55 +0200

Hi,

the following symlink seems to prevent the download of the hotword binary blob in Debian 8 Jessie where this issue still exists:

lrwxrwxrwx 1 abe abe 9 Jun 30 12:42 .config/chromium/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg -> /dev/null

Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
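The check from the original report (`find` and `file` over the profile's Extensions directory) combined with the symlink workaround above, as an added Python example that is not part of Axel Beckert's message: it lists files under a profile's `Extensions/` that start with the ELF magic bytes and notes extension IDs whose directory has been replaced by a symlink or plain file. The sample profiles are constructed for illustration and the function names are hypothetical.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
HOTWORD_ID = "lccekmodgklaepjeofjdjpbminllajkg"  # extension id quoted in this bug


def audit_extensions(profile_dir):
    """Return (native_files, blocked_ids) for <profile_dir>/Extensions.

    native_files: sorted (extension id, path relative to the extension dir)
                  for every regular file that begins with the ELF magic
    blocked_ids:  ids whose entry is a symlink or plain file instead of a
                  directory, as in the /dev/null workaround
    """
    ext_root = os.path.join(profile_dir, "Extensions")
    native, blocked = [], []
    if not os.path.isdir(ext_root):
        return native, blocked
    for ext_id in sorted(os.listdir(ext_root)):
        ext_path = os.path.join(ext_root, ext_id)
        if os.path.islink(ext_path) or not os.path.isdir(ext_path):
            blocked.append(ext_id)
            continue
        for dirpath, _dirs, files in os.walk(ext_path):
            for name in files:
                path = os.path.join(dirpath, name)
                # Only regular files are opened; symlinks are never followed.
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(len(ELF_MAGIC))
                except OSError:
                    continue
                if head == ELF_MAGIC:
                    native.append((ext_id, os.path.relpath(path, ext_path)))
    return sorted(native), blocked


def build_sample_profiles(root):
    """Create two constructed profiles: one holding the module, one blocked."""
    downloaded = os.path.join(root, "Downloaded")
    module_dir = os.path.join(downloaded, "Extensions", HOTWORD_ID,
                              "0.3.0.5_0", "_platform_specific", "x86-64_ja")
    os.makedirs(module_dir)
    # Constructed stand-ins: only the first four bytes matter to the audit.
    with open(os.path.join(module_dir, "hotword-x86-64.nexe"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
    with open(os.path.join(module_dir, "hotword.data"), "wb") as fh:
        fh.write(b"constructed model data, not an executable")

    blocked = os.path.join(root, "Blocked")
    os.makedirs(os.path.join(blocked, "Extensions"))
    os.symlink("/dev/null", os.path.join(blocked, "Extensions", HOTWORD_ID))
    return downloaded, blocked


def demo():
    """Audit both constructed profiles and return their results."""
    with tempfile.TemporaryDirectory() as root:
        downloaded, blocked = build_sample_profiles(root)
        return audit_extensions(downloaded), audit_extensions(blocked)


if __name__ == "__main__":
    for label, (native, blocked_ids) in zip(("Downloaded", "Blocked"), demo()):
        print(label)
        for ext_id, rel in native:
            print(f"  native executable: {ext_id}/{rel}")
        for ext_id in blocked_ids:
            print(f"  directory replaced (download blocked): {ext_id}")
```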

Reply sent to Michael Gilbert <mgilbert@debian.org> :

You have taken responsibility. (Fri, 24 Jul 2015 16:51:04 GMT) (full text, mbox, link).

Notification sent to YOSHINO Yoshihito <yy.y.ja.jp@gmail.com> :

Bug acknowledged by developer. (Fri, 24 Jul 2015 16:51:04 GMT) (full text, mbox, link).

Message #128 received at 786909-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org> To: 786909-close@bugs.debian.org Subject: Bug#786909: fixed in chromium-browser 44.0.2403.89-1~deb8u1 Date: Fri, 24 Jul 2015 16:47:32 +0000

Source: chromium-browser
Source-Version: 44.0.2403.89-1~deb8u1

We believe that the bug you reported is fixed in the latest version of chromium-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 786909@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated chromium-browser package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Jul 2015 02:58:38 +0000
Source: chromium-browser
Binary: chromium chromium-dbg chromium-l10n chromium-inspector chromedriver
Architecture: source amd64 all
Version: 44.0.2403.89-1~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 chromedriver - web browser - WebDriver support
 chromium - web browser
 chromium-dbg - web browser - debugging symbols
 chromium-inspector - web browser - page inspection support
 chromium-l10n - web browser - language packs
Closes: 786909
Changes:
 chromium-browser (44.0.2403.89-1~deb8u1) jessie-security; urgency=high
 .
   * New upstream security release:
     - CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
     - CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
     - CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
     - CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy.
     - CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen.
     - CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
     - CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva.
     - CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
     - CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi.
     - CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte).
     - CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
     - CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
     - CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
     - CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
     - CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
     - CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
     - CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
     - CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa Sidhpurwala.
     - CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen.
     - CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
     - CVE-2015-1286: UXSS in blink. Credit to anonymous.
     - CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
     - CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to Mike Ruddy.
     - CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives.
     - Hotword extension disabled by default (closes: #786909).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Sep 2015 07:26:42 GMT)
