path for policy files changed

Bug #1374222 reported by Jamin W. Collins
Affects                    Status        Importance  Assigned to   Milestone
apparmor (Ubuntu)          Invalid       Undecided   Unassigned
chromium-browser (Ubuntu)  Fix Released  Undecided   Chad Miller

Bug Description

Between package version: 37.0.2062.94-0ubuntu0.12.04.1~pkg909
and package version: 37.0.2062.120-0ubuntu0.12.04.1~pkg917

The path checked by Ubuntu's chromium-browser package for policy files has changed. This results in administrator mandated settings not being applied, which should be considered a security vulnerability.

In previous versions of the package, policy files were read from: /etc/chromium-browser/policies
In the new version of the package, it is reading policy files from: /etc/chromium/policies

The new package version has dropped the following line from its debian/rules file:
    sed -i 's,/etc/chromium/policies,/etc/chromium-browser/policies,' \
        $(DEB_TAR_SRCDIR)/chrome/common/chrome_paths.cc
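
An added check (not part of this bug report or the Ubuntu packaging) that shows the failure mode described above: it reads which policy directory a chromium binary embeds, counts managed policy files under both candidate directories, and warns when administrator policies sit only under the directory the binary no longer reads. It assumes the path is present as a plain string in the binary (as chrome_paths.cc compiles it in) and that managed policies live in <dir>/managed/*.json; the optional prefix argument lets the check run against a fake root.

```shell
#!/bin/sh
# Added example: detect a chromium binary whose policy directory differs from
# where the administrator deployed policies (the situation in this bug).

OLD_DIR=/etc/chromium-browser/policies   # path the Ubuntu package used to patch in
NEW_DIR=/etc/chromium/policies           # upstream default that ~pkg917 fell back to

# Print the policy directory embedded in the binary, or "unknown".
policy_dir_from_binary() {
    bin="$1"
    if grep -aqF "$OLD_DIR" "$bin"; then
        echo "$OLD_DIR"
    elif grep -aqF "$NEW_DIR" "$bin"; then
        echo "$NEW_DIR"
    else
        echo unknown
    fi
}

# Count managed policy files (*.json) under <dir>/managed.
count_policies() {
    n=0
    for f in "$1"/managed/*.json; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Return 0 when policies are where the binary looks, 1 when they exist only
# under the directory the binary ignores, 2 when the path cannot be determined.
check_policy_dirs() {
    bin="$1"; prefix="${2:-}"   # prefix is an assumption for testing against a fake root
    active=$(policy_dir_from_binary "$bin")
    if [ "$active" = unknown ]; then
        echo "cannot determine policy directory from $bin"; return 2
    fi
    if [ "$active" = "$OLD_DIR" ]; then other=$NEW_DIR; else other=$OLD_DIR; fi
    a=$(count_policies "$prefix$active"); o=$(count_policies "$prefix$other")
    echo "binary reads $active ($a policy file(s)); $other holds $o"
    if [ "$a" -eq 0 ] && [ "$o" -gt 0 ]; then
        echo "WARNING: $o policy file(s) under $other are being ignored"; return 1
    fi
    return 0
}
```

Run it as `check_policy_dirs /usr/lib/chromium-browser/chromium-browser` after each package update; a non-zero exit means mandated settings are not being applied.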

Seth Arnold (seth-arnold) wrote :

Looks like we may need to adjust apparmor policy lines too. I wonder what motivated the path change.

information type: Private Security → Public Security
Jamin W. Collins (jcollins) wrote :

It's not called out specifically in the change log. The existing entries in the change log are very concerning for the 12.04 LTS update:

chromium-browser (37.0.2062.120-0ubuntu0.12.04.1~pkg917) precise-security; urgency=medium

  * Release to stage

chromium-browser (37.0.2062.120-0ubuntu1) UNRELEASED; urgency=low

  * Upstream release 37.0.2062.120:
    - CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.
    - CVE-2014-3179: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Simplify and rearrange.
  * debian/rules, debian/known_gyp_flags: Keep better track of known GYP flags,
    so we can fail when something changes unexpectedly.
  * debian/rules: Fix up patch-translations rule.

Why are changes being made to debian/rules to "Simplify and rearrange" in an LTS update? That's just inviting problems like this. In looking at a side-by-side diff (via meld), it appears that the removal of this line may have been a victim of the referenced rearranging. I attempted to find the packaging source repository, but the one referenced in LP appears to be outdated and I did not see a reference to the current one (if there is a public one).

Seth Arnold (seth-arnold) wrote :

Browsers are special. We certainly don't have the resources to fix only security issues found in the browsers as we do with most other packages. We package what upstream produces and this is far from the first thing they've moved: the name of the sandbox executable has changed three or four times since I've been paying attention and I wouldn't be surprised if they change it again in the future. Overall, the benefits of shipping recent browsers with recent features and recent fixes work out for the best, but it doesn't fit the traditional LTS mold well.

Jamin W. Collins (jcollins) wrote :

Are the debian/rules changes from upstream? Near as I can tell, upstream does not have a debian directory in its source tree:

https://chromium.googlesource.com/chromium/src.git/+/37.0.2062.120

Or are you referring to a different upstream?

Chad Miller (cmiller) wrote :

The policy directory should have been preserved, but it changed in upstream without me noticing. It's fixed in the packaging branch in response to bug #1373802. It will return to /etc/chromium-browser/policies at next version.

Changed in apparmor (Ubuntu):
status: New → Invalid
Changed in chromium-browser (Ubuntu):
status: New → Fix Committed
assignee: nobody → Chad Miller (cmiller)
Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released