CHROMIUM_USER_FLAGS environment variable is ignored

Bug #1381644 reported by Kyle Brenneman on 2014-10-15
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
High
Chad Miller

Bug Description

The script that starts Chromium has a section that's supposed to check whether the environment variable CHROMIUM_USER_FLAGS is defined, as if so, use it rather than CHROMIUM_FLAGS.

However, the script checks if the length of the string (not the variable) "CHROMIUM_USER_FLAGS" is zero, which of course is always false. As a result, it never uses CHROMIUM_USER_FLAGS at all.

I've attached a patch file that fixes the problem.

Steps to reproduce:
1) Set the environment variable CHROMIUM_USER_FLAGS to a non-empty string. Something like:
export CHROMIUM_USER_FLAGS="--password-store=gnome"
2) Run /usr/bin/chromium-browser
3) Look at the process's command line from ps to see if the options in CHROMIUM_USER_FLAGS are included.

Expected behavior: The flags from CHROMIUM_USER_FLAGS are added to the command line, and the flags from CHROMIUM_FLAGS are not.

Observed behavior: The flags from CHROMIUM_FLAGS are used, and the flags from CHROMIUM_USER_FLAGS are ignored.

Kyle Brenneman (kyle-brenneman) wrote :
Chad Miller (cmiller) on 2014-10-15
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
Chad Miller (cmiller) on 2014-10-15
Changed in chromium-browser (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
Chad Miller (cmiller) wrote :

I'm fixing in 14.10 U only. It's too dangerous to change in 14.04 T and 12.04 P.

The attachment "chromium-user-flags-fix.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package chromium-browser - 38.0.2125.111-0ubuntu0.14.10.1.1103

---------------
chromium-browser (38.0.2125.111-0ubuntu0.14.10.1.1103) utopic-security; urgency=medium

  * Upstream release 38.0.2125.111.
  * Upstream release 38.0.2125.104.
  * Upstream release 38.0.2125.101: (LP: #1310163)
    - CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and
      IPC bugs that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3189: Out-of-bounds read in PDFium.
    - CVE-2014-3190: Use-after-free in Events.
    - CVE-2014-3191: Use-after-free in Rendering.
    - CVE-2014-3192: Use-after-free in DOM.
    - CVE-2014-3193: Type confusion in Session Management.
    - CVE-2014-3194: Use-after-free in Web Workers.
    - CVE-2014-3195: Information Leak in V8.
    - CVE-2014-3196: Permissions bypass in Windows Sandbox.
    - CVE-2014-3197: Information Leak in XSS Auditor.
    - CVE-2014-3198: Out-of-bounds read in PDFium.
    - CVE-2014-3199: Release Assert in V8 bindings.
    - CVE-2014-3200: Various fixes from internal audits, fuzzing and other
      initiatives (Chrome 38).
  * debian/rules: Prefer GCC 4.8 when compiling. 4.9 remains buggy.
  * Make the verification step in clean make more compare-able output.
  * debian/patches/configuration-directory.patch: Account for new location of
    policies directory in /etc . Change back. (LP: #1373802)
  * debian/patches/lp-translations-paths: Map old third_party filenames to
    new name after processor compiles.
  * debian/rules: Fix patch-translations rule, workflow.
  * debian/patches/macro-templates-not-match: Anonymous struct isn't sizable.
  * debian/chromium-browser.sh.in: Fix broken logic of CHROMIUM_USER_FLAGS,
    which has never worked. (LP: #1381644)
  * debian/patches/disable-sse: Disable more SSE #includes.
  * debian/rules: Omit unnecessary files from packaging.
  * debian/chromium-browser.sh.in: Fix variable name bug and suggest
    ~/.chromium-browser.init file over hamfisted CHROMIUM_USER_FLAGS.
  * debian/patches/5-desktop-integration-settings.patch: Adapt to new settings
    APIs.

chromium-browser (37.0.2062.120-0ubuntu1) utopic; urgency=low

  * Upstream release 37.0.2062.120:
    - CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.
    - CVE-2014-3179: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Simplify and rearrange.
  * debian/rules, debian/known_gyp_flags: Keep better track of known GYP flags,
    so we can fail when something changes unexpectedly.
  * debian/rules: Fix up patch-translations rule.

chromium-browser (37.0.2062.94-0ubuntu1) utopic; urgency=low

  * Upstream release 37.0.2062.94.
    - CVE-2014-3165: Use-after-free in Blink websockets.
    - CVE-2014-3176, CVE-2014-3177: A combination of bugs in V8, IPC, sync, and
      extensions that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3168: Use-after-free in SVG.
    - CVE-2014-3169: Use-after-free in DOM.
    - CVE-2014-3170: Extension permission dialog spoofing.
    - CVE-2014-3171: Use-after-free in bindings.
    - CVE-2014-3172: Issue related to extension debugging.
 ...

Read more...

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers