launcher script runs Python 2 despite checking for /usr/bin/python3
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
chromium-browser (Ubuntu) | | Medium | Unassigned | | |
Bug Description
debian/
if test -x /usr/bin/python3 -a -f "/usr/lib/
if echo "$CHROMIUM_FLAGS" |grep -E -- "--ppapi-
ver=$(python -c 'import json,sys; print(json.
CHROMIUM_
fi
fi
Notice that it checks for the existence of "/usr/bin/python3" but then runs "python", i.e. Python 2.7.
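The check-versus-use mismatch from the bug description, shown next to a form where the path that is tested is the path that is executed. This is an added example, not the chromium-browser packaging script and not the patch attached to this bug. The `PY3` variable, the function names, the sample manifest and its `version` key are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical launcher fragment, not the Ubuntu packaging code.
# Assumption: the manifest carries a top-level "version" key.

# Single place that names the interpreter; overridable for testing.
PY3=${PY3:-/usr/bin/python3}

# Before: tests one interpreter, then runs whatever "python" resolves to
# in $PATH (Python 2 where that name exists, nothing at all where it does not).
manifest_version_mismatched() {
    if test -x /usr/bin/python3 -a -f "$1"; then
        python -c 'import json,sys; print(json.load(open(sys.argv[1]))["version"])' "$1"
    fi
}

# After: the guard and the invocation use the same absolute path, so the
# function either runs the interpreter it checked or fails without a fallback.
manifest_version() {
    manifest=$1
    [ -x "$PY3" ] && [ -f "$manifest" ] || return 1
    # Explicit encoding: Python 3 would otherwise decode by locale, which is
    # where a non-ASCII manifest breaks under LANG=C.
    "$PY3" -c '
import json, sys
with open(sys.argv[1], encoding="utf-8") as fh:
    print(json.load(fh)["version"])
' "$manifest"
}

# Constructed sample manifest containing non-ASCII text (UTF-8).
write_sample_manifest() {
    printf '{"description": "Módulo de prueba", "version": "1.2.3.4"}\n' > "$1"
}
```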
Will Thompson (wjt) wrote : | #1 |
Will Thompson (wjt) wrote : | #2 |
Changed in chromium-browser (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
The attachment "0001-Check-
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]
tags: | added: patch |
Olivier Tilloy (osomon) wrote : | #4 |
Maybe a dumb question… After removing Python 2.7 entirely, wouldn't "/usr/bin/python" point to python3 by default anyway?
Will Thompson (wjt) wrote : Re: [Bug 1772448] Re: launcher script runs Python 2 despite checking for /usr/bin/python3 | #5 |
https:/
Will Thompson (wjt) wrote : | #6 |
That is:
'python' is in $PATH => it is Python 2
By my reading, it follows that if there is no Python 2, 'python' shouldn't be in $PATH at all, according to that PEP.
Olivier Tilloy (osomon) wrote : | #7 |
That makes sense, thanks for confirming.
Python3 should probably be made a runtime dependency of chromium-browser, then.
Olivier Tilloy (osomon) wrote : | #8 |
The shell script checks for the existence of /usr/bin/python3, so it will fail gracefully if python3 is not installed. Not sure what the intent of that was (python3 not widely available at the time this was written, maybe?), but for now let's keep the test and not add an explicit runtime dependency. I think it can be safely assumed that python3 will be installed anyway on most modern distributions.
Changed in chromium-browser (Ubuntu): | |
status: | Confirmed → Fix Committed |
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package chromium-browser - 68.0.3440.
---------------
chromium-browser (68.0.3440.
* Upstream release: 68.0.3440.75
- CVE-2018-6153: Stack buffer overflow in Skia.
- CVE-2018-6154: Heap buffer overflow in WebGL.
- CVE-2018-6155: Use after free in WebRTC.
- CVE-2018-6156: Heap buffer overflow in WebRTC.
- CVE-2018-6157: Type confusion in WebRTC.
- CVE-2018-6158: Use after free in Blink.
- CVE-2018-6159: Same origin policy bypass in ServiceWorker.
- CVE-2018-6160: URL spoof in Chrome on iOS.
- CVE-2018-6161: Same origin policy bypass in WebAudio.
- CVE-2018-6162: Heap buffer overflow in WebGL.
- CVE-2018-6163: URL spoof in Omnibox.
- CVE-2018-6164: Same origin policy bypass in ServiceWorker.
- CVE-2018-6165: URL spoof in Omnibox.
- CVE-2018-6166: URL spoof in Omnibox.
- CVE-2018-6167: URL spoof in Omnibox.
- CVE-2018-6168: CORS bypass in Blink.
- CVE-2018-6169: Permissions bypass in extension installation.
- CVE-2018-6170: Type confusion in PDFium.
- CVE-2018-6171: Use after free in WebBluetooth.
- CVE-2018-6172: URL spoof in Omnibox.
- CVE-2018-6173: URL spoof in Omnibox.
- CVE-2018-6174: Integer overflow in SwiftShader.
- CVE-2018-6175: URL spoof in Omnibox.
- CVE-2018-6176: Local user privilege escalation in Extensions.
- CVE-2018-6177: Cross origin information leak in Blink.
- CVE-2018-6178: UI spoof in Extensions.
- CVE-2018-6179: Local file information leak in Extensions.
- CVE-2018-6044: Request privilege escalation in Extensions.
- CVE-2018-4117: Cross origin information leak in Blink.
* debian/rules:
- remove enable_webrtc build flag
- make ninja less verbose to reduce build log size
* debian/
(LP: #1772448)
-- Olivier Tilloy <email address hidden> Wed, 25 Jul 2018 09:22:28 +0200
Changed in chromium-browser (Ubuntu): | |
status: | Fix Committed → Fix Released |
I noticed this in the course of Endless OS removing Python 2.7 entirely. We don't ship /usr/lib/adobe-flashplugin/manifest.json, and I couldn't find a copy to fully verify this patch, but I tested with a non-ASCII JSON file (the obvious way that 2.7 -> 3.x would break) and it seems to work fine.