launcher script runs Python 2 despite checking for /usr/bin/python3

Bug #1772448 reported by Will Thompson on 2018-05-21
This bug affects 1 person
Affects: chromium-browser (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

debian/chromium-browser.sh.in contains this snippet:

if test -x /usr/bin/python3 -a -f "/usr/lib/adobe-flashplugin/manifest.json"; then
 if echo "$CHROMIUM_FLAGS" |grep -E -- "--ppapi-flash-version=( |\$)"; then
  ver=$(python -c 'import json,sys; print(json.load(open("/usr/lib/adobe-flashplugin/manifest.json"))["version"]);')
  CHROMIUM_FLAGS=${CHROMIUM_FLAGS/--ppapi-flash-version=/--ppapi-flash-version="${ver}" }
 fi
fi

Notice that it checks for the existence of "/usr/bin/python3" but then runs "python", i.e. Python 2.7.
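An added example, not the patch attached to this bug and not the packaged launcher: a POSIX sh function in which the guard and the invocation share one interpreter variable, the manifest is read as UTF-8 regardless of locale, and the version is validated before it is spliced into the flags. The function name `fill_flash_version`, its arguments and the dotted-digits version rule are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the packaged chromium-browser.sh.in).
# Usage: fill_flash_version FLAGS MANIFEST [INTERPRETER]
# Prints FLAGS with an empty --ppapi-flash-version= filled in from MANIFEST,
# or FLAGS unchanged when the interpreter, manifest or version is unusable.
fill_flash_version() {
    flags=$1
    manifest=$2
    py=${3:-/usr/bin/python3}  # one variable, so guard and call cannot diverge

    # Act only on an empty value: the option followed by a space or the end.
    case "$flags " in
        *"--ppapi-flash-version= "*) ;;
        *) printf '%s\n' "$flags"; return 0 ;;
    esac

    if [ ! -x "$py" ] || [ ! -f "$manifest" ]; then
        printf '%s\n' "$flags"; return 0
    fi

    # The path is passed via argv and the encoding is explicit, so a
    # non-ASCII manifest parses the same way under any locale.
    ver=$("$py" -c 'import json, sys
with open(sys.argv[1], encoding="utf-8") as f:
    print(json.load(f)["version"])' "$manifest" 2>/dev/null) || ver=

    # Assumption: a version is dotted digits. Anything else is discarded so
    # manifest content cannot add words to the browser command line.
    case "$ver" in
        ''|[!0-9]*|*[!0-9.]*) printf '%s\n' "$flags"; return 0 ;;
    esac

    # Splice the version in at the first occurrence of the option.
    pre=${flags%%--ppapi-flash-version=*}
    post=${flags#*--ppapi-flash-version=}
    printf '%s\n' "${pre}--ppapi-flash-version=${ver}${post}"
}
```

In a launcher this would be called as `CHROMIUM_FLAGS=$(fill_flash_version "$CHROMIUM_FLAGS" /usr/lib/adobe-flashplugin/manifest.json)`.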

Will Thompson (wjt) wrote :

I noticed this in the course of Endless OS removing Python 2.7 entirely. We don't ship /usr/lib/adobe-flashplugin/manifest.json, and I couldn't find a copy to fully verify this patch, but I tested with a non-ASCII JSON file (the obvious way that 2.7 -> 3.x would break) and it seems to work fine.

Olivier Tilloy (osomon) on 2018-05-30
Changed in chromium-browser (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium

The attachment "0001-Check-flashplugin-manifest-with-Python-3.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Olivier Tilloy (osomon) wrote :

Maybe a dumb question… After removing Python 2.7 entirely, wouldn't "/usr/bin/python" point to python3 by default anyway?

https://www.python.org/dev/peps/pep-0394/ says “for the time being, all distributions should ensure that python, if installed, refers to the same target as python2, unless the user deliberately overrides this or a virtual environment is active”. That's the case in Endless where /usr/bin/python simply doesn't exist any more.

Will Thompson (wjt) wrote :

That is:

  'python' is in $PATH => it is Python 2

By my reading, it follows that if there is no Python 2, 'python' shouldn't be in $PATH at all, according to that PEP.

Olivier Tilloy (osomon) wrote :

That makes sense, thanks for confirming.
Python3 should probably be made a runtime dependency of chromium-browser, then.

Olivier Tilloy (osomon) wrote :

The shell script checks for the existence of /usr/bin/python3, so it will fail gracefully if python3 is not installed. Not sure what the intent of that was (python3 not widely available at the time this was written, maybe?), but for now let's keep the test and not add an explicit runtime dependency. I think it can be safely assumed that python3 will be installed anyway on most modern distributions.

Olivier Tilloy (osomon) on 2018-06-05
Changed in chromium-browser (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 68.0.3440.75-0ubuntu1

---------------
chromium-browser (68.0.3440.75-0ubuntu1) cosmic; urgency=medium

  * Upstream release: 68.0.3440.75
    - CVE-2018-6153: Stack buffer overflow in Skia.
    - CVE-2018-6154: Heap buffer overflow in WebGL.
    - CVE-2018-6155: Use after free in WebRTC.
    - CVE-2018-6156: Heap buffer overflow in WebRTC.
    - CVE-2018-6157: Type confusion in WebRTC.
    - CVE-2018-6158: Use after free in Blink.
    - CVE-2018-6159: Same origin policy bypass in ServiceWorker.
    - CVE-2018-6160: URL spoof in Chrome on iOS.
    - CVE-2018-6161: Same origin policy bypass in WebAudio.
    - CVE-2018-6162: Heap buffer overflow in WebGL.
    - CVE-2018-6163: URL spoof in Omnibox.
    - CVE-2018-6164: Same origin policy bypass in ServiceWorker.
    - CVE-2018-6165: URL spoof in Omnibox.
    - CVE-2018-6166: URL spoof in Omnibox.
    - CVE-2018-6167: URL spoof in Omnibox.
    - CVE-2018-6168: CORS bypass in Blink.
    - CVE-2018-6169: Permissions bypass in extension installation.
    - CVE-2018-6170: Type confusion in PDFium.
    - CVE-2018-6171: Use after free in WebBluetooth.
    - CVE-2018-6172: URL spoof in Omnibox.
    - CVE-2018-6173: URL spoof in Omnibox.
    - CVE-2018-6174: Integer overflow in SwiftShader.
    - CVE-2018-6175: URL spoof in Omnibox.
    - CVE-2018-6176: Local user privilege escalation in Extensions.
    - CVE-2018-6177: Cross origin information leak in Blink.
    - CVE-2018-6178: UI spoof in Extensions.
    - CVE-2018-6179: Local file information leak in Extensions.
    - CVE-2018-6044: Request privilege escalation in Extensions.
    - CVE-2018-4117: Cross origin information leak in Blink.
  * debian/rules:
    - remove enable_webrtc build flag
    - make ninja less verbose to reduce build log size
  * debian/chromium-browser.sh.in: parse flashplugin manifest with Python 3
    (LP: #1772448)
  * debian/patches/add-missing-base-namespace.patch: added
  * debian/patches/chromium_useragent.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/enable-chromecast-by-default.patch: refreshed
  * debian/patches/fix-crashpad-linux-compat.patch: removed, no longer needed
  * debian/patches/fix-extra-arflags.patch: updated
  * debian/patches/fix-ffmpeg-ia32-build.patch: updated
  * debian/patches/last-commit-position: refreshed
  * debian/patches/revert-clang-nostdlib++.patch: removed, no longer needed
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: updated
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/known_gn_gen_args-*: remove enable_webrtc build flag

 -- Olivier Tilloy <email address hidden> Wed, 25 Jul 2018 09:22:28 +0200

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released