Ubuntu
chromium-browser package

launcher script runs Python 2 despite checking for /usr/bin/python3

Bug #1772448 reported by Will Thompson
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

debian/chromium-browser.sh.in contains this snippet:

if test -x /usr/bin/python3 -a -f "/usr/lib/adobe-flashplugin/manifest.json"; then
 if echo "$CHROMIUM_FLAGS" |grep -E -- "--ppapi-flash-version=( |\$)"; then
  ver=$(python -c 'import json,sys; print(json.load(open("/usr/lib/adobe-flashplugin/manifest.json"))["version"]);')
  CHROMIUM_FLAGS=${CHROMIUM_FLAGS/--ppapi-flash-version=/--ppapi-flash-version="${ver}" }
 fi
fi

Notice that it checks for the existence of "/usr/bin/python3" but then runs "python", ie Python 2.7.

Tags: patch
Revision history for this message
Will Thompson (wjt) wrote :
Revision history for this message
Will Thompson (wjt) wrote :

I noticed this in the course of Endless OS removing Python 2.7 entirely. We don't ship /usr/lib/adobe-flashplugin/manifest.json, and I couldn't find a copy to fully verify this patch, but I tested with a non-ASCII JSON file (the obvious way that 2.7 -> 3.x would break) and it seems to work fine.

Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Check-flashplugin-manifest-with-Python-3.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Olivier Tilloy (osomon) wrote :

Maybe a dumb question… After removing Python 2.7 entirely, wouldn't "/usr/bin/python" point to python3 by default anyway?

Revision history for this message
Will Thompson (wjt) wrote : Re: [Bug 1772448] Re: launcher script runs Python 2 despite checking for /usr/bin/python3

https://www.python.org/dev/peps/pep-0394/ says “for the time being, all distributions should ensure that python, if installed, refers to the same target as python2, unless the user deliberately overrides this or a virtual environment is active”. That's the case in Endless where /usr/bin/python simply doesn't exist any more.

Revision history for this message
Will Thompson (wjt) wrote :

That is:

  'python' is in $PATH => it is Python 2

By my reading, it follows that if there is no Python 2, 'python' shouldn't be in $PATH at all, according to that PEP.

Revision history for this message
Olivier Tilloy (osomon) wrote :

That makes sense, thanks for confirming.
Python3 should probably be made a runtime dependency of chromium-browser, then.

Revision history for this message
Olivier Tilloy (osomon) wrote :

The shell script checks for the existence of /usr/bin/python3, so it will fail gracefully if python3 is not installed. Not sure what the intent of that was (python3 not widely available at the time this was written, maybe?), but for now let's keep the test and not add an explicit runtime dependency. I think it can be safely assumed that python3 will be installed anyway on most modern distributions.

Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 68.0.3440.75-0ubuntu1

---------------
chromium-browser (68.0.3440.75-0ubuntu1) cosmic; urgency=medium

  * Upstream release: 68.0.3440.75
    - CVE-2018-6153: Stack buffer overflow in Skia.
    - CVE-2018-6154: Heap buffer overflow in WebGL.
    - CVE-2018-6155: Use after free in WebRTC.
    - CVE-2018-6156: Heap buffer overflow in WebRTC.
    - CVE-2018-6157: Type confusion in WebRTC.
    - CVE-2018-6158: Use after free in Blink.
    - CVE-2018-6159: Same origin policy bypass in ServiceWorker.
    - CVE-2018-6160: URL spoof in Chrome on iOS.
    - CVE-2018-6161: Same origin policy bypass in WebAudio.
    - CVE-2018-6162: Heap buffer overflow in WebGL.
    - CVE-2018-6163: URL spoof in Omnibox.
    - CVE-2018-6164: Same origin policy bypass in ServiceWorker.
    - CVE-2018-6165: URL spoof in Omnibox.
    - CVE-2018-6166: URL spoof in Omnibox.
    - CVE-2018-6167: URL spoof in Omnibox.
    - CVE-2018-6168: CORS bypass in Blink.
    - CVE-2018-6169: Permissions bypass in extension installation.
    - CVE-2018-6170: Type confusion in PDFium.
    - CVE-2018-6171: Use after free in WebBluetooth.
    - CVE-2018-6172: URL spoof in Omnibox.
    - CVE-2018-6173: URL spoof in Omnibox.
    - CVE-2018-6174: Integer overflow in SwiftShader.
    - CVE-2018-6175: URL spoof in Omnibox.
    - CVE-2018-6176: Local user privilege escalation in Extensions.
    - CVE-2018-6177: Cross origin information leak in Blink.
    - CVE-2018-6178: UI spoof in Extensions.
    - CVE-2018-6179: Local file information leak in Extensions.
    - CVE-2018-6044: Request privilege escalation in Extensions.
    - CVE-2018-4117: Cross origin information leak in Blink.
  * debian/rules:
    - remove enable_webrtc build flag
    - make ninja less verbose to reduce build log size
  * debian/chromium-browser.sh.in: parse flashplugin manifest with Python 3
    (LP: #1772448)
  * debian/patches/add-missing-base-namespace.patch: added
  * debian/patches/chromium_useragent.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/enable-chromecast-by-default.patch: refreshed
  * debian/patches/fix-crashpad-linux-compat.patch: removed, no longer needed
  * debian/patches/fix-extra-arflags.patch: updated
  * debian/patches/fix-ffmpeg-ia32-build.patch: updated
  * debian/patches/last-commit-position: refreshed
  * debian/patches/revert-clang-nostdlib++.patch: removed, no longer needed
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: updated
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/known_gn_gen_args-*: remove enable_webrtc build flag

 -- Olivier Tilloy <email address hidden> Wed, 25 Jul 2018 09:22:28 +0200

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.