Ubuntu
chromium-browser package

Regression: chromium-browser no longer loads policies in 37.0.2062.120-0ubuntu0.14.04.1~pkg1049

Bug #1373802 reported by Mark Huijgen
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
Critical
Chad Miller

Bug Description

Release: Ubuntu 14.04
Package: chromium-browser_37.0.2062.120-0ubuntu0.14.04.1~pkg1049

After updating to the latest version indicated above this morning I found out that this version no longer loads my configured policies from /etc/chromium-browser/policies/*.

Running 'strings /usr/lib/chromium-browser/chromium-browser|grep policies' I noticed that in the new version the path vor policies changed to /etc/chromium/policies.

After creating a symlink /etc/chromium -> chromium-browser and restarting the browser my policies were loaded again.

I think this is a serious regression from the previous version (37.0.2062.94-0ubuntu0.14.04.1~pkg1042) for enterprise users where we want to lock down certain features in the browser and after this security update suddenly all policies are not loaded/enforced anymore.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
importance: Undecided → Critical
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package chromium-browser - 38.0.2125.111-0ubuntu0.14.10.1.1103

---------------
chromium-browser (38.0.2125.111-0ubuntu0.14.10.1.1103) utopic-security; urgency=medium

  * Upstream release 38.0.2125.111.
  * Upstream release 38.0.2125.104.
  * Upstream release 38.0.2125.101: (LP: #1310163)
    - CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and
      IPC bugs that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3189: Out-of-bounds read in PDFium.
    - CVE-2014-3190: Use-after-free in Events.
    - CVE-2014-3191: Use-after-free in Rendering.
    - CVE-2014-3192: Use-after-free in DOM.
    - CVE-2014-3193: Type confusion in Session Management.
    - CVE-2014-3194: Use-after-free in Web Workers.
    - CVE-2014-3195: Information Leak in V8.
    - CVE-2014-3196: Permissions bypass in Windows Sandbox.
    - CVE-2014-3197: Information Leak in XSS Auditor.
    - CVE-2014-3198: Out-of-bounds read in PDFium.
    - CVE-2014-3199: Release Assert in V8 bindings.
    - CVE-2014-3200: Various fixes from internal audits, fuzzing and other
      initiatives (Chrome 38).
  * debian/rules: Prefer GCC 4.8 when compiling. 4.9 remains buggy.
  * Make the verification step in clean make more compare-able output.
  * debian/patches/configuration-directory.patch: Account for new location of
    policies directory in /etc . Change back. (LP: #1373802)
  * debian/patches/lp-translations-paths: Map old third_party filenames to
    new name after processor compiles.
  * debian/rules: Fix patch-translations rule, workflow.
  * debian/patches/macro-templates-not-match: Anonymous struct isn't sizable.
  * debian/chromium-browser.sh.in: Fix broken logic of CHROMIUM_USER_FLAGS,
    which has never worked. (LP: #1381644)
  * debian/patches/disable-sse: Disable more SSE #includes.
  * debian/rules: Omit unnecessary files from packaging.
  * debian/chromium-browser.sh.in: Fix variable name bug and suggest
    ~/.chromium-browser.init file over hamfisted CHROMIUM_USER_FLAGS.
  * debian/patches/5-desktop-integration-settings.patch: Adapt to new settings
    APIs.

chromium-browser (37.0.2062.120-0ubuntu1) utopic; urgency=low

  * Upstream release 37.0.2062.120:
    - CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.
    - CVE-2014-3179: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Simplify and rearrange.
  * debian/rules, debian/known_gyp_flags: Keep better track of known GYP flags,
    so we can fail when something changes unexpectedly.
  * debian/rules: Fix up patch-translations rule.

chromium-browser (37.0.2062.94-0ubuntu1) utopic; urgency=low

  * Upstream release 37.0.2062.94.
    - CVE-2014-3165: Use-after-free in Blink websockets.
    - CVE-2014-3176, CVE-2014-3177: A combination of bugs in V8, IPC, sync, and
      extensions that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3168: Use-after-free in SVG.
    - CVE-2014-3169: Use-after-free in DOM.
    - CVE-2014-3170: Extension permission dialog spoofing.
    - CVE-2014-3171: Use-after-free in bindings.
    - CVE-2014-3172: Issue related to extension debugging.
 ...

Read more...

Changed in chromium-browser (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.