touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #21498
[Bug 1374222] Re: path for policy files changed
It's not called out specifically in the change log. The existing
entries in the change log are very concerning for the 12.04 LTS update:
chromium-browser (37.0.2062.120-0ubuntu0.12.04.1~pkg917) precise-
security; urgency=medium
* Release to stage
chromium-browser (37.0.2062.120-0ubuntu1) UNRELEASED; urgency=low
* Upstream release 37.0.2062.120:
- CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.
- CVE-2014-3179: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/rules: Simplify and rearrange.
* debian/rules, debian/known_gyp_flags: Keep better track of known GYP flags,
so we can fail when something changes unexpectedly.
* debian/rules: Fix up patch-translations rule.
Why are changes being made to debian/rules to "Simplify and rearrange"
in an LTS update? That's just inviting problems like this. In looking
at a side-by-side diff (via meld), it appears that the removal of this
line may have been of victim of the referenced rearranging. I attempted
to find the packaging source repository, but the one referenced in LP
appears to be out dated and did not see a reference to the current one
(if there is a public one).
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-3178
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-3179
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1374222
Title:
path for policy files changed
Status in “apparmor” package in Ubuntu:
New
Status in “chromium-browser” package in Ubuntu:
New
Bug description:
Between package version: 37.0.2062.94-0ubuntu0.12.04.1~pkg909
and package version: 37.0.2062.120-0ubuntu0.12.04.1~pkg917
The path checked by Ubuntu's chromium-browser package for policy files
has changed. This results in administrator mandated settings not
being applied, which should be considered a security vulnerability.
In previous versions of the package, policy files were read from: /etc/chromium-browser/policies
In the new version of the package, it is reading policy files from: /etc/chromium/policies
The new package version has dropped the following line from its debian/rules file:
sed -i 's,/etc/chromium/policies,/etc/chromium-browser/policies,' \
$(DEB_TAR_SRCDIR)/chrome/common/chrome_paths.cc
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1374222/+subscriptions