touch-packages team mailing list archive

[Bug 1374222] Re: path for policy files changed

It's not called out specifically in the change log.  The existing
entries in the change log are very concerning for the 12.04 LTS update:

chromium-browser (37.0.2062.120-0ubuntu0.12.04.1~pkg917) precise-security; urgency=medium

  * Release to stage

chromium-browser (37.0.2062.120-0ubuntu1) UNRELEASED; urgency=low

  * Upstream release 37.0.2062.120:
    - CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.
    - CVE-2014-3179: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Simplify and rearrange.
  * debian/rules, debian/known_gyp_flags: Keep better track of known GYP flags,
    so we can fail when something changes unexpectedly.
  * debian/rules: Fix up patch-translations rule.

Why are changes being made to debian/rules to "Simplify and rearrange"
in an LTS update?  That's just inviting problems like this.  In looking
at a side-by-side diff (via meld), it appears that the removal of this
line may have been a victim of the referenced rearranging.  I attempted
to find the packaging source repository, but the one referenced in LP
appears to be outdated and I did not see a reference to the current one
(if there is a public one).

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3178

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3179

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1374222

Title:
  path for policy files changed

Status in “apparmor” package in Ubuntu:
  New
Status in “chromium-browser” package in Ubuntu:
  New

Bug description:
  Between package version: 37.0.2062.94-0ubuntu0.12.04.1~pkg909
  and package version: 37.0.2062.120-0ubuntu0.12.04.1~pkg917

  The path checked by Ubuntu's chromium-browser package for policy files
  has changed.  This results in administrator mandated settings not
  being applied, which should be considered a security vulnerability.

  In previous versions of the package, policy files were read from: /etc/chromium-browser/policies
  In the new version of the package, it is reading policy files from: /etc/chromium/policies

  The new package version has dropped the following line from its debian/rules file:
      sed -i 's,/etc/chromium/policies,/etc/chromium-browser/policies,' \
          $(DEB_TAR_SRCDIR)/chrome/common/chrome_paths.cc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1374222/+subscriptions
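
A check an administrator could run for the regression described in the bug, as an added example that is not part of the original message or the Ubuntu packaging: it reports policy files present under the old path that are missing or different under the new one. The function names, the `*.json` filter, and the sample policy files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or the Ubuntu packaging.
# Assumption: policy files are *.json under subdirectories such as managed/.

# policy_drift OLD_DIR NEW_DIR
# Prints "MISSING <relpath>" or "DIFFERS <relpath>" for every policy file in
# OLD_DIR that NEW_DIR does not mirror byte for byte. Returns 1 on any drift.
policy_drift() {
    old=${1%/}
    new=${2%/}
    # Nothing was mandated via the old path, so nothing can have been lost.
    [ -d "$old" ] || return 0
    report=$(
        find "$old" -type f -name '*.json' | sort |
        while IFS= read -r path; do
            rel=${path#"$old"/}
            if [ ! -f "$new/$rel" ]; then
                echo "MISSING $rel"
            elif ! cmp -s "$path" "$new/$rel"; then
                echo "DIFFERS $rel"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample layout: one policy mirrored, one left behind.
policy_drift_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/chromium-browser/policies/managed" "$tmp/chromium/policies/managed"
    echo '{"HomepageLocation": "https://intranet.example"}' \
        > "$tmp/chromium-browser/policies/managed/homepage.json"
    echo '{"IncognitoModeAvailability": 1}' \
        > "$tmp/chromium-browser/policies/managed/lockdown.json"
    cp "$tmp/chromium-browser/policies/managed/homepage.json" \
        "$tmp/chromium/policies/managed/"
    rc=0
    policy_drift "$tmp/chromium-browser/policies" "$tmp/chromium/policies" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a host upgraded across the two package versions named in the bug, `policy_drift /etc/chromium-browser/policies /etc/chromium/policies` lists the mandated settings the new build no longer reads.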