📢 Actions Speak Louder Than Words!

Ubuntu Chromium DEB file are actually snap wrapper

Posted: Jul 30, 2021 | Reading time: 3 min
post Robbi Nespu

malicious files, it actually using Chromium snap package

The screenshot taken is the latest rev:head (currently when the post published) of chromium-browser/focal package files repository. I really surprise about this kind of packaging. Oh my God, how comes this is allowable?

Seems it start putting and using wrapper to use snap on rev:1505 , correct me if I wrong because I don’t use bazaar source code management so much compare to cvs, mercurial and git.

From the tagged 75.0.3770.80-0ubuntu1~snap1 entries, the change log said you been using snap in place of deb file starting from this version (since Eoan Ermine), it also don’t link any bug report for the discussion about decision on start using snap file:

chromium-browser (75.0.3770.80-0ubuntu1~snap1) eoan; urgency=medium

  * Upstream release: 75.0.3770.80
    - CVE-2019-5828: Use after free in ServiceWorker.
    - CVE-2019-5829: Use after free in Download Manager.
    - CVE-2019-5830: Incorrectly credentialed requests in CORS.
    - CVE-2019-5831: Incorrect map processing in V8.
    - CVE-2019-5832: Incorrect CORS handling in XHR.
    - CVE-2019-5833: Inconsistent security UI placement.
    - CVE-2019-5834: URL spoof in Omnibox on iOS.
    - CVE-2019-5835: Out of bounds read in Swiftshader.
    - CVE-2019-5836: Heap buffer overflow in Angle.
    - CVE-2019-5837: Cross-origin resources size disclosure in Appcache.
    - CVE-2019-5838: Overly permissive tab access in Extensions.
    - CVE-2019-5839: Incorrect handling of certain code points in Blink.
    - CVE-2019-5840: Popup blocker bypass.
  * Install the chromium snap in place of the debian packages, and make the
    wrapper script rename the desktop file in well-known desktop launchers
    (currently GNOME Shell and Unity)

 -- Olivier Tilloy <olivier.tilloy@canonical.com>  Wed, 12 Jun 2019 09:57:03 +0200

I wonders if everyone are concern about this. Why need put backdoor wrapper inside a deb file with intention to install snap package? Why not just orphan / deprecate the package and let user install it by him self via snap directly?

If you don’t understand how debian package works. Everything inside debian is the where you put packaging stuff, it means you put meta information and only do changes (patching) from this directory. When a package is being installed, first debian/*.preinst (please check this file) is called for installation, then debian/*.postinst for configuration. If all goes well, then the status of the package is successfully installed. Outside debian directory should containing upstream source code. So now it so funny this package don’t have upstream files but Ubuntu developer put his wrapper file instead.

The funny part, debian/copyright said:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: chromium
Upstream-Contact: https://www.chromium.org/contact
Source: https://chromium.googlesource.com/chromium/src.git

Files: *
Copyright: 2008-2011 Fabien Tassin <fta@ubuntu.com>
Copyright: 2009-2019 Ubuntu Chromium Team <https://launchpad.net/~chromium-team>
License: BSD-Style (3-clause)

which is totally confusing and wrong, there is no source here, all is self wrapper and debian packaging works. Even if mentioning using chromium snap source is also wrong, because the is no upstream source code checkout 🤔

Read more on lists.ubuntu.com/archives/ubuntu-users/2021-July/304712.html

Edit

Have some thoughts, discussion or feedback on this post?
Webmentions IndieWeb

Below you can find the interactions that this page has had using Indieweb. Which means, you can mentioned this URL on any website that support WebMention. Have you written a response to this post? Let me know the URL:

(Do you not have a website set up with WebMention capabilities? You can use Comment Parade.)