[cryptography] chromium: unconditionally downloads binary blob

Alexander Klimov alserkli at inbox.ru
Wed Jun 17 08:12:17 EDT 2015


<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>

After upgrading chromium to 43, I noticed that when it is running and 
immediately after the machine is on-line it silently starts 
downloading the "Chrome Hotword Shared Module" extension, which contains a 
binary without source code. There seems to be no opt-out config.

That extension:
- doesn't appear in the extension list;
- is apparently used to provide the “ok google” voice activation stuff.

The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled”, is definitely
bothering me.

[...]

We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP 
archive.

[...]

Shouldn't we see a DSA [Debian Security Advisory] following this 
incident?

Since no one really knows which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that they were
actually executed, such systems are basically to be considered
compromised.

Quite a few people choose open source just to prevent exactly that - getting
untrustworthy / unverifiable code run on their systems - and it failed.

-- 
Regards,
ASK
