CHROMIUM_USER_FLAGS environment variable is ignored

Bug #1381644 reported by Kyle Brenneman
This bug affects 1 person
Affects: chromium-browser (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Chad Miller

Bug Description

The script that starts Chromium has a section that's supposed to check whether the environment variable CHROMIUM_USER_FLAGS is defined, and if so, use it rather than CHROMIUM_FLAGS.

However, the script checks if the length of the string (not the variable) "CHROMIUM_USER_FLAGS" is zero, which of course is always false. As a result, it never uses CHROMIUM_USER_FLAGS at all.

I've attached a patch file that fixes the problem.

Steps to reproduce:
1) Set the environment variable CHROMIUM_USER_FLAGS to a non-empty string. Something like:
export CHROMIUM_USER_FLAGS="--password-store=gnome"
2) Run /usr/bin/chromium-browser
3) Look at the process's command line from ps to see if the options in CHROMIUM_USER_FLAGS are included.

Expected behavior: The flags from CHROMIUM_USER_FLAGS are added to the command line, and the flags from CHROMIUM_FLAGS are not.

Observed behavior: The flags from CHROMIUM_FLAGS are used, and the flags from CHROMIUM_USER_FLAGS are ignored.

Tags: patch
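
The check described in the report, as an added example that is not part of the original report or of the Chromium wrapper script: it shows that a zero-length test on the literal word never depends on the variable, and scans a script for tests of that shape. The helper names and the sample script lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the text of the Chromium start script.
# All function names here are hypothetical.

# The two tests the report contrasts. Each returns the test's exit status.
# Literal form: tests the 19-character word itself, so it is never "empty".
literal_is_empty()  { [ -z "CHROMIUM_USER_FLAGS" ]; }
# Expanded form: tests the variable's value (${VAR-} also tolerates "set -u").
variable_is_empty() { [ -z "${CHROMIUM_USER_FLAGS-}" ]; }

# Print "LINENO:TEXT" for every -z/-n test in file $1 whose operand is a bare
# identifier (optionally quoted) with no "$" in front of it.
find_literal_tests() {
    grep -nE -- '([[]|test)[[:space:]]+(![[:space:]]+)?-[zn][[:space:]]+["'\'']?[A-Za-z_][A-Za-z0-9_]*["'\'']?[[:space:]]*([]]|;|$)' "$1"
}

# Constructed sample input: one test on the literal word, two on expansions.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ -z "CHROMIUM_USER_FLAGS" ]; then echo literal; fi
if [ -z "$CHROMIUM_USER_FLAGS" ]; then echo expanded; fi
test -n "${CHROMIUM_FLAGS}" && echo braces
EOF
}

# Demo: only the literal-word test on line 2 of the sample is reported.
sample=$(mktemp)
write_sample "$sample"
find_literal_tests "$sample"
rm -f "$sample"
```

Running find_literal_tests over packaged wrapper scripts is a cheap review step for this bug class; a hit still needs a human look, since a test on a literal word is occasionally intentional.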
Kyle Brenneman (kyle-brenneman) wrote :
Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
Chad Miller (cmiller) wrote :

I'm fixing in 14.10 U only. It's too dangerous to change in 14.04 T and 12.04 P.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "chromium-user-flags-fix.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 38.0.2125.111-0ubuntu0.14.10.1.1103

---------------
chromium-browser (38.0.2125.111-0ubuntu0.14.10.1.1103) utopic-security; urgency=medium

  * Upstream release 38.0.2125.111.
  * Upstream release 38.0.2125.104.
  * Upstream release 38.0.2125.101: (LP: #1310163)
    - CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and
      IPC bugs that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3189: Out-of-bounds read in PDFium.
    - CVE-2014-3190: Use-after-free in Events.
    - CVE-2014-3191: Use-after-free in Rendering.
    - CVE-2014-3192: Use-after-free in DOM.
    - CVE-2014-3193: Type confusion in Session Management.
    - CVE-2014-3194: Use-after-free in Web Workers.
    - CVE-2014-3195: Information Leak in V8.
    - CVE-2014-3196: Permissions bypass in Windows Sandbox.
    - CVE-2014-3197: Information Leak in XSS Auditor.
    - CVE-2014-3198: Out-of-bounds read in PDFium.
    - CVE-2014-3199: Release Assert in V8 bindings.
    - CVE-2014-3200: Various fixes from internal audits, fuzzing and other
      initiatives (Chrome 38).
  * debian/rules: Prefer GCC 4.8 when compiling. 4.9 remains buggy.
  * Make the verification step in clean make more compare-able output.
  * debian/patches/configuration-directory.patch: Account for new location of
    policies directory in /etc . Change back. (LP: #1373802)
  * debian/patches/lp-translations-paths: Map old third_party filenames to
    new name after processor compiles.
  * debian/rules: Fix patch-translations rule, workflow.
  * debian/patches/macro-templates-not-match: Anonymous struct isn't sizable.
  * debian/chromium-browser.sh.in: Fix broken logic of CHROMIUM_USER_FLAGS,
    which has never worked. (LP: #1381644)
  * debian/patches/disable-sse: Disable more SSE #includes.
  * debian/rules: Omit unnecessary files from packaging.
  * debian/chromium-browser.sh.in: Fix variable name bug and suggest
    ~/.chromium-browser.init file over hamfisted CHROMIUM_USER_FLAGS.
  * debian/patches/5-desktop-integration-settings.patch: Adapt to new settings
    APIs.

chromium-browser (37.0.2062.120-0ubuntu1) utopic; urgency=low

  * Upstream release 37.0.2062.120:
    - CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.
    - CVE-2014-3179: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Simplify and rearrange.
  * debian/rules, debian/known_gyp_flags: Keep better track of known GYP flags,
    so we can fail when something changes unexpectedly.
  * debian/rules: Fix up patch-translations rule.

chromium-browser (37.0.2062.94-0ubuntu1) utopic; urgency=low

  * Upstream release 37.0.2062.94.
    - CVE-2014-3165: Use-after-free in Blink websockets.
    - CVE-2014-3176, CVE-2014-3177: A combination of bugs in V8, IPC, sync, and
      extensions that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3168: Use-after-free in SVG.
    - CVE-2014-3169: Use-after-free in DOM.
    - CVE-2014-3170: Extension permission dialog spoofing.
    - CVE-2014-3171: Use-after-free in bindings.
    - CVE-2014-3172: Issue related to extension debugging.
 ...


Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released