[Bug 1163588] New: AUDIT-FIND: chromium: chrome_sandbox shouldn't be packaged any more
http://bugzilla.suse.com/show_bug.cgi?id=1163588

Bug ID: 1163588
Summary: AUDIT-FIND: chromium: chrome_sandbox shouldn't be packaged any more
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: tchvatal@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: ---
Blocker: ---

I just noticed that on openSUSE we're still shipping the chromium browser with the setuid-root sandbox in /usr/lib/chrome_sandbox. This should NOT be necessary any more, since chromium uses Linux namespaces these days for sandboxing. The chrome_sandbox binary should not need to be built and shipped at all.

Upstream worked for years on making this possible:

https://bugs.chromium.org/p/chromium/issues/detail?id=312380

It has already been possible for quite some time to run without this setuid-root binary. Since openSUSE kernels should all support namespaces there should be no compelling reason to keep this setuid program around.

Please adjust the packaging accordingly. Afterwards the security team can remove the entry from the permissions package.

Thank you.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c1

--- Comment #1 from Tomáš Chvátal <tchvatal@suse.com> ---
Did you actually try if it works without it? I see it used in the logs, but maybe it just uses it if available...
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c2

--- Comment #2 from Tomáš Chvátal <tchvatal@suse.com> ---
I am mostly asking as all other distributions still ship this binary.
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c3

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---
We made two simple tests on Leap 15.1 and Tumbleweed and there chromium starts successfully without the sandbox and also no warning is emitted that no sandboxing is used.

Maybe we're the first major distribution to notice or act on this? I actually noted this in the first place, because I saw that on Gentoo Linux the suid binary doesn't exist, and their USE flag docs say:

```
- - suid : Build the SUID sandbox, which is only needed on CONFIG_USER_NS=n kernels
```

Of course, please do your own checks and tests, if you find any blocker then please let us know.
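An added example, not part of the bug thread: a shell check for the condition discussed above, reporting whether a setuid sandbox helper is still justified on the running kernel. It goes slightly beyond the thread by also reading the user.max_user_namespaces sysctl, since CONFIG_USER_NS=y alone does not mean user namespaces are enabled at runtime. The function names, verdict strings and kernel config locations are assumptions; only /usr/lib/chrome_sandbox and CONFIG_USER_NS come from the report.

```shell
#!/bin/sh
# Added example; function names and verdict strings are hypothetical.

# Print y, n or unknown: can this kernel create user namespaces?
# $1 = kernel config file (plain or .gz), $2 = user.max_user_namespaces file
userns_state() {
    cfg=$1 max=$2
    if [ -r "$max" ] && [ "$(cat "$max")" = 0 ]; then
        echo n; return 0   # compiled in, but disabled at runtime
    fi
    if [ ! -r "$cfg" ]; then echo unknown; return 0; fi
    case $cfg in
        *.gz) lines=$(gzip -dc "$cfg" 2>/dev/null) || lines= ;;
        *)    lines=$(cat "$cfg") ;;
    esac
    if printf '%s\n' "$lines" | grep -q '^CONFIG_USER_NS=y$'; then
        echo y
    elif printf '%s\n' "$lines" | grep -q '^# CONFIG_USER_NS is not set$'; then
        echo n
    else
        echo unknown
    fi
}

# Print a verdict for one sandbox helper. $1 = helper path, $2/$3 as above.
sandbox_verdict() {
    helper=$1
    state=$(userns_state "$2" "$3")
    if [ ! -e "$helper" ]; then
        echo absent
    elif [ ! -u "$helper" ]; then
        echo present-not-setuid
    elif [ "$state" = y ]; then
        echo setuid-removable
    elif [ "$state" = n ]; then
        echo setuid-needed
    else
        echo setuid-check-manually
    fi
}

# Live check: helper path from the report; config locations are assumptions.
live_cfg=/proc/config.gz
if [ ! -r "$live_cfg" ]; then live_cfg=/boot/config-$(uname -r); fi
verdict=$(sandbox_verdict /usr/lib/chrome_sandbox "$live_cfg" /proc/sys/user/max_user_namespaces)
echo "chrome_sandbox: $verdict"
```

A verdict of setuid-removable only says the kernel precondition holds; the browser still has to be started without the helper to confirm it sandboxes itself, as was done in the tests described above.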
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c4

--- Comment #4 from Tomáš Chvátal <tchvatal@suse.com> ---
I've removed the content from network:chromium repo, let's see what happens :)
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c5

Tomáš Chvátal <tchvatal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Tomáš Chvátal <tchvatal@suse.com> ---
I've sent the fix to Tumbleweed, with the next update of chromium it will propagate to all supported codestreams. -> Done.
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c6

--- Comment #6 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration: This bug (1163588) was mentioned in https://build.opensuse.org/request/show/777696 Factory / chromium
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c7

--- Comment #7 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration: This bug (1163588) was mentioned in
https://build.opensuse.org/request/show/779108 15.1 / chromium
https://build.opensuse.org/request/show/779109 Backports:SLE-12-SP3 / chromium
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c8

--- Comment #8 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-SU-2020:0245-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1163484,1163588,1164828
CVE References: CVE-2020-6407,CVE-2020-6418
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): chromium-80.0.3987.122-34.1
http://bugzilla.suse.com/show_bug.cgi?id=1163588#c9

--- Comment #9 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-SU-2020:0259-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1163484,1163588,1164828
CVE References: CVE-2020-6407,CVE-2020-6418
Sources used:
openSUSE Leap 15.1 (src): chromium-80.0.3987.122-lp151.2.66.1
https://bugzilla.suse.com/show_bug.cgi?id=1163588#c10

--- Comment #10 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration: This bug (1163588) was mentioned in https://build.opensuse.org/request/show/819257 Factory / permissions
https://bugzilla.suse.com/show_bug.cgi?id=1163588#c11

--- Comment #11 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration: This bug (1163588) was mentioned in https://build.opensuse.org/request/show/819386 Factory / permissions
https://bugzilla.suse.com/show_bug.cgi?id=1163588#c12

--- Comment #12 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration: This bug (1163588) was mentioned in https://build.opensuse.org/request/show/819968 Factory / permissions
https://bugzilla.suse.com/show_bug.cgi?id=1163588#c14

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): permissions-20200127-lp153.24.3.1