Asked upstream.
- Chromium doesn't support OpenPower CPUs (no builds for ppc64 within Debian)
- Use Chromium? Sync Features Will Stop Working on March 15 - OMG! Ubuntu!
It would be better not to link it to Google.
Countermeasures: In response to a report that a tracker was using CNAMEs to circumvent privacy blocklists, uBlock Origin released an update for its Firefox version that thwarts CNAME cloaking [23]. The extension blocks requests to CNAME trackers by resolving the domain names using the browser.dns.resolve API method to obtain the last CNAME record (if there is any) before each request is sent. Subsequently, the extension checks whether the domain name matches any of the rules in its block lists, and blocks requests with matching domains while adding the outcome to a local cache. Although uBlock Origin also has a version for Chromium-based browsers, the same defense cannot be applied because Chromium-based browser extensions do not have access to an API to perform DNS queries. As such, at the time of this writing, it is technically impossible for these extensions to block requests to trackers that leverage CNAME records to avoid detection.
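The uncloaking check the quoted paragraph describes, as an added example (not the thread's or uBlock Origin's own code): follow the CNAME chain to its last record, match the canonical name against domain rules, cache the outcome. The resolver is injected because the real Firefox API, browser.dns.resolve(host, ["canonical_name"]), is promise-based and only exists inside an extension; the lookup table standing in for it is constructed, and the loop guard is an assumption about a failure mode the text does not mention.

```javascript
// Added example: CNAME-uncloaking block decision. The CNAME table is constructed;
// in an extension, `resolve` would wrap `await browser.dns.resolve(host, ["canonical_name"])`.
const CONSTRUCTED_CNAMES = {
  "metrics.example-shop.test": "shop-prod.cname-tracker.test", // first-party-looking name
  "shop-prod.cname-tracker.test": "edge.cname-tracker.test",   // chained CNAME
  "loop-a.example-shop.test": "loop-b.example-shop.test",      // misconfigured loop (assumed case)
  "loop-b.example-shop.test": "loop-a.example-shop.test",
};
const tableResolver = (host) => CONSTRUCTED_CNAMES[host] ?? null; // null: no CNAME, A/AAAA only

// Filter-list style domain rule: matches the domain itself and every subdomain.
function matchesBlocklist(hostname, blocklist) {
  return blocklist.some((d) => hostname === d || hostname.endsWith("." + d));
}

function createCnameBlocker({ blocklist, resolve, maxHops = 8 }) {
  const cache = new Map(); // hostname -> last CNAME target, mirroring the local cache

  // Follow the CNAME chain to its last record; stop on a loop or excessive depth.
  function canonicalName(hostname) {
    if (cache.has(hostname)) return cache.get(hostname);
    let name = hostname;
    const seen = new Set([name]);
    for (let hop = 0; hop < maxHops; hop++) {
      const next = resolve(name);
      if (!next || seen.has(next)) break;
      seen.add(next);
      name = next;
    }
    cache.set(hostname, name);
    return name;
  }

  // Decision for one outgoing request: block on the visible host or on the
  // uncloaked canonical name. `via` records which name matched, for logging.
  function shouldBlock(requestUrl) {
    const hostname = new URL(requestUrl).hostname;
    if (matchesBlocklist(hostname, blocklist)) return { block: true, via: hostname };
    const canonical = canonicalName(hostname);
    if (canonical !== hostname && matchesBlocklist(canonical, blocklist)) {
      return { block: true, via: canonical };
    }
    return { block: false, via: canonical };
  }
  return { shouldBlock, canonicalName, cache };
}

const blocker = createCnameBlocker({ blocklist: ["cname-tracker.test"], resolve: tableResolver });
```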
Indeed. This is good news. The transition isn’t nice for users but from Freedom Software viewpoint, it is good that Open Source code interacting with proprietary API has been removed.
Security bummer:
Viewing the situation as of 14 March 2021:
- Remotely exploitable Chromium security vulnerability CVE-2021-21193 is, as reported by Google, being used in the wild.
- Unfixed in Debian.
- Unfixed in Chromium on Flathub.
- Unfixed in Chromium on Snap Store.
- Fixed in official Google Chrome (non-freedom!) version.
More details in wiki:
Remotely Exploitable Chromium Security Vulnerability CVE-2021-21193 exploited in the wild
Chromium is basically all independent upstream. The relevant ones available for Kicksecure all lag behind with security critical updates.
Viewing the situation as of 03 April 2021:
- Both FlatHub and Snap Store had a more than 2-week gap between Google reporting a security vulnerability being exploited in the wild and these software stores pushing an upgrade.
- Debian chromium package is still vulnerable.
Exploited in the wild is a crucial difference here. That’s the line between theoretic considerations and security in the real world.
03 April 2021
- firefox-esr on Debian Security Tracker
  - One unimportant issue.
  - No security vulnerabilities reported being exploited in the wild.
- chromium on Debian Security Tracker
  - 6 CVEs.
  - At least 1 vulnerability reported being exploited in the wild.
Due to my above two posts and this post… Firefox and Chromium | Madaidan's Insecurities, may I suggest replacing Chromium with Chrome? @madaidan
It sounds right in theory but all the security mitigation in Chromium didn’t help to avoid this vulnerability being exploited in the wild. We should prioritize security in the real world over theoretic considerations. Despite all security innovations in Chrome / Chromium, that didn’t actually help users in the real world if Chromium maintenance (new releases with security fixes) lags behind Chrome. Maintenance is unfortunately something that cannot be excluded from the security comparison.
Now for more than 2 weeks Kicksecure would have had the choice to either install by default:
- Firefox: No security vulnerabilities reported being exploited in the wild.
- Chromium: At least 1 vulnerability reported being exploited in the wild.
More theoretic considerations…
Additionally, users on the Linux platform [1] had the choice:
- to use non-freedom software Chrome + being vulnerable to Google Chrome Repository Insecurity
Kicksecure Freedom Software doesn't have the chance to install Chrome by default because it would then become non-freedom software. Even when mixing Freedom Software with non-freedom software, I wouldn't know if Chrome could be legally redistributed. I haven't found the license agreement for Chrome yet.
The question of the Kicksecure default browser, Debian's Firefox ESR (or any other Firefox from alternative sources) versus any Chromium, has unfortunately now become less clear to me.
[1] Leaving out Windows from considerations since this is about what to do in Kicksecure, Freedom Software, Linux based.
Everything in the article still applies to Chromium. Independent parties packaging it insecurely doesn’t affect the security of it upstream.
Looking into Flatpak more, it appears they disable Chromium’s Layer-1 sandbox and replace it with the much weaker Flatpak sandbox for seemingly no reason: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/0005-flatpak-Add-initial-sandbox-support.patch
I’ve also heavily updated my Firefox article recently and I’m going to push another update soon.
madaidan via Whonix Forum:
Everything in the article still applies to Chromium. Independent parties packaging it insecurely doesn’t affect the security of it upstream.
Worth mentioning distribution issues, though. Since it makes a big difference for theory/practice.
Then Chromium upstream doesn't really act like a usual upstream. No stable releases. That link goes to Chrome instead. As mentioned earlier. No (gpg) signed releases.
Since Chromium doesn't really maintain a stable release upstream, that results in this insecure situation in downstream Debian.
I find too many unresolved vulnerabilities in Debian’s Chromium security tracker. For now, is it better to use Firefox instead?
I don’t think Chromium from Debian will get any better soon, is it better to switch to a decent Chromium stable upstream? (I’m not aware of any stable upstream though) Maybe use Brave?
Firefox isn’t much better. Even assuming that Debian’s packaging of Firefox is flawless (it almost certainly is not), it’s still using an ESR build which inherently has many public, unfixed vulnerabilities upstream that can’t be patched even if Debian were to keep the package updated.
We might have to use another upstream, Chromium from Debian is even worse than Firefox (and Firefox-ESR) from Debian.
Discussed earlier. Doesn’t exist.
Chromium Browser for Kicksecure Discussions (not Whonix) - #27 by Patrick
Switched out chromium for firefox-esr because as things stand, chromium on Linux has very big problems with stale bug fixes compared to Mozilla.
Not reverted.
You only added to dummy-dependency.
For such changes, you need to search the whole file for chromium, better the whole source code, best all source code. In this case, the whole file would have been enough.
Meta package kicksecure-desktop-applications-recommended wasn't changed.
That should do it for chromium, but it doesn’t add firefox. Should firefox-esr be added everywhere chromium was mentioned?
When appropriate. It can be seen from the context. From the package name as well as the description and the other fields.
There is:
- Package: kicksecure-desktop-applications-recommended
- Package: dummy-dependency
Still missing firefox-esr under Package: kicksecure-desktop-applications-recommended in the Depends: list.