Is Chromium safe?


Postby debiandonder » 2019-03-09 16:25

Is the Chromium version in Debian safe to use as it is not kept up to date like Chrome?

Google issued an alert about its browser having some critical vulnerability this week and advised users to update to the latest version. The latest version of Chrome was released last Monday and Chromium on Debian has not yet been updated this Saturday.

Should I just use Firefox ESR, instead?
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby shep » 2019-03-09 16:54

The devil is in the details. Unfortunately, CVE-2019-5786 was reserved by Google, who has yet to provide details in the database:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786

That said, Debian has been providing Chromium security updates; the last was February 18, 2019:

https://www.debian.org/security/
https://www.debian.org/security/2019/dsa-4395

Typically after firefox-esr or chromium CVEs, the Debian security team will provide an update within a few days. In the interim, I would avoid sending critical passwords with chromium, particularly via a javascript interface.
shep
 
Posts: 306
Joined: 2011-03-15 15:22

Re: Is Chromium safe?

Postby Head_on_a_Stick » 2019-03-09 16:56

debiandonder wrote:Should I just use Firefox ESR, instead?

^ Probably this.

I seem to remember the chromium version falling behind a little for the last release but firefox-esr always tracked the current version very closely and was updated within a day or two of upstream.

Having said that, chrom{e,ium} has a better privsep model and so better security generally (at the expense of privacy).
Head_on_a_Stick
 
Posts: 10382
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is Chromium safe?

Postby debiandonder » 2019-03-09 17:33

Thanks for the feedback everyone, I think I'll just wait till Chromium gets updated to the version that fixes the security problem and use Firefox ESR in the meantime. Firefox works with most websites I use anyway. It just messes up the memrise website as far as the language courses are concerned when they pronounce stuff, but works most of the time with everything else.

I switched to Chromium because Chrome was updating weekly and was bothering me. I keep going back to Chrome most of the time, but lately I'm too lazy to go through the whole setup thing and adding the adblocker and changing settings to block third party cookies and all of that.

I will just wait until Chrome 73 gets released and switch then or use Firefox ESR till I have to do something important like financial website stuff.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby milomak » 2019-03-10 13:26

let's see

Code:
$ apt-cache policy chromium
chromium:
  Installed: (none)
  Candidate: 72.0.3626.122-1
  Version table:
     73.0.3683.56-1 1
          1 http://debian.mirror.ac.za/debian experimental/main amd64 Packages
          1 http://ftp.is.co.za/debian experimental/main amd64 Packages
          1 http://ftp.uk.debian.org/debian experimental/main amd64 Packages
          1 http://deb-mir1.naitways.net/debian experimental/main amd64 Packages
     72.0.3626.122-1 500
        500 http://debian.mirror.ac.za/debian sid/main amd64 Packages
        500 http://ftp.is.co.za/debian sid/main amd64 Packages
        500 http://debian.saix.net sid/main amd64 Packages
        500 http://ftp.uk.debian.org/debian sid/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian sid/main amd64 Packages
     72.0.3626.109-1 500
        500 http://debian.mirror.ac.za/debian testing/main amd64 Packages
        500 http://ftp.is.co.za/debian testing/main amd64 Packages
        500 http://debian.saix.net testing/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian testing/main amd64 Packages
     70.0.3538.110-1~deb9u1 500
        500 http://debian.mirror.ac.za/debian stable/main amd64 Packages
        500 http://ftp.is.co.za/debian stable/main amd64 Packages
        500 http://debian.saix.net stable/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian stable/main amd64 Packages


Code:
apt-cache policy google-chrome-stable
google-chrome-stable:
  Installed: 72.0.3626.121-1
  Candidate: 72.0.3626.121-1
  Version table:
 *** 72.0.3626.121-1 500
        500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
        100 /var/lib/dpkg/status

Desktop: iMac Late-2015 27" 5K Retina (17,1 - 3.3GHz) - MacOS and Windows 10 (Bootcamp)/ Debian Sid (External SSD)
Laptop: Lenovo ideapad Y700 [nVidia Optimus] (64-bit) - Debian Sid, Win10,
Kodi Box: AMD Athlon 5150 APU w/Radeon HD 8400 - Debian Sid
milomak
 
Posts: 1981
Joined: 2009-06-09 22:20

Re: Is Chromium safe?

Postby gusnan » 2019-03-10 15:26

You all have probably seen it, but:

https://www.debian.org/security/2019/dsa-4404
gusnan
 
Posts: 24
Joined: 2009-01-15 06:26

Re: Is Chromium safe?

Postby debiandonder » 2019-03-10 18:06

Thanks! The update came up today.

I think it was some vulnerability in Chrome that could be used to gain control of Windows 7 36-bit.

Keep calm and use Linux.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby debiandonder » 2019-03-11 02:39

Just an update. If I want to go to the site Daily Mail, the latest chromium version just gives me an "Oh snap!" message. I must not like Daily Mail.

Firefox ESR works with that site, so no worries.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby Head_on_a_Stick » 2019-03-11 07:00

debiandonder wrote:If I want to go to the site Daily Mail, the latest chromium version just gives me an "Oh snap!" message.

That's not a bug, it's a feature!

debiandonder wrote:I must not like Daily Mail.

No, best not.

Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:

https://www.globaljustice.org.uk/blog/2 ... daily-mail
Head_on_a_Stick
 
Posts: 10382
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-11 10:09

Why do you prefer to use chromium and not chrome?

Chrome can be downloaded as a .deb from Google's website and it will register apt repositories for updates.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby dilberts_left_nut » 2019-03-11 10:57

MagicPoulp wrote:and it will register apt repositories for updates.

Yay, root access to your PC for google ... :oops:
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 5007
Joined: 2009-10-05 07:54
Location: enzed

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-11 11:59

Installing a .deb from Google does not give sudo access to google on my computer. Only the installation uses sudo, not the execution of the program. And the package manager is very smart.
It only copies files to /usr/bin and puts config files and libraries in other folders. It cannot do more than copy files.

dpkg is only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list

If you really don't want to run sudo, you can use a chroot, that is a fake root folder.

Besides, AppArmor will be by default in Buster. So applications will be even more protected.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby Head_on_a_Stick » 2019-03-11 18:02

MagicPoulp wrote:Why do you prefer to use chromium and not chrome?

Because Google will not release the full source code for Chrome.

What are they hiding, exactly?
Head_on_a_Stick
 
Posts: 10382
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is Chromium safe?

Postby debiandonder » 2019-03-11 21:21

Head_on_a_Stick wrote:
debiandonder wrote:If I want to go to the site Daily Mail, the latest chromium version just gives me an "Oh snap!" message.

That's not a bug, it's a feature!

debiandonder wrote:I must not like Daily Mail.

No, best not.

Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:

https://www.globaljustice.org.uk/blog/2 ... daily-mail


Sorry, I meant it must not like Daily Mail, meaning Chromium. It turned out it was Adguard adblocker that was causing the problem. Wish it had inbuilt privacy protection like Firefox. Just use Chromium because it works with all sites, not because I particularly like it.

Daily Mail has lots of pretty pictures, BBC is too boring.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby dilberts_left_nut » 2019-03-11 22:20

MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.

No, but adding the repo lets them put whatever they want on your box.

MagicPoulp wrote:Only the installation uses sudo, not the execution of the program.

There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.

MagicPoulp wrote:And the package manager is very smart.
It only copies files to /usr/bin and puts config files and libraries in other folders. It cannot do more than copy files.

Really?
... and the pre & post-inst script mechanisms?

MagicPoulp wrote:dpkg is only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list

That can be called anything and contain anything.

MagicPoulp wrote:If you really don't want to run sudo, you can use a chroot, that is a fake root folder.

Which has nothing to do with the subject.

MagicPoulp wrote:Besides, AppArmor will be by default in Buster. So applications will be even more protected.

Snake Oil salesmen are alive and doing well.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 5007
Joined: 2009-10-05 07:54
Location: enzed
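
The exchange above turns on what a vendor .deb can do while dpkg installs it as root: run pre/post-inst scripts and add an APT source. The following Python script is an added example, not code from any poster or from Debian or Google; it opens a .deb without installing it and lists the maintainer scripts, the script lines that mention APT, cron, init or systemd paths, and any files shipped under those paths. The `WATCHED` path list and all function names are choices made for this example.

```python
import io
import tarfile

SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}  # dpkg runs these as root
# Example's own choice of paths where a package can change what apt trusts or root runs.
WATCHED = ("etc/apt/", "etc/cron.", "etc/init.d/", "systemd/system/")

def ar_members(blob):
    """Yield (name, data) for each member of the ar archive that a .deb is."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        size = int(hdr[48:58].decode())
        yield hdr[:16].decode().strip().rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def tar_files(data, keep):
    """Return {path: content} for regular files in a tarball whose path keep() accepts."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        files = ((m, m.name.removeprefix("./")) for m in tf.getmembers() if m.isfile())
        return {path: tf.extractfile(m).read() for m, path in files if keep(path)}

def watched(text):
    """True if a path or a script line mentions one of the WATCHED locations."""
    return any(w in text for w in WATCHED)

def audit_deb(blob):
    """List maintainer scripts (with lines touching WATCHED paths) and WATCHED files shipped."""
    report = {"scripts": {}, "shipped": []}
    for name, data in ar_members(blob):
        if name.startswith("control.tar"):
            for path, body in tar_files(data, lambda p: p in SCRIPTS).items():
                lines = body.decode(errors="replace").splitlines()
                report["scripts"][path] = [ln.strip() for ln in lines if watched(ln)]
        elif name.startswith("data.tar"):
            report["shipped"] = sorted(tar_files(data, watched))
    return report

if __name__ == "__main__":
    import json
    import sys
    for deb_path in sys.argv[1:]:  # .deb files that are downloaded but not yet installed
        with open(deb_path, "rb") as fh:
            print(deb_path, json.dumps(audit_deb(fh.read()), indent=2))
```

The match is a plain substring test, so a script that builds its paths from variables will not be flagged; any script listed under `scripts` should still be read in full, for instance after extracting it with `dpkg-deb -e`.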
