Is Chromium safe?

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Is Chromium safe?

#1 Post by debiandonder »

Is the Chromium version in Debian safe to use as it is not kept up to date like Chrome?

Google issued an alert about its browser having some critical vulnerability this week and advised users to update to the latest version. The latest version of Chrome was released last Monday and Chromium on Debian has not yet been updated this Saturday.

Should I just use Firefox ESR, instead?

shep
Posts: 423
Joined: 2011-03-15 15:22

Re: Is Chromium safe?

#2 Post by shep »

The devil is in the details. Unfortunately CVE-2019-5786 was reserved by Google who has yet to provide details in the database

https://cve.mitre.org/cgi-bin/cvename.c ... -2019-5786

That said, Debian has been providing Chromium security updates, the last was February 18, 2019

https://www.debian.org/security/
https://www.debian.org/security/2019/dsa-4395

Typically after firefox-esr or chromium CVEs, the Debian security team will provide an update within a few days. In the interim, I would avoid sending critical passwords with chromium, particularly via a javascript interface.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#3 Post by Head_on_a_Stick »

debiandonder wrote:Should I just use Firefox ESR, instead?
^ Probably this.

I seem to remember the chromium version falling behind a little for the last release but firefox-esr always tracked the current version very closely and was updated within a day or two of upstream.

Having said that, chrom{e,ium} has a better privsep model and so better security generally (at the expense of privacy).
deadbang

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#4 Post by debiandonder »

Thanks for the feedback everyone, I think I'll just wait till Chromium gets updated to the version that fixes the security problem and use Firefox ESR in the meantime. Firefox works with most websites I use anyway. It just messes up the memrise website as far as the language courses are concerned when they pronounce stuff, but works most of the time with everything else.

I switched to Chromium because Chrome was updating weekly and was bothering me. I keep going back to Chrome most of the time, but lately I'm too lazy to go through the whole setup thing and adding the adblocker and changing settings to block third party cookies and all of that.

I will just wait until Chrome 73 gets released and switch then or use Firefox ESR till I have to do something important like financial website stuff.

milomak
Posts: 2160
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Is Chromium safe?

#5 Post by milomak »

let's see

$ apt-cache policy chromium             
chromium:
  Installed: (none)
  Candidate: 72.0.3626.122-1
  Version table:
     73.0.3683.56-1 1
          1 http://debian.mirror.ac.za/debian experimental/main amd64 Packages
          1 http://ftp.is.co.za/debian experimental/main amd64 Packages
          1 http://ftp.uk.debian.org/debian experimental/main amd64 Packages
          1 http://deb-mir1.naitways.net/debian experimental/main amd64 Packages
     72.0.3626.122-1 500
        500 http://debian.mirror.ac.za/debian sid/main amd64 Packages
        500 http://ftp.is.co.za/debian sid/main amd64 Packages
        500 http://debian.saix.net sid/main amd64 Packages
        500 http://ftp.uk.debian.org/debian sid/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian sid/main amd64 Packages
     72.0.3626.109-1 500
        500 http://debian.mirror.ac.za/debian testing/main amd64 Packages
        500 http://ftp.is.co.za/debian testing/main amd64 Packages
        500 http://debian.saix.net testing/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian testing/main amd64 Packages
     70.0.3538.110-1~deb9u1 500
        500 http://debian.mirror.ac.za/debian stable/main amd64 Packages
        500 http://ftp.is.co.za/debian stable/main amd64 Packages
        500 http://debian.saix.net stable/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian stable/main amd64 Packages

apt-cache policy google-chrome-stable 
google-chrome-stable:
  Installed: 72.0.3626.121-1
  Candidate: 72.0.3626.121-1
  Version table:
 *** 72.0.3626.121-1 500
        500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
        100 /var/lib/dpkg/status
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid

gusnan
Posts: 46
Joined: 2009-01-15 06:26
Has thanked: 3 times
Been thanked: 1 time

Re: Is Chromium safe?

#6 Post by gusnan »

You all have probably seen it, but:

https://www.debian.org/security/2019/dsa-4404

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#7 Post by debiandonder »

Thanks! The update came up today.

I think it was some vulnerability in Chrome that could be used to gain control of Windows 7 36-bit.

Keep calm and use Linux.

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#8 Post by debiandonder »

Just an update. If I want to go to the site Daily Mail, the latest chromium version just gives me an "Oh snap!" message. I must not like Daily Mail.

Firefox ESR works with that site, so no worries.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#9 Post by Head_on_a_Stick »

debiandonder wrote:If I want to go to the site Daily Mail, the latest chromium version just gives me an "Oh snap!" message.
That's not a bug, it's a feature!
debiandonder wrote:I must not like Daily Mail.
No, best not.

Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:

https://www.globaljustice.org.uk/blog/2 ... daily-mail
deadbang

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#10 Post by MagicPoulp »

Why do you prefer to use chromium and not chrome?

Chrome can be downloaded as a .deb from Google's website and it will register apt repositories for updates.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Is Chromium safe?

#11 Post by dilberts_left_nut »

MagicPoulp wrote:and it will register apt repositories for updates.
Yay, root access to your PC for google ... :oops:
AdrianTM wrote:There's no hacker in my grandma...

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#12 Post by MagicPoulp »

Installing a .deb from Google does not give sudo access to google on my computer. Only the installation uses sudo not the execution of the program. And the package manager is very smart.
It only copies files to the /usr/bin and puts config files and libraries in other folders. It cannot do more than copy files.

dpkg is only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list

If really you don't want to run sudo, you can use a chroot, that is a fake root folder.

Besides, AppArmor will be by default in Buster. So applications will be even more protected.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#13 Post by Head_on_a_Stick »

MagicPoulp wrote:Why do you prefer to use chromium and not chrome?
Because Google will not release the full source code for Chrome.

What are they hiding, exactly?
deadbang

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#14 Post by debiandonder »

Head_on_a_Stick wrote:
debiandonder wrote:If I want to go to the site Daily Mail, the latest chromium version just gives me an "Oh snap!" message.
That's not a bug, it's a feature!
debiandonder wrote:I must not like Daily Mail.
No, best not.

Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:

https://www.globaljustice.org.uk/blog/2 ... daily-mail
Sorry, I meant it must not like Daily Mail, meaning Chromium. It turned out it was Adguard adblocker that was causing the problem. Wish it had inbuilt privacy protection like Firefox. Just use Chromium because it works with all sites, not because I particularly like it.

Daily Mail has lots of pretty pictures, BBC is too boring.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Is Chromium safe?

#15 Post by dilberts_left_nut »

MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.
No, but adding the repo lets them put whatever they want on your box.
Only the installation uses sudo not the execution of the program.
There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.
And the package manager is very smart.
It only copies files to the /usr/bin and puts config files and libraries in other folders. It cannot do more than copy files.
Really?
... and the pre & post-inst script mechanisms?
dpkg is only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
That can be called anything and contain anything.
If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Which has nothing to do with the subject.
Besides, AppArmor will be by default in Buster. So applications will be even more protected.
Snake Oil salesmen are alive and doing well.
AdrianTM wrote:There's no hacker in my grandma...

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#16 Post by MagicPoulp »

Head_on_a_Stick wrote:
MagicPoulp wrote:Why do you prefer to use chromium and not chrome?
Because Google will not release the full source code for Chrome.

What are they hiding, exactly?
Yes good point. They do tracking, and they collect data about people. Like the Javascript code injection they use with their front-end advertising script. But if they own the browser, it is even better.

But one can assume that one does not care. I already use google mail. So at this point, I don't really care using the proprietary google chrome.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#17 Post by MagicPoulp »

Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

It seems strange. But I did not check the internals of dpkg myself.

A chroot will not give sudo access to your real root folder but to a fake one.
dilberts_left_nut wrote:
MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.
No, but adding the repo lets them put whatever they want on your box.
Only the installation uses sudo not the execution of the program.
There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.
And the package manager is very smart.
It only copies files to the /usr/bin and puts config files and libraries in other folders. It cannot do more than copy files.
Really?
... and the pre & post-inst script mechanisms?
dpkg is only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
That can be called anything and contain anything.
If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Which has nothing to do with the subject.
Besides, AppArmor will be by default in Buster. So applications will be even more protected.
Snake Oil salesmen are alive and doing well.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Is Chromium safe?

#18 Post by dilberts_left_nut »

MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

It seems strange. But I did not check the internals of dpkg myself.

A chroot will not give sudo access to your real root folder but to a fake one.
You seem to be missing some basic concepts.
What does "sudo access" mean?
Using a chroot is indeed giving you full access to the filesystem you are chrooting into.

The package installation procedure must have root privileges to install system files, set owner and group permissions etc and run the install scripts to add users/groups and such and set up other environment requirements for the software being installed.

By adding a repo and installing packages you are handing control of your system to whoever can put code in that repo.

The Debian repos have systems in place to ensure provided binaries match the source code, which is all reviewable and provides a chain of trust that is verifiable.

Closed source binaries (and random 'third party' repos) do not - use at your own risk.
AdrianTM wrote:There's no hacker in my grandma...

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#19 Post by MagicPoulp »

OK you gave your opinion.

But I thought dpkg was smart. Waiting for someone else to clarify if dpkg is smart or not.

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#20 Post by debiandonder »

I don't know if Chromium Debian Stretch version is safe, because I was using it today, with two tabs open and went away to make some tea. When I came back everything was frozen. Mouse didn't work, keyboard didn't work. Just Chromium staring at me.

This is the second time this year that I had a complete system freeze. The previous time was with Firefox Snap version on Ubuntu 14.04.

I'm beginning to wonder if I should just try Manjaro to see if it's more stable than Debian or Ubuntu.
