auto-open pdf files is impossible because of security warnings

Bug #1009902 reported by peridot
This bug affects 2 people
Affects: chromium-browser (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When I click on a link to a PDF file, the file downloads but a warning appears, saying "this type of file may harm your computer" and asking whether I want to keep it or remove it. If I hit "keep", which I basically always want to do since I clicked on the link in the first place, the PDF is then automatically opened in evince.

What should happen: either no warning at all under these circumstances, or one warning only. Instead, even if I click the same link to the same PDF file again, I get the warning again.

Upstream claims to have fixed this bug:
http://code.google.com/p/chromium/issues/detail?id=65895

In particular, they do not want to remove the warning entirely, because PDF vulnerabilities do occur, but they claim that if (a) the user has set PDFs to auto-open and (b) the user has already accepted a PDF from the given site, then the warning will not reoccur. For me, it reoccurs every time, that is, I do not see the behaviour upstream claims.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: chromium-browser 18.0.1025.151~r130497-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-23.31-lowlatency 3.2.14
Uname: Linux 3.2.0-23-lowlatency x86_64
ApportVersion: 2.0.1-0ubuntu8
Architecture: amd64
Date: Thu Jun 7 04:53:40 2012
Desktop-Session:
 DESKTOP_SESSION = gnome-shell
 XDG_CONFIG_DIRS = /etc/xdg/xdg-gnome-shell:/usr/share/ubuntustudio-menu/:/etc/xdg/
 XDG_DATA_DIRS = /usr/share/gnome-shell:/usr/share/gnome:/usr/local/share/:/usr/share/
EcryptfsInUse: Yes
Env:
 MOZ_PLUGIN_PATH = None
 LD_LIBRARY_PATH = None
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm-256color
 PATH=(custom, user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: chromium-browser
UpgradeStatus: Upgraded to precise on 2012-04-27 (40 days ago)
chromium-default: CHROMIUM_FLAGS=""

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 37.0.2062.94-0ubuntu0.12.04.1~pkg909

---------------
chromium-browser (37.0.2062.94-0ubuntu0.12.04.1~pkg909) precise-security; urgency=medium

  * Release to stage

chromium-browser (37.0.2062.94-0ubuntu1) UNRELEASED; urgency=low

  * Upstream release 37.0.2062.94.
    - CVE-2014-3165: Use-after-free in Blink websockets.
    - CVE-2014-3176, CVE-2014-3177: A combination of bugs in V8, IPC, sync, and
      extensions that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3168: Use-after-free in SVG.
    - CVE-2014-3169: Use-after-free in DOM.
    - CVE-2014-3170: Extension permission dialog spoofing.
    - CVE-2014-3171: Use-after-free in bindings.
    - CVE-2014-3172: Issue related to extension debugging.
    - CVE-2014-3173: Uninitialized memory read in WebGL.
    - CVE-2014-3174: Uninitialized memory read in Web Audio.
    - CVE-2014-3175: Various fixes from internal audits, fuzzing and other
      initiatives.
    - CVE-2014-3176, CVE-2014-3177: Interaction of extensions, IPC, the sync
      API, and Google V8 to execute arbitrary code.
  * Fix a shell bug in the binary-wrapper that prevented USER flags
    from working properly.
  * debian/control: Suggests chromiumflashplugin .
  * debian/apport: Significant cleanup.
  * debian/rules: Disable SSE instructions on x86 to avoid SIGILL on some CPUs.
    (LP: #1353185)
  * debian/checkout-orig-source.mk: Don't include src/ prefix in orig tarball.
  * debian/patches/*: refresh line numbers.
  * debian/patches/search-credit.patch,
    debian/patches/additional-search-engines.patch: Track source files moved.
  * debian/patches/ffmpeg-gyp-config.patch,
    debian/patches/fix-gyp-space-in-object-filename-exception.patch,
    debian/patches/gyp-icu-m32-test:
    Disabled. No longer needs fixing.
  * debian/control: build-dep on openssl.
  * debian/patches/disable-sse2: Don't require SSE/SSE2 CPU features on x86.
    (LP: #1353185)
  * debian/rules: Use built-in PDF support. (LP: #513745, #1009902)

chromium-browser (36.0.1985.143-0ubuntu1) precise-security; urgency=low

  * Upstream release 36.0.1985.143:
    - CVE-2014-3165: Use-after-free in web sockets.
    - CVE-2014-3166: Information disclosure in SPDY.
    - CVE-2014-3167: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Avoid some unnecessary warning of invalid mv.
  * debian/rules: Don't use tcmalloc on i386.
  * debian/control: Don't have (unused) shlibs-depends on -dbg packages
    and non-binary packages.
  * debian/chromium-browser-codecs-ffmpeg-extra.dirs,
    debian/chromium-browser-codecs-ffmpeg.dirs: Removed. Unused.
  * debian/chromium-browser.lintian-overrides,
    debian/chromium-codecs-ffmpeg-extra-dbg.lintian-overrides,
    debian/chromium-codecs-ffmpeg-extra.lintian-overrides,
    debian/chromium-codecs-ffmpeg.lintian-overrides,
    debian/source/lintian-overrides: Add lintian overrides.
 -- Chad MILLER <email address hidden> Sun, 31 Aug 2014 17:27:11 -0400

Changed in chromium-browser (Ubuntu):
status: Confirmed → Fix Released