New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 594632 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Chromecast does not use OFFICIAL_BUILD at all

Project Member Reported by kmackay@chromium.org, Mar 14 2016

Issue description

Chromecast builds that are given to users should be built with OFFICIAL_BUILD #defined, but currently they aren't.
 

Comment 1 by jam@chromium.org, Mar 14 2016

the chromium code is written with the assumption that we can slightly decrease security or increase memory consumption in non-shipping builds for developer convenience.

as an example of security issues, here's a place where we open up the sandbox to ease debugging in non-official: https://code.google.com/p/chromium/codesearch#chromium/src/content/app/content_main_runner.cc&l=207

as an example of increased binary size: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/wtf/PartitionAlloc.h&l=446
Labels: -Pri-2 Security_Impact-Stable Security_Severity-Medium M-50 Pri-1
Project Member

Comment 3 by ClusterFuzz, Apr 5 2016

Labels: Nag
slan@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 4 by sheriffbot@chromium.org, Apr 21 2016

slan: Uh oh! This issue still open and hasn't been updated in the last 37 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, May 6 2016

slan: Uh oh! This issue still open and hasn't been updated in the last 52 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by och...@chromium.org, May 24 2016

Labels: -Type-Bug-Security -Security_Impact-Stable -Security_Severity-Medium Type-Bug
This doesn't seem like a it should be a Type=Bug-Security, since there is no concrete vulnerability here. Flipping labels.

Comment 7 by och...@chromium.org, May 24 2016

Components: Security

Comment 8 by jam@chromium.org, Jun 30 2016

@ochang: see comment 1, there are extra holes we open up.
Currently, static key pinning is enabled when OFFICIAL_BUILD is set.
https://cs.chromium.org/chromium/src/net/http/transport_security_state.cc?q=transportsecuritystate&sq=package:chromium&dr=CSs&l=724

We cannot enable OFFICIAL_BUILD until static key pinning no longer relies on this flag. rsleevi@ is looking at fixing this.
Cc: s...@chromium.org
Labels: -Pri-1 -M-50 -Nag -OS-All M-59 OS-Android OS-Chrome OS-iOS OS-Linux OS-Mac OS-Windows Pri-2
Owner: ----
To clarify: rsleevi@ is not working on this. I highlighted the risk of setting it.
Status: Untriaged (was: Assigned)

Comment 12 by pkl@chromium.org, Mar 6 2017

Cc: jasonkliu@chromium.org
jasonkliu is talking to the cast team about other issues.
Cc: -jasonkliu@chromium.org
Owner: jasonkliu@chromium.org
Status: Assigned (was: Untriaged)
Owner: ----
Status: Available (was: Assigned)
Owner: halliwell@chromium.org
The static key pinning part was fixed a while back: https://codereview.chromium.org/2737583002

Seems like we could attempt to use is_official_build now.
Project Member

Comment 17 by bugdroid1@chromium.org, Jun 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8777982503bdf20d27992ded417d64b8a2be081e

commit 8777982503bdf20d27992ded417d64b8a2be081e
Author: Luke Halliwell <halliwell@chromium.org>
Date: Mon Jun 12 15:59:06 2017

[Chromecast] Fix death test failures in official builds

CHECK macro strings are dropped in official builds to save space.

BUG= 594632 

Change-Id: Ic53faaa7480fa3c72a75e9af9c4a658cf05b4cc4
Reviewed-on: https://chromium-review.googlesource.com/530103
Reviewed-by: Stephen Lanham <slan@chromium.org>
Commit-Queue: Luke Halliwell <halliwell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478642}
[modify] https://crrev.com/8777982503bdf20d27992ded417d64b8a2be081e/chromecast/media/cma/backend/alsa/slew_volume_unittests.cc
[modify] https://crrev.com/8777982503bdf20d27992ded417d64b8a2be081e/chromecast/media/cma/backend/alsa/stream_mixer_alsa_unittest.cc

Status: Fixed (was: Available)
1.26 release enabled is_official_build

Sign in to add a comment