Chromium Browser in Bionic - end of support and CVE problems

Asked by Piotr

Dear Community,

I would like to ask you about security problems with the Chromium browser in bionic. I can see a lot of CVE reports which are not fixed. I want to know if they will be fixed for bionic or not. My ubuntu-support-status command suggests that support for chromium-browser on bionic has ended. Does it mean that all the security problems will not be fixed?

I hope that you will answer.

This is the link: https://ubuntu.com/security/cve?q=&package=chromium-browser&priority=&version=bionic&status=needed

Yours faithfully,
Piotr

Question information

Language: English
Status: Solved
For: Ubuntu chromium-browser
Assignee: No assignee
Solved by: Manfred Hampl
david John (davidjohn1213) said :
#1

Did you get the solution for this?

Manfred Hampl (m-hampl) said :
#2

Have you considered using chromium from the snap store?

Piotr (peterq94) said :
#4

@Manfred Hampl as you know, I am a beginner. If I install chromium from the snap store, will I get support? If I install from the snap store, will I have chromium outside the Ubuntu "universe" repository?

@david John, I thought about changing the OS to focal, but I have a lot of problems with LXQt on my machine.

Manfred Hampl (m-hampl) said :
#5

The snap store has a completely different support strategy and does not distinguish between different categories (like "main" and "universe" in Ubuntu). https://snapcraft.io/chromium

Piotr (peterq94) said :
#7

@Manfred Hampl thank you for your professional and helpful answer. As always, you had a good idea. Now I am thinking of moving away from the Debian chromium-browser package (I mean the .deb package from the Ubuntu repository).

Maybe I can install Google Chrome instead of Chromium. I know that Chromium is better for privacy reasons, but I want to try with Google. Maybe they will have less CVE in their software. I know that Chrome is based on Chromium, but maybe they included some changes in the code. I simply downloaded the package from this website: https://www.google.com/chrome/

Now I have downloaded the file google-chrome-stable_current_amd64.deb and everything would be fine, but I don't know how to install this with the apt command. I have always used apt to install packages from the Ubuntu repository. Is there an option to install a package from a file? I know that there are options with dpkg or apt-get, but I have always used apt because it was easier for me. I heard also that apt is better than apt-get because it is a newer program than apt-get. I found this command: sudo apt install ./google-chrome-stable_current_amd64.deb.

The second problem is verifying this package. The file can be corrupted, or other things like Meet in the middle can be done. So I found this solution: https://www.google.com/linuxrepositories/

I downloaded the gpg keys and imported them into the gpg program, but I can't verify this .deb package file from Google because an error is shown (gpg output in terminal), so I think that apt must do this instead of gpg. So how can I do this? I read the instructions for the rpm package and it is very easy there, but for apt I have no idea how to do this and I can't find a solution on the internet.

P.S. I don't know if apt will verify the file before installation. If I add the gpg keys from the Google website to apt with the apt-key add command, then maybe I should use apt install <name_of_package> and apt will download and verify the package automatically, but I don't know what the name of the package is. On the Google website I can't find this information.

actionparsnip (andrew-woodhead666) said :
#8

sudo dpkg -i ~/Downloads/google-chrome-stable_current_amd64.deb

sudo apt-get -f install

Manfred Hampl (m-hampl) said :
#9

"I have downloaded file: google-chrome-stable_current_amd64.deb but I don't know how install this with apt command"
You are mixing two different things.
apt and apt-get are programs for downloading from a configured repository and installing packages.
They are practically identical, and I cannot rate one being better than the other.
If you have already downloaded a deb file, then you have to use dpkg or gdebi for installing.

"I heard also that apt is better than apt-get"
In the past there were separate commands apt-get and apt-search, but they have now been combined and apt can do what the different commands did.

"I want to try with Google. Maybe they will have less CVE in their software."
The basic logic in Chrome and Chromium is identical. So if there is a flaw that has got a CVE number in one of them, then for sure the bug is also present in the other.
If you dig into the links of your first reference to
https://ubuntu.com/security/CVE-2021-21233
and further to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21233
you will even see that the description only mentions "Google Chrome" and not "Chromium", although it most probably also affects the other one.

"I downloaded gpg keys but I can't verify this .deb package file"
The gpg keys cannot be used for validating a *.deb file that you already have downloaded.
They are to be used for verifying apt archives and they are checked before downloading the software packages.
You can use them on the google chrome repository only if you set up that repository (e.g. with add-apt-archive), and if you download the chrome *.deb file with an apt command.
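
What this answer describes, as an added example that is not part of the original thread: the repository key signs the archive's Release/InRelease file, which lists hashes of the Packages index, which in turn lists the Size and SHA256 of every .deb, so a single .deb is checked by hash against its index entry rather than by gpg directly. The code assumes the Packages text has already been authenticated by apt; the package names, versions and file contents are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded .deb file (not a real package).
SAMPLE_DEB = b"!<arch>\nconstructed example payload\n"

# Constructed Packages index; package names and versions are hypothetical.
SAMPLE_INDEX = f"""Package: example-tool
Version: 2.3-1
Size: 10
SHA256: {'0' * 64}

Package: example-browser
Version: 1.0-1
Description: constructed entry
 with a continuation line
Size: {len(SAMPLE_DEB)}
SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}
"""

def parse_packages(text):
    """Split a Packages index into one dict of fields per stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas

def verify_deb(deb_bytes, index_text, package, version):
    """Check deb_bytes against the index entry; returns (ok, reason)."""
    for st in parse_packages(index_text):
        if (st.get("Package"), st.get("Version")) != (package, version):
            continue
        if "Size" not in st or "SHA256" not in st:
            return False, "index entry lacks Size or SHA256"
        if len(deb_bytes) != int(st["Size"]):
            return False, "size mismatch"
        digest = hashlib.sha256(deb_bytes).hexdigest()
        if not hmac.compare_digest(digest, st["SHA256"].lower()):
            return False, "SHA256 mismatch"
        return True, "matches index entry"
    return False, "package/version not in index"
```

A match only means the file is the one the index describes; the trust comes from the signature apt checked on the index, not from the hash comparison itself.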

Piotr (peterq94) said :
#10

@Manfred Hampl thank you again for the professional answer. So on Ubuntu family systems there is no option to verify a downloaded *.deb file with gpg keys?

" Recent versions of apt-get will automatically attempt to verify packages on download. If an appropriate key is not found or if the package is corrupted, you will get a message like the following:

WARNING: The following packages cannot be authenticated!
packagename "

So on the Google website I can see that apt-get will automatically verify packages on download. But my question is how I can use apt-get to download *.deb files from the Google Chrome website. Is the only option to set up the Google repository? Google doesn't have information about the repository http address which I can add. Can you help?

Manfred Hampl (m-hampl) said :
#11

Piotr (peterq94) said :
#12

Thank you Manfred Hampl, I installed the Google Chrome browser, but I was surprised that the ubuntu-support-status command output "tells" me that this package is not supported. Is this normal because bionic is outdated software, or maybe Google doesn't support Chrome for bionic? What is the reason for this output?

Manfred Hampl (m-hampl) said :
#13

You are misinterpreting the output of ubuntu-support-status.
Ubuntu does not provide support for the chrome package that you have downloaded from the google repository.
ubuntu-support-status does not make any statement whether that package may be supported by somebody else. That is something that you have to investigate yourself.

Piotr (peterq94) said :
#15

@Manfred Hampl, thank you for the answer. You wrote that Ubuntu doesn't provide support for the chrome package. Of course it is true, so why is this package mentioned in ubuntu-support-status? The output should be something like --> not applicable, but not unsupported. How can this be unsupported if Ubuntu never supported this package? For me it is not logical, but maybe my perception is wrong.

Manfred Hampl (m-hampl) said :
#16

What is wrong with "unsupported"?

"unsupported" is the opposite of "supported" and means that _currently_ there is no support for this package by Ubuntu.

It can be that the package was supported in the past and is no longer supported,
but "unsupported" can also mean that the package has never been supported at all.
For all foreign packages it is the latter.

The chrome package from google has never been supported by Ubuntu, and it probably will never be supported. So it is simply "unsupported".

And ubuntu-support-status shows the status of all packages that you have installed on your system, independent from their origin. Why should it exclude chrome from google?

Piotr (peterq94) said :
#17

I also noticed a bug. I don't know why, but in /etc/apt/sources.list.d I created google-chrome.list, and the next day I noticed a second file in the directory /etc/apt/sources.list.d named google.list. I didn't create two files. One file was created automatically by itself, and I received errors on update. I removed one of the files and now it works perfectly, but why was it created automatically?

Best Manfred Hampl (m-hampl) said :
#18

I doubt that any Ubuntu program creates additional sources.list.d files without being asked to do so.
Maybe Google chrome does something like that, but this is outside Ubuntu support.
I suggest that you check with google, because you have installed the google version of the chrome/chromium browser.

Piotr (peterq94) said :
#19

Thanks Manfred Hampl, that solved my question.