Chrome mysteriously reversed to an earlier version

Today while I was using the download feature in Chrome I noticed that the files that are downloaded are displayed at the bottom of the screen, which was characteristic for the older versions of Chrome. In the last few months the Chrome installed on my Manjaro was showing the latest downloads from one little icon which was situated on the right side of the address bar. When a file is downloaded it would be found there if you click it.

I don’t update my Manjaro applications very often, but I’m absolutely positive that I used this newer version of Chrome where the downloaded files are displayed on the top (to the right side of the address bar) for at least several months. The only thing that could have changed my Chrome was the fact that I installed one Snap application using Pamac several days ago. However, I’m pretty sure that I turned off the automatic updating of all applications in Pamac, and that only that one Snap application was installed (although it was a very big installation that included Wine and some huge file of almost one gigabyte). Even if Pamac somehow mistakenly updated Chrome, one would expect that it would update it to the latest version, not reverse to a version from September last year.

The version that I currently have is:

chrome Version 117.0.5938.88 (Official Build) (64-bit) date

It was installed from AUR.

The current version displayed there is google-chrome 123.0.6312.58-1, so my Chrome definitely got reversed to some earlier version.

Is there some way to determine what happened on my system and to explain this weird change? I have looked into the Pamac log and I don’t see anything suspicious there regarding Chrome. I can paste it here if need be.

Well in theory it is not possible :slight_smile: So it will be something surprising, strange and unexpected. Like you accidentally booting into an earlier btrfs snapshot of the system…or doing some cleanup, and accidentally replacing the pkgbuild in the buildcache with an older version…

pacman -Qs chrome
grep -i chrome /var/log/pacman.log

Your best bet.

pacman -Qs chrome

will not work because chrome is not in the repos. Maybe cscs meant something like pamac search -i chrome but I do not see how this will help, you know your version, you do not know how it got there.

I meant what I wrote.
Qs is for installed packages.
No matter their original source … if it's ALPM and installed … -Q is for it.

Maybe you are thinking of -Ss or -Si which would search the repos.

Here is what I get for these commands:

[ben85@ben85-inspiron3521 ~]$ pacman -Qs google-chrome
local/google-chrome 117.0.5938.88-1
    The popular web browser by Google (Stable Channel)
[ben85@ben85-inspiron3521 ~]$ pacman -Qs chrome
local/google-chrome 117.0.5938.88-1
    The popular web browser by Google (Stable Channel)
local/libcamera 0.1.0-2
    A complex camera support library for Linux, Android, and ChromeOS
local/libcamera-ipa 0.1.0-2
    A complex camera support library for Linux, Android, and ChromeOS - signed
[ben85@ben85-inspiron3521 ~]$ grep -i chrome /var/log/pacman.log

[2023-09-19T02:56:26+0200] [ALPM] installed google-chrome (117.0.5938.88-1)
[2023-09-19T02:56:27+0200] [ALPM-SCRIPTLET] ==> NOTE: Custom flags should be put directly in: ~/.config/chrome-flags.conf
[2023-09-19T02:56:27+0200] [ALPM-SCRIPTLET] ==> NOTE: The launcher is called: 'google-chrome-stable'
[ben85@ben85-inspiron3521 ~]$ 

To be honest, I didn’t check what version of Chrome I used until I noticed this change, but it was definitely a newer version than this one (if nothing else then because of that recently downloaded files method that is used).

In my Pamac, under options and then advanced options I have the option “enable downgrades” enabled. Could this have caused the reversal of Chrome (at least theoretically) while that snap package was being installed?

Ooops my bad. :facepalm:
Of course…once built it is a normal package.

I don't use pamac
But I’m pretty sure this is equal to pacman's double u
( Syu vs Syuu )
Meaning if a repo package is downgraded in your branch
( output like ‘XYZ is newer than…’ )
Then it will be synced with the repo. It doesn't mean packages will be randomly downgraded, or anything at all for AUR packages really.

According to this the only thing you have ever done with respect to google-chrome is install this 117 version in september, and nothing else has ever happened with that package.
Are you sure about your previous statements?
For example … was this ‘newer chrome’ you were using actually from the AUR? It was not a SNAP or flatpak or something?

Well…if that is all and you did not update and/or rebuild since September…I can imagine that was the version at that time.
Where does the pacman.log end actually, what is the last/most recent you see, if you open with a text editor?
Because that can support the theory of accidentally booting a backup snapshot. I personally do not use btrfs, maybe the others can tell how to check (if you use btrfs).

And I really do hope you have updated since September…otherwise you are in a pretty unsupported state.

For example … was this ‘newer chrome’ you were using actually from the AUR? It was not a SNAP or flatpak or something?

good point

Yes I am absolutely sure that the version that I used was from AUR, and I am absolutely sure that it was the only chrome that was installed on this computer. I suppose that it was updated once when I did the complete update of everything via terminal.

btw. Does pamac also update AUR packages when the complete update is performed?

I can also paste here the logs from that snap installation if anybody thinks that it could be useful. Just please tell me how to obtain these logs, because I’m not very knowledgeable about the stuff regarding the terminal.

If AUR is enabled, yes.

pamac also shares pacman's logs.

I guess this is also a possibility.

Another one might be third-party repos.

(though this should have shown in the log)

As it stands now … according to the ALPM logs … you installed chrome 117 about 6 months ago, and have never updated it.

Here is my pacman log since the beginning of February, which is the time when I’m certain that I used the newer Chrome.

[2024-02-05T00:00:05+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-02-05T00:00:05+0100] [PACMAN] synchronizing package lists
[2024-02-07T19:14:08+0100] [ALPM] transaction started
[2024-02-07T19:14:09+0100] [ALPM] removed guvcview (2.0.8-3)
[2024-02-07T19:14:14+0100] [ALPM] transaction completed
[2024-02-07T19:14:14+0100] [ALPM] running '30-systemd-update.hook'...
[2024-02-07T19:14:14+0100] [ALPM] running 'update-desktop-database.hook'...
[2024-02-07T19:14:55+0100] [ALPM] transaction started
[2024-02-07T19:14:55+0100] [ALPM] installed guvcview (2.0.8-3)
[2024-02-07T19:14:56+0100] [ALPM] transaction completed
[2024-02-07T19:14:56+0100] [ALPM] running '30-systemd-update.hook'...
[2024-02-07T19:14:56+0100] [ALPM] running 'update-desktop-database.hook'...
[2024-02-12T00:00:02+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-02-12T00:00:02+0100] [PACMAN] synchronizing package lists
[2024-02-19T00:00:15+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-02-19T00:00:15+0100] [PACMAN] synchronizing package lists
[2024-02-26T00:00:14+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-02-26T00:00:14+0100] [PACMAN] synchronizing package lists
[2024-02-29T23:29:51+0100] [PAMAC] synchronizing package lists
[2024-02-29T23:32:12+0100] [ALPM] transaction started
[2024-02-29T23:32:12+0100] [ALPM] installed qt5pas (1:1.2.15-1)
[2024-02-29T23:32:14+0100] [ALPM] installed doublecmd-qt5 (1.1.9-1)
[2024-02-29T23:32:14+0100] [ALPM] installed libunrar (1:6.2.12-1)
[2024-02-29T23:32:19+0100] [ALPM] transaction completed
[2024-02-29T23:32:19+0100] [ALPM] running '30-systemd-update.hook'...
[2024-02-29T23:32:19+0100] [ALPM] running 'gtk-update-icon-cache.hook'...
[2024-02-29T23:32:19+0100] [ALPM] running 'update-desktop-database.hook'...
[2024-03-04T00:00:27+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-03-04T00:00:27+0100] [PACMAN] synchronizing package lists
[2024-03-06T12:10:53+0100] [PACMAN] Running 'pacman -S gimp'
[2024-03-06T12:11:07+0100] [ALPM] running '00-timeshift-autosnap.hook'...
[2024-03-06T12:11:07+0100] [ALPM-SCRIPTLET] ==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
[2024-03-06T12:11:07+0100] [ALPM] transaction started
[2024-03-06T12:11:07+0100] [ALPM] upgraded archlinux-keyring (20231222-1 -> 20240208-1)
[2024-03-06T12:11:08+0100] [ALPM-SCRIPTLET] ==> Appending keys from archlinux.gpg...
[2024-03-06T12:11:14+0100] [ALPM-SCRIPTLET] ==> Updating trust database...
[2024-03-06T12:11:14+0100] [ALPM-SCRIPTLET] gpg: next trustdb check due at 2024-04-10
[2024-03-06T12:11:15+0100] [ALPM] transaction completed
[2024-03-06T12:11:15+0100] [ALPM] running '30-systemd-daemon-reload-system.hook'...
[2024-03-06T12:11:17+0100] [ALPM] running '30-systemd-update.hook'...
[2024-03-06T12:11:47+0100] [ALPM] running '00-timeshift-autosnap.hook'...
[2024-03-06T12:11:47+0100] [ALPM-SCRIPTLET] ==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
[2024-03-06T12:11:47+0100] [ALPM] transaction started
[2024-03-06T12:11:50+0100] [ALPM] upgraded gimp (2.10.36-1 -> 2.10.36-4)
[2024-03-06T12:11:51+0100] [ALPM] transaction completed
[2024-03-06T12:11:51+0100] [ALPM] running '30-systemd-update.hook'...
[2024-03-06T12:11:51+0100] [ALPM] running 'gtk-update-icon-cache.hook'...
[2024-03-06T12:11:51+0100] [ALPM] running 'update-desktop-database.hook'...
[2024-03-06T12:21:09+0100] [ALPM] transaction started
[2024-03-06T12:21:24+0100] [ALPM] removed gimp (2.10.36-4)
[2024-03-06T12:21:26+0100] [ALPM] transaction completed
[2024-03-06T12:21:26+0100] [ALPM] running '30-systemd-update.hook'...
[2024-03-06T12:21:27+0100] [ALPM] running 'gtk-update-icon-cache.hook'...
[2024-03-06T12:21:27+0100] [ALPM] running 'update-desktop-database.hook'...
[2024-03-06T15:30:20+0100] [ALPM] transaction started
[2024-03-06T15:30:24+0100] [ALPM] installed gimp (2.10.36-4)
[2024-03-06T15:30:25+0100] [ALPM] transaction completed
[2024-03-06T15:30:25+0100] [ALPM] running '30-systemd-update.hook'...
[2024-03-06T15:30:26+0100] [ALPM] running 'gtk-update-icon-cache.hook'...
[2024-03-06T15:30:26+0100] [ALPM] running 'update-desktop-database.hook'...
[2024-03-11T00:00:25+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-03-11T00:00:25+0100] [PACMAN] synchronizing package lists
[2024-03-18T00:00:37+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-03-18T00:00:37+0100] [PACMAN] synchronizing package lists
[2024-03-25T00:00:08+0100] [PACMAN] Running '/usr/bin/pacman -Fy'
[2024-03-25T00:00:08+0100] [PACMAN] synchronizing package lists
[2024-03-26T18:25:39+0100] [PAMAC] synchronizing package lists

One theoretical question - let’s suppose that I have some kind of rootkit or Trojan installed on my computer. If the hacker removed the newer chrome and replaced it or reverted to the earlier version, would it be possible for him to avoid being logged into the pamac and Pacman logs? Is it possible to make these type of changes and to circumvent pamac and pacman Logs?

I don’t know if this is useful, and I’m not sure what this command actually does, but it seems there is some kind of correlation between Google Chrome and that last snap installation:

pacman -Qs google-chrome && snap list 
local/google-chrome 117.0.5938.88-1
    The popular web browser by Google (Stable Channel)
Name                    Version                     Rev    Tracking       Publisher   Notes
bare                    1.0                         5      latest/stable  canonical✓  base
core                    16-2.61.2                   16928  latest/stable  canonical✓  core
core18                  20231027                    2812   latest/stable  canonical✓  base
core20                  20240111                    2182   latest/stable  canonical✓  base
gnome-3-28-1804         3.28.0-19-g98f9e67.98f9e67  198    latest/stable  canonical✓  -
gnome-3-38-2004         0+git.efb213a               143    latest/stable  canonical✓  -
gtk-common-themes       0.1-81-g442e511             1535   latest/stable  canonical✓  -
gtk2-common-themes      0.1                         13     latest/stable  canonical✓  -
snapd                   2.61.2                      21184  latest/stable  canonical✓  snapd
wine-platform-5-stable  5.0.3                       18     latest/stable  mmtrt       -
wine-platform-runtime   v1.0                        363    latest/stable  mmtrt       -
[ben85@ben85-inspiron3521 ~]$ pacman -Qs google-chrome && snap list 

It looks like you use this a lot.
I don't notice very many updates.

Do you believe this is updating your packages? It is not.

I am curious what happens if you do updates:

sudo pacman -Syu && pamac update -a

Yes … but it would need to all be done by hand.
Besides manually placing all the correct files in the correct places (and removing ‘new’ ones), the attacker would also need to manually augment the logs to, for example, remove every instance of chrome being updated.

We see the old chrome installed as a package, and all your listed snaps, which do not include chrome.
They do include wine … but it's an even further stretch to wonder about ‘is chrome installed through wine what you are thinking of?’ … right? … right?? :sweat_smile:
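
The point made above, that hiding a package change would mean editing the log by hand, can be checked from the defender's side. The following is an added example (not code from the thread or from pacman/pamac) that rebuilds one package's version chain from pacman.log text and reports broken links and any mismatch with the version `pacman -Q` shows; the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Package events as pacman and pamac write them to /var/log/pacman.log.
ALPM_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] "
    r"(?P<action>installed|reinstalled|upgraded|downgraded|removed) "
    r"(?P<pkg>\S+) \((?P<ver>[^)]+)\)$"
)

class Event(NamedTuple):
    ts: str
    action: str
    old: Optional[str]  # version the log says was present before the event
    new: Optional[str]  # version present after it (None once removed)

def package_history(log_text: str, pkg: str) -> List[Event]:
    """Return every ALPM event for pkg, in log order."""
    events = []
    for line in log_text.splitlines():
        m = ALPM_LINE.match(line.strip())
        if not m or m["pkg"] != pkg:
            continue
        action, ver = m["action"], m["ver"]
        if action in ("upgraded", "downgraded"):
            old, new = ver.split(" -> ", 1)
        elif action == "removed":
            old, new = ver, None
        elif action == "reinstalled":
            old, new = ver, ver
        else:  # installed
            old, new = None, ver
        events.append(Event(m["ts"], action, old, new))
    return events

def audit(events: List[Event], db_version: Optional[str]) -> List[str]:
    """Flag breaks in the version chain and a log/database mismatch."""
    # db_version is what `pacman -Q <pkg>` reports (None if not installed).
    findings = []
    current = events[0].new if events else None
    for ev in events[1:]:
        if ev.old != current:
            findings.append(
                f"{ev.ts}: {ev.action} expects {ev.old} before it, "
                f"but the previous logged state is {current}"
            )
        current = ev.new
    if current != db_version:
        findings.append(f"log ends at {current}, local database reports {db_version}")
    return findings

# Constructed samples: versions are the ones quoted in the thread, the 2024
# timestamp is made up. GAPPED lacks an intermediate upgrade line, as a log
# would after a crude manual edit.
INSTALL = "[2023-09-19T02:56:26+0200] [ALPM] installed google-chrome (117.0.5938.88-1)\n"
UPGRADE = "[2024-03-26T22:44:30+0100] [ALPM] upgraded google-chrome ({} -> 123.0.6312.86-1)\n"
CONSISTENT = INSTALL + UPGRADE.format("117.0.5938.88-1")
GAPPED = INSTALL + UPGRADE.format("120.0.6099.129-1")

if __name__ == "__main__":
    print(audit(package_history(GAPPED, "google-chrome"), "123.0.6312.86-1"))
```

A clean result only shows that the log is internally consistent and agrees with the local database; `pacman -Qkk google-chrome` separately compares the installed files with the metadata recorded in the package.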

To be honest, I rarely use the terminal. As far as I remember, I only updated everything through the terminal once during the latest installation (and I forget now what is the command for that :)) but it definitely has four letters. When I need something like that I just browse this forum and copy/paste it and then soon after that I forget the correct syntax. I updated the system completely via pamac several times since the installation in September last year.

So to answer your question, it doesn’t look very probable that I typed that command, especially if it appears many times. If it appears in the log, does that mean that somebody with the administrative permissions typed it? What does that command do, and do you think that the theoretical hacker could have some use for that command (for example, to find out which packages and their traces in logs he would need to remove)?

As for your second question, I don’t know if that’s a possibility. Do you think it’s possible to install something through Wine?

That was what i thought too :sweat_smile: I wrote in the beginning it will come out to be something very weird in the end. This would certainly qualify :slight_smile:

Installing usually means root (except in the case of flatpak or wine), so yes. But it does not make any sense. If I have root access to a machine, I have it all. Why would I need to downgrade anything…the whole point of having an older version of some software is for it to be vulnerable to some exploit, so I can get some privilege escalation. If I have root, why would I bother with something else. So this is veeeery improbable.

I was just wondering.
It's probably just the pacman-filesdb-refresh.service, which will do that on a timer if pacman-filesdb-refresh.timer is enabled.

Yes, it certainly is … that's probably one of the biggest features of wine.

Just to be clear - to my eyes, none of this screams nefarious activity. Earlier I said it was ‘possible’ for an attacker to achieve these results, but that's all I meant - that it was technically possible to achieve. Not that it qualifies as likely.

I do not know if the --enable-downgrade option works the same for AUR packages as repository packages, but there should have been a request from pamac for user to agree to downgrade and an entry in the journal to show package changes

I suggest you try building AUR package with pamac

pamac build google-chrome

If pamac offers to build latest version (123.0.6312.86-1) press Y to accept

and when next future version is released to AUR, check if pamac can find the new version with

pamac update -a


pamac build google-chrome

If pamac is working as expected both commands should show new version
But if history is repeating the first command will fail

Apparently this went without any problems, and this is an even newer version than the one I remember using in December last year and the beginning of this year (until a couple days ago).

I distinctly remember being even a little irritated by the change in the position of the latest downloads in Chrome, and it took me some time to get used to it. So there is no chance that I didn’t use the newer version of Chrome (newer than the September version) on this computer. But how that newer version was obliterated remains a mystery.

As for the snap programs, I only enabled snap a few days ago when I installed that vedic astrology program from there (the program is called “Jhora” and I could find it only on Snap). Before that, snap was not enabled.

I also remember that in September last year I was trying to find Google Chrome among the official repositories in pamac and was surprised that it wasn’t there, so I had to find a suitable installation in AUR. Flatpak is not and has never been enabled on this installation.

Here is how the updating of Google Chrome went:

[ben85@ben85-inspiron3521 ~]$ pamac build google-chrome 
Checking google-chrome dependencies...
Resolving dependencies...
Checking inter-conflicts...

To build (1):
  google-chrome  123.0.6312.58-1  (117.0.5938.88-1)  AUR

Edit build files : [e] 
Apply transaction ? [e/y/N] y

Cloning google-chrome build files...
Generating google-chrome information...
==== AUTHENTICATING FOR org.manjaro.pamac.commit ====
Authentication is required to install, update, or remove packages
Authenticating as: ben85

Building google-chrome...
==> Making package: google-chrome 123.0.6312.86-1 (Tue 26 Mar 2024 10:40:33 PM CET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading google-chrome-stable_123.0.6312.86-1_amd64.deb...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  102M  100  102M    0     0   867k      0  0:02:00  0:02:00 --:--:--  627k
  -> Found eula_text.html
  -> Found
==> Validating source files with sha512sums...
    google-chrome-stable_123.0.6312.86-1_amd64.deb ... Passed
    eula_text.html ... Passed ... Passed
==> Removing existing $srcdir/ directory...
==> Extracting sources...
  -> Extracting google-chrome-stable_123.0.6312.86-1_amd64.deb with bsdtar
==> Entering fakeroot environment...
==> Starting package()...
==> Tidying install...
  -> Removing empty directories...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "google-chrome"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Adding install file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: google-chrome 123.0.6312.86-1 (Tue 26 Mar 2024 10:44:22 PM CET)
==> Cleaning up...

Checking keyring...                                                        [1/1]
Checking integrity...                                                      [1/1]
Loading packages files...                                                  [1/1]
Checking file conflicts...                                                 [1/1]
Checking available disk space...                                           [1/1]
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
Upgrading google-chrome (117.0.5938.88-1 -> 123.0.6312.86-1)...            [1/1]
Running post-transaction hooks...
Arming ConditionNeedsUpdate...                                             [1/3]
Updating icon theme caches...                                              [2/3]
Updating the desktop file MIME type cache...                               [3/3]
Transaction successfully finished.
[ben85@ben85-inspiron3521 ~]$ 

If somebody has some time to spare and would like to help me solve this mystery, perhaps they could install that program called Jhora from Snap, and then see if something happens to the current installation of Chrome.

I have a feeling that my latest installation from Snap and the disappearance of newer versions of Chrome are somehow connected.

I have just checked google-chrome installed on my partner’s system and it is not up to date

$ google-chrome-stable --version
Google Chrome 120.0.6099.129

pacman log shows this version was installed 2023-12-22

[2023-12-22T17:57:35+0000] [ALPM] upgraded google-chrome (117.0.5938.92-1 -> 120.0.6099.129-1)

So her system also appears to have missed updates for this package

But both commands pamac update -a and pamac build google-chrome show that the new package version is available

To build (1):
  google-chrome  123.0.6312.86-1  (120.0.6099.129-1)  AUR

For what it's worth I did the same.
(my partner actually has chrome installed … and chromium … and firefox … another story…)

Seems chrome could use an update there too, but a minor tag from
123.0.6312.58-1 > 123.0.6312.86-1

So it would appear it's been getting updates.

Which would make sense, as some day(s?) ago sudo pacman -Syu && paru -Sua was run.

Maybe there is something up with pamac aur updates?