Today while I was using the download feature in Chrome I noticed that the files that are downloaded are displayed at the bottom of the screen, which was characteristic for the older versions of Chrome. In the last few months the Chrome installed on my Manjaro was showing the latest downloads from one little icon which was situated on the right side of the address bar. When a file is downloaded it would be found there if you click it.
I don’t update my Manjaro applications very often, but I’m absolutely positive that I used this newer version of Chrome where the downloaded files are displayed on the top, (to the right side of the address bar) for at least several months. The only thing that could have changed my Chrome was the fact that I installed one Snap application using Pamac several days ago. However, I’m pretty sure that I turned off the automatic updating of all applications in Pamac, and that only that one Snap application was installed (although it was a very big installation that included Wine and some huge file of almost one gigabyte). Even if Pamac somehow mistakenly updated Chrome, one would expect that it would update it to the latest version, not reverse to a version from September last year.
The version that I currently have is:
chrome Version 117.0.5938.88 (Official Build) (64-bit) date
The current version displayed there is google-chrome 123.0.6312.58-1, so my Chrome definitely got reversed to some earlier version.
Is there some way to determine what happened on my system and to explain this weird change? I have looked into the Pamac log and I don’t see anything suspicious there regarding Chrome. I can paste it here if need be.
Well, in theory it is not possible. So it will be something surprising, strange and unexpected. Like you accidentally booting into an earlier btrfs snapshot of the system…or doing some cleanup, and accidentally replacing the pkgbuild in the buildcache with an older version…
will not work because chrome is not in the repos. Maybe cscs meant something like pamac search -i chrome but i do not see how this will help, you know your version, you do not know how it got there.
[ben85@ben85-inspiron3521 ~]$ pacman -Qs google-chrome
local/google-chrome 117.0.5938.88-1
The popular web browser by Google (Stable Channel)
[ben85@ben85-inspiron3521 ~]$ pacman -Qs chrome
local/google-chrome 117.0.5938.88-1
The popular web browser by Google (Stable Channel)
local/libcamera 0.1.0-2
A complex camera support library for Linux, Android, and ChromeOS
local/libcamera-ipa 0.1.0-2
A complex camera support library for Linux, Android, and ChromeOS - signed
IPA
[ben85@ben85-inspiron3521 ~]$ grep -i chrome /var/log/pacman.log
[2023-09-19T02:56:26+0200] [ALPM] installed google-chrome (117.0.5938.88-1)
[2023-09-19T02:56:27+0200] [ALPM-SCRIPTLET] ==> NOTE: Custom flags should be put directly in: ~/.config/chrome-flags.conf
[2023-09-19T02:56:27+0200] [ALPM-SCRIPTLET] ==> NOTE: The launcher is called: 'google-chrome-stable'
[ben85@ben85-inspiron3521 ~]$
To be honest, I didn’t check what version of Chrome I used until I noticed this change, but it was definitely a newer version than this one (if nothing else then because of that recently downloaded files method that is used).
In my Pamac, under options and then advanced options I have the option “enable downgrades” enabled. Could this have caused the reversal of Chrome (at least theoretically) while that snap package was being installed?
I don't use pamac
But I’m pretty sure this is equal to pacman's double u
( Syu vs Syuu )
Meaning if a repo package is downgraded in your branch
( output like ‘XYZ is newer than…’ )
Then it will be synced with the repo. It doesn't mean packages will be randomly downgraded, or anything at all for AUR packages really.
According to this the only thing you have ever done with respect to google-chrome is install this 117 version in september, and nothing else has ever happened with that package.
Are you sure about your previous statements?
For example … was this ‘newer chrome’ you were using actually from the AUR? It was not a SNAP or flatpak or something?
Well…if that is all and you did not update and or rebuild since september…i can imagine that was the version at that time.
Where does the pacman.log end actually, what is the last/most recent you see, if you open with a text editor?
Because that can support the theory of accidentally booting a backup snapshot. I personally do not use btrfs, maybe the others can tell how to check (if you use btrfs).
And i really do hope you have updated since september…otherwise you are in a pretty unsupported state.
For example … was this ‘newer chrome’ you were using actually from the AUR? It was not a SNAP or flatpak or something?
Yes I am absolutely sure that the version that I used was from AUR, and I am absolutely sure that it was the only chrome that was installed on this computer. I suppose that it was updated once when I did the complete update of everything via terminal.
btw. Does pamac also update AUR packages when the complete update is performed?
I can also paste here the logs from that snap installation if anybody thinks that it could be useful. Just please tell me how to obtain these logs, because I’m not very knowledgeable about the stuff regarding the terminal.
One theoretical question - let’s suppose that I have some kind of rootkit or Trojan installed on my computer. If the hacker removed the newer chrome and replaced it or reverted to the earlier version, would it be possible for him to avoid being logged into the pamac and Pacman logs? Is it possible to make this type of changes and to circumvent pamac and pacman logs?
I don’t know if this is useful, and I’m not sure what this command actually does, but it seems there is some kind of correlation between Google Chrome and that last snap installation:
pacman -Qs google-chrome && snap list
local/google-chrome 117.0.5938.88-1
The popular web browser by Google (Stable Channel)
Name Version Rev Tracking Publisher Notes
bare 1.0 5 latest/stable canonical✓ base
core 16-2.61.2 16928 latest/stable canonical✓ core
core18 20231027 2812 latest/stable canonical✓ base
core20 20240111 2182 latest/stable canonical✓ base
gnome-3-28-1804 3.28.0-19-g98f9e67.98f9e67 198 latest/stable canonical✓ -
gnome-3-38-2004 0+git.efb213a 143 latest/stable canonical✓ -
gtk-common-themes 0.1-81-g442e511 1535 latest/stable canonical✓ -
gtk2-common-themes 0.1 13 latest/stable canonical✓ -
snapd 2.61.2 21184 latest/stable canonical✓ snapd
wine-platform-5-stable 5.0.3 18 latest/stable mmtrt -
wine-platform-runtime v1.0 363 latest/stable mmtrt -
[ben85@ben85-inspiron3521 ~]$ pacman -Qs google-chrome && snap list
It looks like you use this a lot.
I don't notice very many updates.
Do you believe this is updating your packages? It is not.
I am curious what happens if you do updates:
sudo pacman -Syu && pamac update -a
Yes … but it would need to all be done by hand.
Besides manually placing all the correct files in the correct places (and removing ‘new’ ones), the attacker would also need to manually augment the logs to, for example, remove every instance of chrome being updated.
We see the old chrome installed as a package, and all your listed snaps, which do not include chrome.
They do include wine … but it's an even further stretch to wonder about ‘is chrome installed through wine what you are thinking of?’ … right? … right??
To be honest, I rarely use the terminal. As far as I remember, I only updated everything through the terminal once during the latest installation (and I forget now what is the command for that :)) but it definitely has four letters. When I need something like that I just browse this forum and copy/paste it and then soon after that I forget the correct syntax. I updated the system completely via pamac several times since the installation in September last year.
So to answer your question, it doesn’t look very probable that I typed that command, especially if it appears many times. If it appears in the log, does that mean that somebody with the administrative permissions typed it? What does that command do, and do you think that the theoretical hacker could have some use for that command (for example, to find out which packages and their traces in logs he would need to remove)?
As for your second question, I don’t know if that’s a possibility. Do you think it’s possible to install something through Wine?
That was what i thought too. I wrote in the beginning it will come out to be something very weird in the end. This would certainly qualify.
Installing usually means root (except in the case of flatpak or wine), so yes. But it does not make any sense. If i have root access to a machine, i have it all. Why would i need to downgrade anything…the whole point of having an older version of some software is for it to be vulnerable to some exploit, so i can get some privilege escalation. If i have root, why would i bother with something else. So this is veeeery improbable.
I was just wondering.
It's probably just the pacman-filesdb-refresh.service, which will do that on a timer if pacman-filesdb-refresh.timer is enabled.
Yes, it certainly is … that's probably one of the biggest features of wine.
Note:
Just to be clear - to my eyes, none of this screams nefarious activity. Earlier I said it was ‘possible’ for an attacker to achieve these results, but that's all I meant - that it was technically possible to achieve. Not that it qualifies as likely.
I do not know if the --enable-downgrade option works the same for AUR packages as repository packages, but there should have been a request from pamac for user to agree to downgrade and an entry in the journal to show package changes
I suggest you try building AUR package with pamac
pamac build google-chrome
If pamac offers to build latest version (123.0.6312.86-1) press Y to accept
and when next future version is released to AUR, check if pamac can find the new version with
pamac update -a
or
pamac build google-chrome
If pamac is working as expected both commands should show new version
But if history is repeating the first command will fail
Apparently this went without any problems, and this is an even newer version than the one I remember using in December last year and the beginning of this year (until a couple days ago).
I distinctly remember being even a little irritated by the change in the position of the latest downloads in Chrome, and it took me some time to get used to it. So there is no chance that I didn’t use the newer version of Chrome (newer than the September version) on this computer. But how that newer version was obliterated remains a mystery.
As for the snap programs, I only enabled snap a few days ago when I installed that vedic astrology program from there (the program is called “Jhora” and I could find it only on Snap). Before that, snap was not enabled.
I also remember that in September last year I was trying to find Google Chrome among the official repositories in pamac and was surprised that it wasn’t there, so I had to find a suitable installation in AUR. Flatpak is not and has never been enabled on this installation.
Here is how the updating of Google Chrome went:
[ben85@ben85-inspiron3521 ~]$ pamac build google-chrome
Preparing...
Checking google-chrome dependencies...
Resolving dependencies...
Checking inter-conflicts...
To build (1):
google-chrome 123.0.6312.58-1 (117.0.5938.88-1) AUR
Edit build files : [e]
Apply transaction ? [e/y/N] y
Cloning google-chrome build files...
Generating google-chrome information...
==== AUTHENTICATING FOR org.manjaro.pamac.commit ====
Authentication is required to install, update, or remove packages
Authenticating as: ben85
Password:
==== AUTHENTICATION COMPLETE ====
Building google-chrome...
==> Making package: google-chrome 123.0.6312.86-1 (Tue 26 Mar 2024 10:40:33 PM CET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading google-chrome-stable_123.0.6312.86-1_amd64.deb...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 102M 100 102M 0 0 867k 0 0:02:00 0:02:00 --:--:-- 627k
-> Found eula_text.html
-> Found google-chrome-stable.sh
==> Validating source files with sha512sums...
google-chrome-stable_123.0.6312.86-1_amd64.deb ... Passed
eula_text.html ... Passed
google-chrome-stable.sh ... Passed
==> Removing existing $srcdir/ directory...
==> Extracting sources...
-> Extracting google-chrome-stable_123.0.6312.86-1_amd64.deb with bsdtar
==> Entering fakeroot environment...
==> Starting package()...
==> Tidying install...
-> Removing empty directories...
-> Removing libtool files...
-> Purging unwanted files...
-> Removing static library files...
-> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "google-chrome"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
-> Adding install file...
-> Generating .MTREE file...
-> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: google-chrome 123.0.6312.86-1 (Tue 26 Mar 2024 10:44:22 PM CET)
==> Cleaning up...
Checking keyring... [1/1]
Checking integrity... [1/1]
Loading packages files... [1/1]
Checking file conflicts... [1/1]
Checking available disk space... [1/1]
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
Upgrading google-chrome (117.0.5938.88-1 -> 123.0.6312.86-1)... [1/1]
Running post-transaction hooks...
Arming ConditionNeedsUpdate... [1/3]
Updating icon theme caches... [2/3]
Updating the desktop file MIME type cache... [3/3]
Transaction successfully finished.
[ben85@ben85-inspiron3521 ~]$
If somebody has some time to spare and would like to help me solve this mystery, perhaps they could install that program called Jhora from Snap, and then see if something happens to the current installation of Chrome.
I have a feeling that my latest installation from Snap and the disappearance of newer versions of Chrome are somehow connected.
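An added example, not part of the original thread and not code from any poster: a Python sketch of the two log checks discussed above, reconstructing a package's transaction history from pacman.log and measuring the longest silence in the log, which is the evidence the snapshot-restore theory would leave. The function names are hypothetical and the sample log is constructed in the format quoted in the thread; it assumes ISO timestamps like the ones shown there.

```python
import re
from datetime import datetime

# Constructed sample in the pacman.log format quoted in the thread (not the poster's log).
SAMPLE_LOG = """\
[2023-09-19T02:56:26+0200] [ALPM] installed google-chrome (117.0.5938.88-1)
[2023-09-19T02:56:27+0200] [ALPM-SCRIPTLET] ==> NOTE: The launcher is called: 'google-chrome-stable'
[2023-12-02T10:11:12+0100] [PACMAN] starting full system upgrade
[2023-12-02T10:15:40+0100] [ALPM] upgraded libcamera (0.1.0-1 -> 0.1.0-2)
[2024-03-26T22:44:30+0100] [ALPM] upgraded google-chrome (117.0.5938.88-1 -> 123.0.6312.86-1)
"""

TS = r"^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4})\]"   # ISO stamps, as in the thread
ALPM = re.compile(TS + r" \[ALPM\] (installed|upgraded|downgraded|reinstalled|removed) (\S+) \((.*)\)$")
STAMP = re.compile(TS)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")

def package_history(log, pkg):
    """Every ALPM transaction for pkg as (time, action, old_version, new_version)."""
    events = []
    for line in log.splitlines():
        m = ALPM.match(line)
        if not m or m.group(3) != pkg:
            continue
        ts, action, _, ver = m.groups()
        old, sep, new = ver.partition(" -> ")
        if not sep:  # installed/reinstalled/removed log a single version
            old, new = (ver, None) if action == "removed" else (None, ver)
        events.append((parse_ts(ts), action, old, new))
    return events

def expected_version(events):
    """Version the log implies is installed now (None if never installed or removed)."""
    return events[-1][3] if events else None

def longest_gap_days(log):
    """Largest silence between consecutive timestamped lines, in whole days."""
    stamps = [parse_ts(m.group(1)) for m in map(STAMP.match, log.splitlines()) if m]
    return max(((b - a).days for a, b in zip(stamps, stamps[1:])), default=0)

def audit(log, pkg, installed):
    """Findings from comparing the log with the version `pacman -Q` reports for pkg."""
    events = package_history(log, pkg)
    findings = [f"{t:%Y-%m-%d} {a} {o} -> {n}" for t, a, o, n in events if a == "downgraded"]
    if expected_version(events) != installed:
        findings.append(f"log implies {expected_version(events)}, system has {installed}")
    return findings
```

On a real system, pass the contents of /var/log/pacman.log and the version printed by `pacman -Q google-chrome`. An empty result means the log and the installed package agree, and the gap figure shows how long the log recorded no package activity at all.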