1. Forum
  2. Usenet
  3. LINUX.DEBIAN.CHANGES

  • Accepted chromium 127.0.6533.88-1~deb12u1 (source) into proposed-update

    From Debian FTP Masters@21:1/5 to All on Sun Aug 25 10:40:02 2024
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Format: 1.8
    Date: Tue, 30 Jul 2024 23:50:29 -0400
    Source: chromium
    Architecture: source
    Version: 127.0.6533.88-1~deb12u1
    Distribution: bookworm-security
    Urgency: high
    Maintainer: Debian Chromium Team <chromium@packages.debian.org>
    Changed-By: Andres Salomon <dilinger@debian.org>
    Changes:
    chromium (127.0.6533.88-1~deb12u1) bookworm-security; urgency=high
    .
    [ Andres Salomon ]
    * New upstream stable release.
    - CVE-2024-6988: Use after free in Downloads. Reported by
    lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group.
    - CVE-2024-6989: Use after free in Loader. Reported by Anonymous.
    - CVE-2024-6991: Use after free in Dawn. Reported by wgslfuzz.
    - CVE-2024-6992: Out of bounds memory access in ANGLE.
    Reported by Xiantong Hou of Wuheng Lab and Pisanbao.
    - CVE-2024-6993: Inappropriate implementation in Canvas.
    Reported by Anonymous.
    - CVE-2024-6994: Heap buffer overflow in Layout.
    Reported by Huang Xilin of Ant Group Light-Year Security Lab.
    - CVE-2024-6995: Inappropriate implementation in Fullscreen.
    Reported by Alesandro Ortiz.
    - CVE-2024-6996: Race in Frames.
    Reported by Louis Jannett (Ruhr University Bochum).
    - CVE-2024-6997: Use after free in Tabs.
    Reported by Sven Dysthe (@svn-dys).
    - CVE-2024-6998: Use after free in User Education.
    Reported by Sven Dysthe (@svn-dys).
    - CVE-2024-6999: Inappropriate implementation in FedCM.
    Reported by Alesandro Ortiz.
    - CVE-2024-7000: Use after free in CSS. Reported by Anonymous.
    - CVE-2024-7001: Inappropriate implementation in HTML.
    Reported by Jake Archibald.
    - CVE-2024-7003: Inappropriate implementation in FedCM.
    Reported by Alesandro Ortiz.
    - CVE-2024-7004: Insufficient validation of untrusted input in Safe
    Browsing. Reported by Anonymous.
    - CVE-2024-7005: Insufficient validation of untrusted input in Safe
    Browsing. Reported by Umar Farooq.
    - CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert.
    - CVE-2024-7255: Out of bounds read in WebTransport.
    Reported by Marten Richter.
    - CVE-2024-7256: Insufficient data validation in Dawn.
    Reported by gelatin dessert.
    * Switch from building against (gcc's) libstdc++ to (clang's) libc++.
    Upstream is playing fast and loose with memory in ways that results
    in crashes with gcc's stricter libstdc++, but not with clang's libc++
    (which allows accessing deleting memory apparently). We can't maintain
    workarounds any more, and upstream really doesn't care (see, for
    example, https://crbug.com/346174906 , where they add workarounds only
    for their ASAN memory checker).
    * d/copyright:
    - delete new rust, cargo, llvm, and node binaries.
    - delete third_party/zstd so we can link against system zstd.
    - stop deleting the bundled woff, snappy, and jsoncpp; those can't be
    dynamically linked against with clang's libc++.
    * d/control:
    - build-dep against libzstd-dev and bindgen.
    - drop build-dep on libwoff-dev, libsnappy-dev, libjsoncpp-dev, and
    add build-deps on libc++-16-dev / libc++abi-16-dev.
    * d/rules:
    - drop use_goma=false (upstream switched to rbe).
    - set rust_bindgen_root.
    - rework get-orig-source to not use mk-origtargz, which is
    incredibly slow (total run 45 mins for the current 6.2G upstream
    release). Instead, use d/scripts/get-exludes.pl and tar's
    --exclude-from to drastically speed things up (total run now takes
    8 mins).
    - include bindgen 0.66.1-3 packages from snapshot.debian.org, as
    bookworm's bindgen 0.60.1 is too old. The packages are
    unpacked during build.
    * d/patches:
    - upstream/tabstrip-include.patch: drop, merged upstream.
    - upstream/quiche-deque.patch: drop, merged upstream.
    - upstream/gpu-header.patch: drop, merged upstream.
    - upstream/blink-header.patch: drop, merged upstream.
    - upstream/blink-header2.patch: drop, merged upstream.
    - upstream/blink-header3.patch: drop, merged upstream.
    - upstream/realtime-reporting.patch: drop, merged upstream.
    - upstream/urlvisit-header.patch: drop, merged upstream.
    - upstream/accessibility-format.patch: drop, merged upstream.
    - upstream/observer.patch: drop, merged upstream.
    - bookworm/clang16.patch: refresh.
    - bookworm/rust-downgrade-osstr-users.patch: refresh w/ minor changes.
    - ungoogled/disable-privacy-sandbox.patch: refresh.
    - disable/signin.patch: upstream dropped prefs::kAutologinEnabled.
    - upstream/crabbyav1f.patch: add build fix pulled from upstream.
    - upstream/lock-impl.patch: add build fix pulled from upstream.
    - upstream/containers-header.patch: add build fix pulled from upstream.
    - upstream/paint-layer-header.patch: add build fix pulled from upstream
    - fixes/bindgen.patch: work around bindgen-related things (hopefully
    correctly?)
    - bookworm/lex-3way.patch: add patch to support
    std::lexicographical_compare_three_way, which was added in clang-17.
    - bookworm/traitors.patch: another clang-16 hack; backport
    pointer_traits.h from libc++-18-dev to work around clang
    std::to_address() issue.
    - bookworm/constexpr.patch: add more of the usual constexpr
    workarounds; only needed for clang-16.
    - bookworm/constcountrycode.patch, bookworm/omnibox-constexpr.patch:
    remove, now part of bookworm/constexpr.patch.
    - fixes/absl-optional.patch: drop, only needed for libstdc++-dev.
    - fixes/bad-font-gc*: drop, only needed for libstdc++-dev.
    - fixes/chromium-browser-ui-missing-deps.patch: add a bunch of
    mojo-related dependency build fixes.
    - bookworm/bubble-contents.patch: refresh.
    - bookworm/gn-funcs.patch: add workarounds for missing functions in
    bookworm's older generate-ninja.
    - bookworm/gn-absl.patch: add workarounds for absl changes that rely
    on newer gn.
    - bookworm/crabbyav1f.patch: add experimental feature toggle, needed
    for older rustc.
    .
    [ Timothy Pearson ]
    * d/patches:
    - fixes/fixes/memory-allocator-dcheck-assert-fix.patch: Fix assert on
    64k page systems such as aarch64 and ppc64el
    * d/patches/ppc64le:
    - ffmpeg/0001-Add-support-for-ppc64.patch: Drop, no longer needed
    - third_party/use-sysconf-page-size-on-ppc64.patch: Refresh for upstream
    changes
    Checksums-Sha1:
    c78fdce8e1d111626e8aa62db927cace5cdb8f27 3789 chromium_127.0.6533.88-1~deb12u1.dsc
    a81a33c056af65fb74b4ce6dd855eef511185aef 873345564 chromium_127.0.6533.88.orig.tar.xz
    026aec18935a6839904121b0865fa2a3af80dfa9 8493024 chromium_127.0.6533.88-1~deb12u1.debian.tar.xz
    18531f2a61845bc7d3e6e9ef5cecfacbd1d1c33b 22054 chromium_127.0.6533.88-1~deb12u1_source.buildinfo
    Checksums-Sha256:
    718fae385161e6a9995fb15604df582a96f72ca54540343d6ecd503c923a7b6c 3789 chromium_127.0.6533.88-1~deb12u1.dsc
    54f1a7f7ccebdbe62654751c9939f9c3ee6d25ebd3a7f823f944764d8fb84aa4 873345564 chromium_127.0.6533.88.orig.tar.xz
    8e0ba139f3ef2522045238a9930b251be503afd3a9deea7c614c37e87a86770c 8493024 chromium_127.0.6533.88-1~deb12u1.debian.tar.xz
    e10501ea61b7bf7cf2f069e0f1b8c71ff8f7ab8b7d1d620405567099c53a9015 22054 chromium_127.0.6533.88-1~deb12u1_source.buildinfo
    Files:
    8d8920e206937af1b74d22caba017d35 3789 web optional chromium_127.0.6533.88-1~deb12u1.dsc
    5ce7abbb21378ea5e2d567a93ba12808 873345564 web optional chromium_127.0.6533.88.orig.tar.xz
    d9a56fee6a686435ec445dc822ab56a6 8493024 web optional chromium_127.0.6533.88-1~deb12u1.debian.tar.xz
    caafe952643040ac9a42679c3ea5c657 22054 web optional chromium_127.0.6533.88-1~deb12u1_source.buildinfo

    -----BEGIN PGP SIGNATURE-----

    iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmap7cgUHGRpbGluZ2Vy QGRlYmlhbi5vcmcACgkQZF0CR8NudjdLMQ/8DZ56cE66EyL3sbBicE81UoOGZr+A Fn6BF3XaLUYcPSOME62DspLAPoD9TQEwxTT/KDen9vGDGIzMRbOm5A8L+RNpxmQ2 dXIUkhlCfM3XULlJ/+mYBWOmb2CrEwSmfXUdjNWz6z9tOAxwH3Ezy7XxvlkuVxKb c26hCMk7yPVH//pih2Vr0EfRlZrn6Rr5MYk4ILBfElewb47EwLVPNSGO/ygKpcad WGYEiIs/D7L+7XgPpn0QPD+nVlIyXKRtJwOaZtK+clT69Tdy4RV5X5j/LDs9f4UK 3QWa2LsVVnuIcoPP9yMirkyggpgIzOqO0j+1bNGyicOk59uQo3PnzbpKKfSQJw4/ 2jMEhpnSpOZQpvqHuJKjaydNRKe7wmCvi21iiBfbv8GXJV+ehOofVT0Y3n0yeIm/ 9RNQ0mVVuB5AeCLxMugfAjM7F3qcVZdNbAgfXW83GNPaw48Be5FXaKOCfupMwMwL tagrz/PeAKaHQCk7y91ZEuc2LRay45NkVtMoDPAArkBoURCuFOuZEkx/BHZ+wUJ7 IQJr2H019/n/byeOlby8gy6xaCyxdwnOOlEtMlDomVNCfvoUIacUjjlrA1666l3C R3j45nLx3Xa5um+iiI7fn1rbmVZAgyFWT6FRHcqNoE7pxC4+8s0OpoCcAfA10h8P V0Ke0ZXNR3ncs/o=
    =6EL/
    -----END PGP SIGNATURE-----


    --==============H58267613569185935=Content-Type: application/pgp-signature

    -----BEGIN PGP SIGNATURE-----

    iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCZsrsCwAKCRCb9qggYcy5 IW0YAP9TKLlVCBzFF+cLL9dKUI0OBMRFeedero9Y4h8Ux1ncOQD/R79rjSbAf+lm sJ6+VIEPBCrnWsYol6535G9Iwv+1rQM=PIfy
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)