-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 01 Apr 2022 15:02:16 -0400 Source: chromium Architecture: source Version: 100.0.4896.60-1 Distribution: unstable Urgency: high Maintainer: Debian Chromium Team <chromium@packages.debian.org> Changed-By: Andres Salomon <dilinger@debian.org> Changes: chromium (100.0.4896.60-1) unstable; urgency=high . * Fix debian/watch to find the correct upstream version. * Ensure xz uses all available cpu cores when preparing orig.tar.gz * Switch to bundled ICU, since Debian's ICU is 2 years old at this point and upstream depends on a bunch of new API in ICU 69.1. * debian/copyright: - ensure all *.dlls are dropped from source. - Stop dropping '*fuzz' directories. It was too aggressive, resulting in build errors for perfectly fine BSD-3-clause and similar code. - Instead, drop '*corpus' and '*corpora' directories. Some of it is fine (lots generated by oss-fuzz with .dict files provided), but not all of it is and it's easier to just drop it. - Drop an esbuild binary. - The full upstream tarball includes additional stuff we don't want, so drop *.jar, tools/win, and some other stuff in third_party/. * debian/rules: - Disabling & deleting swiftshader now also needs to add dawn_use_swiftshader=false. - Switch from -lite upstream tarball to the full tarball in order to include ICU sources. * debian/patches: - upstream/libdrm.patch - drop, merged upstream. - debianization/manpage.patch - drop a small chunk merged upstream. - system/icu.patch - drop now that we're bundling ICU. - bullseye/icu-types.patch - drop now that we're bundling ICU. - system/convertutf.patch - update build for bundled ICU path. - fixes/closure.patch - drop now that we're no longer using lite tarball. - disable/driver-chrome-path.patch - refresh for BUILDFLAG() macro. - system/jsoncpp.patch - refresh for unrelated ios change. - disable/catapult.patch - refresh due to moving around of .pak files. * New upstream stable release. - CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani - CVE-2022-1127: Use after free in QR Code Generator. Reported by anonymous - CVE-2022-1128: Inappropriate implementation in Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of Shielder - CVE-2022-1129: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) - CVE-2022-1130: Insufficient validation of untrusted input in WebOTP. Reported by Sergey Toshin of Oversecurity Inc. - CVE-2022-1131: Use after free in Cast UI. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research - CVE-2022-1132: Inappropriate implementation in Virtual Keyboard. Reported by Andr.Ess - CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous - CVE-2022-1134: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab - CVE-2022-1135: Use after free in Shopping Cart. Reported by Wei Yuan of MoyunSec VLab - CVE-2022-1136: Use after free in Tab Strip . Reported by Krace - CVE-2022-1137: Inappropriate implementation in Extensions. Reported by Thomas Orlita - CVE-2022-1138: Inappropriate implementation in Web Cursor. Reported by Alesandro Ortiz - CVE-2022-1139: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer - CVE-2022-1141: Use after free in File Manager. Reported by raven at KunLun lab - CVE-2022-1142: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab - CVE-2022-1143: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab - CVE-2022-1144: Use after free in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab - CVE-2022-1145: Use after free in Extensions. Reported by Yakun Zhang of Baidu Security - CVE-2022-1146: Inappropriate implementation in Resource Timing. Reported by Sohom Datta Checksums-Sha1: 74798d08ca8a1d2869f34604b7671214043dc158 3619 chromium_100.0.4896.60-1.dsc 93757e1dc5f4cc5593b3c09b656c59a7ca3276f6 586200052 chromium_100.0.4896.60.orig.tar.xz 3a772e3b033444d06a39ede3a7cad049acc6d813 210160 chromium_100.0.4896.60-1.debian.tar.xz 5caf543c2bcfbc540b1543aa8ef221748b89daee 20430 chromium_100.0.4896.60-1_source.buildinfo Checksums-Sha256: e5cd5a2ee6349a9749cd98100da20f3e58d225a85c56ca2d87aaf1a7c11a9e1d 3619 chromium_100.0.4896.60-1.dsc 358bfbcdd4acb3f345cd001be3e34dc231c0e29b0658b09b63d5bbf914b420d6 586200052 chromium_100.0.4896.60.orig.tar.xz 4e5cf870bcd1959796761968a7b761d358453e73ae848cfdd3f437e8bda0ab25 210160 chromium_100.0.4896.60-1.debian.tar.xz e6a964b50b2b16709ace427497e4598b02be2f93ec0d5a32c00e6fb46c9e3481 20430 chromium_100.0.4896.60-1_source.buildinfo Files: 18436efe52f60bacb077562cb645f984 3619 web optional chromium_100.0.4896.60-1.dsc c45fd4f7cff66fcbb761f26095204d29 586200052 web optional chromium_100.0.4896.60.orig.tar.xz 185c1f4534c3be22a54f6215a00d78cf 210160 web optional chromium_100.0.4896.60-1.debian.tar.xz cfa243b9504f3471fa9b4d0762bf668c 20430 web optional chromium_100.0.4896.60-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmJHVAEUHGRpbGluZ2Vy QGRlYmlhbi5vcmcACgkQZF0CR8NudjfE6g/+N+nNk6CAZZ739F9oZ8n/WTd40WAh ri8cbxuEFVoYJPaG+krVQfnpIL2KgIgmH8NMTF9ayMOlUo37qnODkajMThaDBSAy 34TA/k4kY8TErKFJHRs4/YZi8DLn3tX+bNDAQRDNYubC8bCvUUx1q787YXhaRmX5 dLetLqHrDCkvdGfxrBjoxD+q8tSmfqXWz4+ktGaqw9FSdAmObDpn959BGTYCYwoL 2wkwUzmJpWKIDY0YLugdKs9GzPgVtOCWy3X3omQbjuc5buDQscIDOjCAnMohEUVh 9l1V+qFezNOCKcelkwrG6kprLnMlhvXhHe8jYmvkA8cUL/MbgEUMvpVy2FcPiCSa SY4MdsRc7MCKBSOx1pezwgwv2LUnUXLrFRraTJsCuvSohuGI1q8Q0mXIr3y9HRNT 3YxgZOuS386OboblK3hYQaX5nOGoXQ6pF52HIuqITtVxbCRWXp6UvwqLL36ccBoe 0GihZm1ulZRSzSRl1M8YpyVcEl0bEtTah6b2Ku2+9wlcsjX/ob7+tB/QYcMOrgV2 kPtA1NRzgAGPztO6HmyUPnTgbhjZKYZjD32SDd7IhNXiUBCDuP4/wnCPxvM0EZSz 05H7JFrSJSMZTYc5tYdPh6sDZrPwZF+TUgKbAreyJzYuzuufIDpRMFp3dUXefNgo K8834XGde1pNzXM= =B0Jl -----END PGP SIGNATURE-----