-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 01 Apr 2022 23:22:56 -0400
Source: chromium
Architecture: source
Version: 100.0.4896.60-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
chromium (100.0.4896.60-1~deb11u1) bullseye-security; urgency=high
.
* Fix debian/watch to find the correct upstream version.
* Ensure xz uses all available cpu cores when preparing orig.tar.gz
* Switch to bundled ICU, since Debian's ICU is 2 years old at this point
and upstream depends on a bunch of new API in ICU 69.1.
* debian/copyright:
- ensure all *.dlls are dropped from source.
- Stop dropping '*fuzz' directories. It was too aggressive, resulting
in build errors for perfectly fine BSD-3-clause and similar code.
- Instead, drop '*corpus' and '*corpora' directories. Some of it is
fine (lots generated by oss-fuzz with .dict files provided), but
not all of it is and it's easier to just drop it.
- Drop an esbuild binary.
- The full upstream tarball includes additional stuff we don't want,
so drop *.jar, tools/win, and some other stuff in third_party/.
* debian/rules:
- Disabling & deleting swiftshader now also needs to add
dawn_use_swiftshader=false.
- Switch from -lite upstream tarball to the full tarball in order to
include ICU sources.
* debian/patches:
- upstream/libdrm.patch - drop, merged upstream.
- debianization/manpage.patch - drop a small chunk merged upstream.
- system/icu.patch - drop now that we're bundling ICU.
- bullseye/icu-types.patch - drop now that we're bundling ICU.
- system/convertutf.patch - update build for bundled ICU path.
- fixes/closure.patch - drop now that we're no longer using lite tarball.
- disable/driver-chrome-path.patch - refresh for BUILDFLAG() macro.
- system/jsoncpp.patch - refresh for unrelated ios change.
- disable/catapult.patch - refresh due to moving around of .pak files.
- upstream/rvo-workaround.patch - added to fix FTBFS w/ clang-11. Pulled
from upstream git.
* New upstream stable release.
- CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani
- CVE-2022-1127: Use after free in QR Code Generator.
Reported by anonymous
- CVE-2022-1128: Inappropriate implementation in Web Share API.
Reported by Abdel Adim (@smaury92) Oisfi of Shielder
- CVE-2022-1129: Inappropriate implementation in Full Screen Mode.
Reported by Irvan Kurniawan (sourc7)
- CVE-2022-1130: Insufficient validation of untrusted input in WebOTP.
Reported by Sergey Toshin of Oversecurity Inc.
- CVE-2022-1131: Use after free in Cast UI. Reported by
Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research
- CVE-2022-1132: Inappropriate implementation in Virtual Keyboard.
Reported by Andr.Ess
- CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous
- CVE-2022-1134: Type Confusion in V8.
Reported by Man Yue Mo of GitHub Security Lab
- CVE-2022-1135: Use after free in Shopping Cart.
Reported by Wei Yuan of MoyunSec VLab
- CVE-2022-1136: Use after free in Tab Strip . Reported by Krace
- CVE-2022-1137: Inappropriate implementation in Extensions.
Reported by Thomas Orlita
- CVE-2022-1138: Inappropriate implementation in Web Cursor.
Reported by Alesandro Ortiz
- CVE-2022-1139: Inappropriate implementation in Background Fetch API.
Reported by Maurice Dauer
- CVE-2022-1141: Use after free in File Manager.
Reported by raven at KunLun lab
- CVE-2022-1142: Heap buffer overflow in WebUI.
Reported by Leecraso and Guang Gong of 360 Alpha Lab
- CVE-2022-1143: Heap buffer overflow in WebUI.
Reported by Leecraso and Guang Gong of 360 Alpha Lab
- CVE-2022-1144: Use after free in WebUI.
Reported by Leecraso and Guang Gong of 360 Alpha Lab
- CVE-2022-1145: Use after free in Extensions.
Reported by Yakun Zhang of Baidu Security
- CVE-2022-1146: Inappropriate implementation in Resource Timing.
Reported by Sohom Datta
Checksums-Sha1:
d6706927251405b47991cd1383dc2a4565c2355d 3689 chromium_100.0.4896.60-1~deb11u1.dsc
93757e1dc5f4cc5593b3c09b656c59a7ca3276f6 586200052 chromium_100.0.4896.60.orig.tar.xz
e8eb889ef7d82b5834bde24c101ab93826508bb0 210952 chromium_100.0.4896.60-1~deb11u1.debian.tar.xz
f807167c20e9ed560353594c014263753d3177da 20464 chromium_100.0.4896.60-1~deb11u1_source.buildinfo
Checksums-Sha256:
797c243fc25025aafd82c03258458063452ad9669a90d5e37f941170b67585b0 3689 chromium_100.0.4896.60-1~deb11u1.dsc
358bfbcdd4acb3f345cd001be3e34dc231c0e29b0658b09b63d5bbf914b420d6 586200052 chromium_100.0.4896.60.orig.tar.xz
3378c3eb48e366ff83c26311ff7cc73155f12c4095e4ec958595404dc7b17693 210952 chromium_100.0.4896.60-1~deb11u1.debian.tar.xz
4cde42337868a4897b7f3e166c78413c75b1b8a48d8dbdf1d1c6fbb8fb6d18d5 20464 chromium_100.0.4896.60-1~deb11u1_source.buildinfo
Files:
d180b0b30be0142beffac44acec42f57 3689 web optional chromium_100.0.4896.60-1~deb11u1.dsc
c45fd4f7cff66fcbb761f26095204d29 586200052 web optional chromium_100.0.4896.60.orig.tar.xz
0ea5b8362d8cb0e1b92a5a389321de4d 210952 web optional chromium_100.0.4896.60-1~deb11u1.debian.tar.xz
75e815e95d059a4b2c5f754b85405f5d 20464 web optional chromium_100.0.4896.60-1~deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmJIkIgUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8NudjeG9A/+OfD52KiNBqWNTyruQCRMkJUjFApp
4b4m5US/S+Wjsnj3KvicdFuDSciqvje1C+meFvEl1npVoCVdk9DzPTwln+5hLzpp
QIrZy0b0sUaU9iJ4Ummx7xhW04w/mDKmOqE5Ieg1I90rwi7mOT6rLdvLZVui+Amh
IahTjWV5yKinOnV9S2YKWmWDsvw+iKcxQG3I6K3INDxr6C0YTUD2te2h1C0GxzcQ
bndrwOZ1xxN4h4mbX62hV3IcrJS7z0dnW2mB2ooSh7CJa5NdYHqxkxxqQ24SUUsO
IFbih5nu4YsQftzUjFQFAV9ZT3NTw3YdBluD9/YRYRJS/4cU2oFjS62mB8svHMdl
xEfdcb4rELPQyMx/YpCRUFjEh+QegyuDzvvLBHTE3Nmu8ltCjmZZhpwq1FAN3j0k
if1kHk7XxLd8xpnRrKT/uJCYCccH32tyQItEvtfRRlTIue4rG4H5nipokLvwbNsT
KOIxopp2Qh4WPwzkK2yf5a7A6glsTENIVroGuCaLC9OPE5tkf0gKlJom+WHLz5y/
FRHahFIWDIb+EUbt/Kg+4OtRtvTPJNx8FL7yaF7tYakgPuads0J8KGi7UV9tAJ0l
u4X3TZY/X8d+8xKX5sfyJacUBWNtjbMRPtmg8vkMPE6rOpYIranXy8EUMQP5r1rb
2lk2iiK8jvyzp+c=
=MAFX
-----END PGP SIGNATURE-----
