-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 19 Apr 2024 12:33:38 -0400
Source: chromium
Architecture: source
Version: 124.0.6367.60-1
Distribution: unstable
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
 chromium (124.0.6367.60-1) unstable; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-3832: Object corruption in V8.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-3833: Object corruption in WebAssembly.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang
     - CVE-2024-3837: Use after free in QUIC.
       Reported by {rotiple, dch3ck} of CW Research Inc.
     - CVE-2024-3838: Inappropriate implementation in Autofill.
       Reported by Ardyan Vicky Ramadhan.
     - CVE-2024-3839: Out of bounds read in Fonts.
       Reported by Ronald Crane (Zippenhop LLC).
     - CVE-2024-3840: Insufficient policy enforcement in Site Isolation.
       Reported by Ahmed ElMasry.
     - CVE-2024-3841: Insufficient data validation in Browser Switcher.
       Reported by Oleg.
     - CVE-2024-3843: Insufficient data validation in Downloads.
       Reported by Azur.
     - CVE-2024-3844: Inappropriate implementation in Extensions.
       Reported by Alesandro Ortiz.
     - CVE-2024-3845: Inappropriate implementation in Network.
       Reported by Daniel Baulig.
     - CVE-2024-3846: Inappropriate implementation in Prompts.
       Reported by Ahmed ElMasry.
     - CVE-2024-3847: Insufficient policy enforcement in WebUI.
       Reported by Yan Zhu.
   * d/copyright:
     - delete __pycache__ directories to shut up dpkg warnings.
     - stop deleting bundled libwebp directory.
   * Drop build-dep on libwebp-dev and start building against the bundled
     libwebp. We need to do this because chromium uses features of libavif
     that require libsharpyuv-dev; but that's only available in sid/trixie.
   * d/patches:
     - upstream/std-to-address.patch: drop, merged upstream.
     - fixes/optional2.patch: drop, merged upstream.
     - fixes/blink-fonts-shape-result.patch: drop, merged upstream.
     - bookworm/constexpr-equality.patch: drop, merged upstream.
     - disable/catapult.patch: refresh.
     - disable/google-api-warning.patch: rework to be a smaller patch.
     - bookworm/clang16.patch: refresh.
     - ungoogled/disable-privacy-sandbox.patch: drop hunk related to deprecated
       preference.
     - upstream/mojo-null.patch: pull a (typescript) build fix from upstream.
     - upstream/uint-includes.patch: simple header build fix from upstream.
     - upstream/fps-optional.patch: add header build fix.
     - upstream/span-optional.patch: add header build fix.
     - upstream/extractor-bitset.patch: add header build fix.
     - upstream/atomic.patch: add header build fix.
     - upstream/webgpu-optional.patch: add header build fix.
     - fixes/absl-optional.patch: comment out assert() that caused crash.
       This could be another clang16/libstdc++ miscompilation issue, but
       needs further investigation.
     - fixes/bad-font-gc2.patch: drop a bunch of test-related pieces.
     - fixes/bad-font-gc0000.patch, fixes/bad-font-gc000.patch,
       fixes/bad-font-gc00.patch, fixes/bad-font-gc0.patch,
       fixes/bad-font-gc11.patch, fixes/bad-font-gc3.patch: revert a bunch
       more (new) upstream commits related to bad-font-gc2.patch. When the
       use-after-free bug gets fixed, all this can be dropped.
   * d/patches/ppc64le:
     - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch,
       third_party/0003-third_party-ffmpeg-Add-ppc64-generated-config.patch,
       workarounds/HACK-third_party-libvpx-use-generic-gnu.patch,
       breakpad/0001-Implement-support-for-ppc64-on-Linux.patch,
       ffmpeg/0001-Add-support-for-ppc64.patch,
       third_party/dawn-fix-typos.patch,
       third_party/use-sysconf-page-size-on-ppc64.patch: refresh.
     - third_party/skia-vsx-instructions.patch: refresh & update for header
       renaming.
     - third_party/0001-Add-PPC64-support-for-boringssl.patch,
       third_party/0002-third-party-boringssl-add-generated-files.patch:
       disable these two until Tim has a chance to look at them.
Checksums-Sha1:
54744311d3d16714282cf693a472347b9a297edc 3706 chromium_124.0.6367.60-1.dsc
2cc0dded258c8f3c623e10e330195e1e3f9c40a5 847907384 chromium_124.0.6367.60.orig.tar.xz
658c435815beb11bdb03801c4785e147b8f6ba58 413280 chromium_124.0.6367.60-1.debian.tar.xz
24bae039d2f51a5cfcbbd4520b3a47526afc092e 21880 chromium_124.0.6367.60-1_source.buildinfo
Checksums-Sha256:
ee5d7db7540efa5721480c6dbece24c5065b697fae434e6dbd538cdff9de823f 3706 chromium_124.0.6367.60-1.dsc
b382eaade5057c56ca257bdf6a78c2c59116b56ce6c1ab166220cea1f5d950d2 847907384 chromium_124.0.6367.60.orig.tar.xz
7269ad2b36a77fcd1b08d01183c9bf6f7991b767dc56c7c6c290d78284d7beab 413280 chromium_124.0.6367.60-1.debian.tar.xz
6d8cea80261a5ae774b85a3ba11f818dfb38722cff0a4c6d5b32c37494c0dade 21880 chromium_124.0.6367.60-1_source.buildinfo
Files:
115b2ca478ee47ca156a877d7b80258e 3706 web optional chromium_124.0.6367.60-1.dsc
c229f60fab61eb4d55c385e2131236e5 847907384 web optional chromium_124.0.6367.60.orig.tar.xz
1e93986e1a4458926e33b1e47db6044b 413280 web optional chromium_124.0.6367.60-1.debian.tar.xz
ceba52fffb08e9eaa1a8cd65ff3cd0e9 21880 web optional chromium_124.0.6367.60-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----