Format: 1.8
Date: Mon, 15 Jul 2024 05:28:21 +0000
Source: chromium
Architecture: source
Version: 126.0.6478.126-1~deb13u1
Distribution: trixie
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Closes: 1068096 1071662 1073378
Changes:
 chromium (126.0.6478.126-1~deb13u1) trixie; urgency=high
 .
   * Rebuild for trixie.
   * Revert libxml2-dev versioned build dep, and re-add
     d/patches/fixes/libxml-parseerr.patch.
 .
 chromium (126.0.6478.126-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-6290: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-6291: Use after free in Swiftshader.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-6292: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-6293: Use after free in Dawn. Reported by wgslfuzz.
   * d/patches/upstream/observer.patch: add crash-on-exit fix from upstream
     (closes: #1073378).
 .
 chromium (126.0.6478.114-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee
       (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024.
     - CVE-2024-6101: Inappropriate implementation in WebAssembly.
       Reported by @ginggilBesel.
     - CVE-2024-6102: Out of bounds memory access in Dawn.
       Reported by wgslfuzz.
     - CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz.
 .
 chromium (126.0.6478.56-1) unstable; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-5830: Type Confusion in V8.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-5832: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-5833: Type Confusion in V8. Reported by @ginggilBesel.
     - CVE-2024-5834: Inappropriate implementation in Dawn.
       Reported by gelatin dessert.
     - CVE-2024-5835: Heap buffer overflow in Tab Groups.
       Reported by Weipeng Jiang (@Krace) of VRI.
     - CVE-2024-5836: Inappropriate Implementation in DevTools.
       Reported by Allen Ding.
     - CVE-2024-5837: Type Confusion in V8. Reported by Anonymous.
     - CVE-2024-5838: Type Confusion in V8.
       Reported by Zhenghang Xiao (@Kipreyyy).
     - CVE-2024-5839: Inappropriate Implementation in Memory Allocator.
       Reported by Mickey.
     - CVE-2024-5840: Policy Bypass in CORS. Reported by Matt Howard.
     - CVE-2024-5841: Use after free in V8.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-5842: Use after free in Browser UI.
       Reported by Sven Dysthe (@svn_dy).
     - CVE-2024-5843: Inappropriate implementation in Downloads.
       Reported by hjy79425575.
     - CVE-2024-5844: Heap buffer overflow in Tab Strip. Reported by Sri.
     - CVE-2024-5845: Use after free in Audio. Reported by anonymous.
     - CVE-2024-5846: Use after free in PDFium.
       Reported by Han Zheng (HexHive).
     - CVE-2024-5847: Use after free in PDFium.
       Reported by Han Zheng (HexHive).
   * d/copyright: delete bullseye environment that upstream ships (??).
   * d/patches:
     - upstream/appservice-include.patch: drop, merged upstream.
     - upstream/lens-include.patch: drop, merged upstream.
     - upstream/mojo-bindings-include.patch: drop, merged upstream.
     - upstream/ninja.patch: drop, merged upstream.
     - upstream/no-vector-consts.patch: drop, merged upstream.
     - upstream/vulkan-include.patch: drop, merged upstream.
     - system/clang-format.patch: drop it; we broke it some time ago, and
       didn't notice. Guess we don't need it?
     - bookworm/clang16.patch: refresh.
     - fixes/bad-font-gc00000.patch: refresh
     - fixes/bad-font-gc11.patch: refresh
     - fixes/bad-font-gc2.patch: refresh
     - disable/signin.patch: refresh
     - upstream/quiche-deque.patch: gcc build fix pulled from upstream.
     - upstream/gpu-header.patch: add header build fix from upstream.
     - upstream/blink-header.patch: add header build fix from upstream.
     - upstream/blink-header2.patch: add header build fix from upstream.
     - upstream/blink-header3.patch: add header build fix from upstream.
     - upstream/realtime-reporting.patch: gcc build fix from upstream.
     - upstream/urlvisit-header.patch: add header build fix from upstream.
     - upstream/accessibility-format.patch: gcc build fix from upstream.
     - bookworm/urlhelper-ctor.patch: work around a clang-16 bug; add an
       explicit constructor.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - sandbox/0008-sandbox-fix-ppc64le-glibc234.patch: Modify for upstream
       changes
     - third_party/0002-Add-PPC64-generated-files-for-boringssl.patch:
       Modify for upstream changes
     - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch:
       Refresh for upstream changes
 .
 chromium (125.0.6422.141-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-5493: Heap buffer overflow in WebRTC.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-5496: Use after free in Media Session.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-5497: Out of bounds memory access in Keyboard Inputs.
       Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab.
     - CVE-2024-5498: Use after free in Presentation API.
     - CVE-2024-5499: Out of bounds write in Streams API.
   * d/patches/fixes/libxml-parseerr.patch: delete, now that we have a
     newer libxml2.
   * d/control: add versioned build-dep on libxml2-dev >= 2.12.
 .
 chromium (125.0.6422.112-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of
       Google's Threat Analysis Group and Brendon Tiszka of Chrome Security.
   * Fix handling of quoted arguments (closes: #1071662).
 .
 chromium (125.0.6422.76-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang.
     - CVE-2024-5158: Type Confusion in V8.
       Reported by Zhenghang Xiao (@Kipreyyy).
     - CVE-2024-5159: Heap buffer overflow in ANGLE.
       Reported by David Sievers (@loknop).
     - CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz.
   * Don't silently ignore arguments meant for the wrapper script if
     chromium args happen to come first (closes: #1068096).
   * d/patches:
     - upstream/tabstrip-include.patch: add header build fix.