Format: 1.8
Date: Sat, 19 Oct 2024 01:12:11 -0400
Source: chromium
Architecture: source
Version: 130.0.6723.58-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
 chromium (130.0.6723.58-1~deb12u1) bookworm-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream stable release.
     - CVE-2024-9954: Use after free in AI. Reported by DarkNavy.
     - CVE-2024-9955: Use after free in Web Authentication.
       Reported by anonymous.
     - CVE-2024-9956: Inappropriate implementation in Web Authentication.
       Reported by mastersplinter.
     - CVE-2024-9957: Use after free in UI. Reported by lime(@limeSec_) and
       fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group.
     - CVE-2024-9958: Inappropriate implementation in PictureInPicture.
       Reported by Lyra Rebane (rebane2001).
     - CVE-2024-9959: Use after free in DevTools. Reported by Sakana.S.
     - CVE-2024-9960: Use after free in Dawn. Reported by Anonymous.
     - CVE-2024-9961: Use after free in Parcel Tracking. Reported by
       lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of
       Legendsec at QI-ANXIN Group.
     - CVE-2024-9962: Inappropriate implementation in Permissions.
       Reported by Shaheen Fazim.
     - CVE-2024-9963: Insufficient data validation in Downloads.
       Reported by Anonymous.
     - CVE-2024-9964: Inappropriate implementation in Payments.
       Reported by Hafiizh.
     - CVE-2024-9965: Insufficient data validation in DevTools.
       Reported by Shaheen Fazim.
     - CVE-2024-9966: Inappropriate implementation in Navigations.
       Reported by Harry Chen.
   * d/copyright: rollup -> @rollup deletion.
   * d/patches:
     - debianization/sandbox.patch: refresh.
     - fixes/bindgen.patch: refresh.
     - disable/catapult.patch: refresh.
     - system/zlib.patch: drop. Upstream removed courgette, and its
       replacement (zucchini) doesn't appear to use zlib.
     - system/rollup.patch: update path due to upstream renaming; call
       ./rollup/.../rollup instead of ./@rollup/wasm-node/.../rollup.
     - system/event.patch: drop half of patch due to upstream deletions.
     - upstream/mojo-null.patch: merged into mojo.patch.
     - upstream/mojo.patch: update based on 130 test files.
     - bookworm/gn-absl.patch: refresh.
     - bookworm/gn-funcs.patch: refresh.
     - bookworm/cacheline.patch: add patch to revert usage of
       std::hardware_destructive_interference_size, which clang-16 lacks.
     - bookworm/constexpr2.patch: add around clang16 build failure
       workaround related to constexpr.
     - upstream/stack-header.patch: add missing include.
 .
   [ Daniel Richard G. ]
   * d/rules: Drop the clang-16 -I/-Wl,-rpath flags from CXXFLAGS/LDFLAGS
     as they are no longer needed.
 .
   [ Timothy Pearson ]
   * d/patches:
     - upstream/blink-fix-size-assertions.patch: Fix build on non-amd64
       platforms
     - fixes/fix-assert-in-vnc-sessions.patch: Fix assertion and SIGTRAP
       when starting Chromium from within a VNC session
   * d/patches/ppc64le:
     - core/add-ppc64-pthread-stack-size.patch: Define correct pthread
       stack size on ppc64 systems
     - core/cargo-add-ppc64.diff
     - third_party/0001-Add-PPC64-support-for-boringssl.patch: Refresh for
       upstream changes
     - third_party/0001-Force-baseline-POWER8-AltiVec-VSX-CPU-features-when- .patch:
       Refresh for upstream changes
     - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch:
       Refresh for upstream changes
     - third_party/skia-vsx-instructions.patch: Refresh for upstream changes
     - workarounds/HACK-debian-clang-disable-skia-musttail.patch: Refresh
       for upstream changes