-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 01 Apr 2026 12:42:51 -0400
Source: chromium
Architecture: source
Version: 146.0.7680.177-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
 chromium (146.0.7680.177-1~deb12u1) bookworm-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream security release.
     - CVE-2026-5272: Heap buffer overflow in GPU.
       Reported by inspector-ambitious.
     - CVE-2026-5273: Use after free in CSS. Reported by Anonymous.
     - CVE-2026-5274: Integer overflow in Codecs.
       Reported by heapracer (@heapracer).
     - CVE-2026-5275: Heap buffer overflow in ANGLE.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5276: Insufficient policy enforcement in WebUSB.
       Reported by Ariel Simon.
     - CVE-2026-5277: Integer overflow in ANGLE.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5278: Use after free in Web MIDI.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5279: Object corruption in V8.
       Reported by Hyeonjun Ahn (@_deayzl).
     - CVE-2026-5280: Use after free in WebCodecs.
       Reported by heapracer (@heapracer).
     - CVE-2026-5281: Use after free in Dawn.
       Reported by 86ac1f1587b71893ed2ad792cd7dde32.
     - CVE-2026-5282: Out of bounds read in WebCodecs.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5283: Inappropriate implementation in ANGLE.
       Reported by sweetchip.
     - CVE-2026-5284: Use after free in Dawn.
       Reported by 86ac1f1587b71893ed2ad792cd7dde32.
     - CVE-2026-5285: Use after free in WebGL.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5286: Use after free in Dawn. Reported by sweetchip.
     - CVE-2026-5287: Use after free in PDF. Reported by Syn4pse.
     - CVE-2026-5288: Use after free in WebView. Reported by Google.
     - CVE-2026-5289: Use after free in Navigation. Reported by Google.
     - CVE-2026-5290: Use after free in Compositing. Reported by Google.
     - CVE-2026-5291: Inappropriate implementation in WebGL.
       Reported by heapracer (@heapracer).
     - CVE-2026-5292: Out of bounds read in WebCodecs. Reported by Google.
   * d/patches:
     - upstream/Fix-blink-compilation-for-platforms-other-than-x86-and-arm.patch:
       drop, merged upstream.
     - ungoogled/disable-ai.patch: resync with u-c.
 .
   [ Daniel Richard G. ]
   * d/copyright: Exclude *.pb (protobuf) binary files.
   * d/patches: Various ungoogled-chromium-related updates.
     - disable/glic.patch: Drop, replaced with disable-ai.patch from the
       ungoogled-chromium project.
     - ungoogled/disable-ai.patch: Import new patch from ungoogled-chromium
       that zaps glic, screen_ai, and various other adjacent AI-based features.
     - ungoogled/disable-mei-preload.patch: Import patch to allow building
       without *.pb files.
     - ungoogled/disable-privacy-sandbox.patch: Update imported patch.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - third_party/0005-blink-add-audio-vector-support.patch: Fix FTBFS from
       upstream adding vector-accelerated audio delay functions
 .
   [ Jianfeng Liu ]
   * d/patches/upstream:
     - Fix-blink-compilation-for-platforms-other-than-x86-and-arm.patch: Fix
       FTBFS from upstream for blink audio delay function on loong64
Checksums-Sha1:
 b1737ce0e7ead70bf54647db5278e58cd3536dfe 4068 chromium_146.0.7680.177-1~deb12u1.dsc
 41b4ac22684ced460e9212915c484c1051ddc552 785637692 chromium_146.0.7680.177.orig.tar.xz
 4caa5bc64273b186a3697c272baecac140d44943 8570632 chromium_146.0.7680.177-1~deb12u1.debian.tar.xz
 667c2419d4f4d88aee32c7cd020cf80f3d46ff44 26842 chromium_146.0.7680.177-1~deb12u1_source.buildinfo
Checksums-Sha256:
 a3c1b569b4f38bb54a99708ef6b23ffd162223e2283467e2c5d9d2d444e78753 4068 chromium_146.0.7680.177-1~deb12u1.dsc
 2b8322234ce8cd272a47923a772088b29b65fbdde8fe871eb2cc833d9acf5cdc 785637692 chromium_146.0.7680.177.orig.tar.xz
 ba00d826c193786168680de132fa59a823acdc8563cc67314ca18857c0658401 8570632 chromium_146.0.7680.177-1~deb12u1.debian.tar.xz
 04a6a8efd8802a77a27a4c0e51ae9afd626c8dd4db8b3357266dc8ad5b34db7a 26842 chromium_146.0.7680.177-1~deb12u1_source.buildinfo
Files:
 2ea61d75aa9e18254b19a70ae85e5cf6 4068 web optional chromium_146.0.7680.177-1~deb12u1.dsc
 96240fa6e716a879c557e8c22fe212d4 785637692 web optional chromium_146.0.7680.177.orig.tar.xz
 8b1cd68735f3df7e612d9815665741c5 8570632 web optional chromium_146.0.7680.177-1~deb12u1.debian.tar.xz
 f73f01397221cd99b81ac5b2e158f910 26842 web optional chromium_146.0.7680.177-1~deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----