• Accepted chromium 105.0.5195.52-1~deb11u1 (source) into proposed-update

    From Debian FTP Masters@21:1/5 to All on Sun Sep 11 15:40:01 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Format: 1.8
    Date: Wed, 31 Aug 2022 20:48:11 -0400
    Source: chromium
    Architecture: source
    Version: 105.0.5195.52-1~deb11u1
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Debian Chromium Team <chromium@packages.debian.org>
    Changed-By: Andres Salomon <dilinger@debian.org>
    Closes: 987292
    Changes:
    chromium (105.0.5195.52-1~deb11u1) bullseye-security; urgency=high
    .
    * New upstream stable release.
    - CVE-2022-3038: Use after free in Network Service.
    Reported by Sergei Glazunov of Google Project Zero.
    - CVE-2022-3039: Use after free in WebSQL. Reported by
    Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability
    Research Institute.
    - CVE-2022-3040: Use after free in Layout. Reported by Anonymous.
    - CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and
    Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute.
    - CVE-2022-3042: Use after free in PhoneHub. Reported by koocola
    (@alo_cook) and Guang Gong of 360 Vulnerability Research Institute.
    - CVE-2022-3043: Heap buffer overflow in Screen Capture.
    Reported by @ginggilBesel.
    - CVE-2022-3044: Inappropriate implementation in Site Isolation.
    Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research
    - CVE-2022-3045: Insufficient validation of untrusted input in V8.
    Reported by Ben Noordhuis <info@bnoordhuis.nl>.
    - CVE-2022-3046: Use after free in Browser Tag.
    Reported by Rong Jian of VRI.
    - CVE-2022-3071: Use after free in Tab Strip.
    Reported by @ginggilBesel.
    - CVE-2022-3047: Insufficient policy enforcement in Extensions API.
    Reported by Maurice Dauer.
    - CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen.
    Reported by Andr.Ess.
    - CVE-2022-3049: Use after free in SplitScreen.
    Reported by @ginggilBesel.
    - CVE-2022-3050: Heap buffer overflow in WebUI.
    Reported by Zhihua Yao of KunLun Lab.
    - CVE-2022-3051: Heap buffer overflow in Exosphere.
    Reported by @ginggilBesel.
    - CVE-2022-3052: Heap buffer overflow in Window Manager.
    Reported by Khalil Zhani.
    - CVE-2022-3053: Inappropriate implementation in Pointer Lock.
    Reported by Jesper van den Ende (Pelican Party Studios).
    - CVE-2022-3054: Insufficient policy enforcement in DevTools.
    Reported by Kuilin Li.
    - CVE-2022-3055: Use after free in Passwords. Reported by Weipeng
    Jiang (@Krace) and Guang Gong of 360 Vulnerability Research
    Institute.
    - CVE-2022-3056: Insufficient policy enforcement in Content
    Security Policy. Reported by Anonymous.
    - CVE-2022-3057: Inappropriate implementation in iframe Sandbox.
    Reported by Gareth Heyes.
    - CVE-2022-3058: Use after free in Sign-In Flow.
    Reported by raven at KunLun lab.
    * Drop workaround for lack of older clang's -ffile-prefix-map. This
    should make reproducible builds happy.
    * debian/copyright:
    - Update for new libevent location (moved out of base/).
    - libopenjpeg20 -> libopenjpeg
    * debian/patches:
    - debianization/support-i386.patch: refresh.
    - disable/catapult.patch: refresh.
    - disable/libaom-arm.patch: refresh.
    - system/event.patch: update for new libevent location.
    - system/openjpeg.patch: refresh.
    - bullseye/clang13.patch: drop part of patch dropped upstream.
    - upstream/disk-cache.patch: build fix pulled from upstream.
    - upstream/browser-finder.patch: build fix pulled from upstream.
    - upstream/masklayer-geom.patch: build fix pulled from upstream.
    - system/jsoncpp.patch: drop, merged upstream.
    - fixes/angle-wayland: build fix due to mismatched wayland headers
    on sid. Only needed until angle updates its copy of wayland.
    - disable/welcome-page.patch: drop. Upstream fixed the original
    issue some time ago, and this new version finally cleaned up
    the workaround.
    - fixes/connection-message.patch: drop it. I looked at sending this
    upstream, but the original extension doesn't exist any more,
    and chromium properly prints an error if a proxy is unreachable.
    If you can still reproduce the issue (described in
    http://bugs.debian.org/864539), let me know so I can get it fixed
    upstream.
    * debian/scripts/unbundle: upstream tripled the number of (previously
    vendored) libraries that we can use system versions of. However,
    the majority of them are either not in bullseye or are too old, so
    we'll have to wait to use the debian versions for the ones not newly
    added as build-deps.
    * Disable optimize_webui, due to a build failure using nodejs from
    bullseye. I'll reenable this when it either gets fixed or we're done
    with bullseye security support.
    * Remove sse3-support dependency and just refuse to run if SSE3 is
    not present. Breaking via preinst script isn't appropriate for
    packages that might be installed by default (eg, by Debian Edu).
    * debian/control: add build-deps for brotli, libdouble-conversion-dev,
    libwoff-dev, and libxnvctrl-dev (closes: #987292).
    * Rework default search engine stuff. People did not like the "Your
    browser is managed" and "Your administrator can change your browser
    setup remotely" messages, which are admittedly alarming.
    Instead of using /etc/chromium/policies/recommended/duckduckgo.json,
    delete that and use /etc/chromium/master_preferences instead.

    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----
