• Accepted chromium 97.0.4692.71-0.1~deb11u1 (source) into proposed-updat

    From Debian FTP Masters@21:1/5 to All on Sat Jan 22 20:20:02 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Format: 1.8
    Date: Thu, 13 Jan 2022 18:30:21 -0500
    Source: chromium
    Architecture: source
    Version: 97.0.4692.71-0.1~deb11u1
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Debian Chromium Team <chromium@packages.debian.org>
    Changed-By: Andres Salomon <dilinger@debian.org>
    Closes: 861796 942962 955540 995212 996375
    Changes:
    chromium (97.0.4692.71-0.1~deb11u1) bullseye-security; urgency=high
    .
    * Non-maintainer upload.
    * Stop building chromium's bundled gn and instead build-dep on generate-ninja.
    * Drop numerous patches related to gcc building, since we just build w/ clang.
    * Use python3 as default instead of relying on python2
    (closes: #942962, #996375).
    * Enable the ozone backend in the build (closes: #955540).
    * Automatically detect & enable Wayland support when launching chromium
    (closes: #861796).
    * Rename crashpad_handler to chrome_crashpad_handler.
    * No longer hardcode desktop GL implementation as default - it causes
    the chromium compositor's draw buffer to fill up & crash on my system.
    * Enable official builds.
    * New upstream stable release (closes: #995212).
    - CVE-2022-0096: Use after free in Storage. Reported by Yangkang
    (@dnpushme) of 360 ATA
    - CVE-2022-0097: Inappropriate implementation in DevTools. Reported by
    David Erceg
    - CVE-2022-0098: Use after free in Screen Capture. Reported by
    @ginggilBesel
    - CVE-2022-0099: Use after free in Sign-in. Reported by Rox
    - CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by
    Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications
    Corp. Ltd.
    - CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven
    (@raid_akame)
    - CVE-2022-0102: Type Confusion in V8. Reported by Brendon Tiszka
    - CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin
    Khan and Omair
    - CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin
    Khan and Omair
    - CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber
    Security Lab, OPPO Mobile Telecommunications Corp. Ltd.
    - CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani
    - CVE-2022-0107: Use after free in File Manager API. Reported by raven
    (@raid_akame)
    - CVE-2022-0108: Inappropriate implementation in Navigation. Reported by
    Luan Herrera (@lbherrera_)
    - CVE-2022-0109: Inappropriate implementation in Autofill. Reported by
    Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University
    - CVE-2022-0110: Incorrect security UI in Autofill. Reported by
    Alesandro Ortiz
    - CVE-2022-0111: Inappropriate implementation in Navigation. Reported by
    garygreen
    - CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas
    Orlita
    - CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan
    Herrera (@lbherrera_)
    - CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by
    Looben Yang
    - CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand
    of Google Project Zero
    - CVE-2022-0116: Inappropriate implementation in Compositing. Reported
    by Irvan Kurniawan (sourc7)
    - CVE-2022-0117: Policy bypass in Service Workers. Reported by
    Dongsung Kim (@kid1ng)
    - CVE-2022-0118: Inappropriate implementation in WebShare. Reported by
    Alesandro Ortiz
    - CVE-2022-0120: Inappropriate implementation in Passwords. Reported by
    CHAKRAVARTHI (Ruler96)
    (96.0.4664.110)
    - CVE-2021-4098: Insufficient data validation in Mojo. Reported by
    Sergei Glazunov of Google Project Zero
    - CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin
    of Solita
    - CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin
    of Solita
    - CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by
    Abraruddin Khan and Omair
    - CVE-2021-4102: Use after free in V8. Reported by Anonymous
    (96.0.4664.93)
    - CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of
    MoyunSec VLab
    - CVE-2021-4053: Use after free in UI. Reported by Rox
    - CVE-2021-4079: Out of bounds write in WebRTC. Reported by Brendon
    Tiszka
    - CVE-2021-4054: Incorrect security UI in autofill. Reported by
    Alesandro Ortiz
    - CVE-2021-4078: Type confusion in V8. Reported by Nan
    Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab
    - CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen
    Rong
    - CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360
    Alpha Lab
    - CVE-2021-4057: Use after free in file API. Reported by Sergei
    Glazunov of Google Project Zero
    - CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin
    Khan and Omair
    - CVE-2021-4059: Insufficient data validation in loader. Reported by
    Luan Herrera (@lbherrera_)
    - CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini
    - CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso
    and Guang Gong of 360 Alpha Lab
    - CVE-2021-4063: Use after free in developer tools. Reported by
    Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research
    - CVE-2021-4064: Use after free in screen capture. Reported by
    @ginggilBesel
    - CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010
    from Topsec ChiXiao Lab
    - CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun
    Jeong(@n3sk) of Theori
    - CVE-2021-4067: Use after free in window manager. Reported by
    @ginggilBesel
    - CVE-2021-4068: Insufficient validation of untrusted input in new tab
    page. Reported by NDevTK
    (96.0.4664.45)
    - CVE-2021-38008: Use after free in media. Reported by Marcin Towalski
    - CVE-2021-38009: Inappropriate implementation in cache.
    Reported by Luan Herrera (@lbherrera_)
    - CVE-2021-38006: Use after free in storage foundation.
    Reported by Sergei Glazunov of Google Project Zero
    - CVE-2021-38007: Type Confusion in V8. Reported by Polaris Feng and
    SGFvamll at Singular Security Lab
    - CVE-2021-38005: Use after free in loader.
    Reported by Sergei Glazunov of Google Project Zero
    - CVE-2021-38010: Inappropriate implementation in service workers.
    Reported by Sergei Glazunov of Google Project Zero
    - CVE-2021-38011: Use after free in storage foundation.
    Reported by Sergei Glazunov of Google Project Zero
    - CVE-2021-38012: Type Confusion in V8. Reported by Yonghwi Jin (@jinmo123)
    - CVE-2021-38013: Heap buffer overflow in fingerprint recognition.
    Reported by raven (@raid_akame)
    - CVE-2021-38014: Out of bounds write in Swiftshader.
    Reported by Atte Kettunen of OUSPG
    - CVE-2021-38015: Inappropriate implementation in input.
    Reported by David Erceg
    - CVE-2021-38016: Insufficient policy enforcement in background fetch.
    Reported by Maurice Dauer
    - CVE-2021-38017: Insufficient policy enforcement in iframe sandbox.
    Reported by NDevTK
    - CVE-2021-38018: Inappropriate implementation in navigation.
    Reported by Alesandro Ortiz
    - CVE-2021-38019: Insufficient policy enforcement in CORS.
    Reported by Maurice Dauer
    - CVE-2021-38020: Insufficient policy enforcement in contacts picker.
    Reported by Luan Herrera (@lbherrera_)
    - CVE-2021-38021: Inappropriate implementation in referrer.
    Reported by Prakash (@1lastBr3ath)
    - CVE-2021-38022: Inappropriate implementation in WebAuthentication.
    Reported by Michal Kepkowski
    (95.0.4638.69)
    - CVE-2021-37997: Use after free in Sign-In. Reported by Wei Yuan of
    MoyunSec VLab
    - CVE-2021-37998: Use after free in Garbage Collection. Reported by
    Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications
    Corp. Ltd.
    - CVE-2021-37999: Insufficient data validation in New Tab Page.
    Reported by Ashish Arun Dhone
    - CVE-2021-38000: Insufficient validation of untrusted input in Intents.
    Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google
    Threat Analysis Group
    - CVE-2021-38001: Type Confusion in V8. Reported by @s0rrymybad of
    Kunlun Lab via Tianfu Cup
    - CVE-2021-38002: Use after free in Web Transport. Reported by @__R0ng
    of 360 Alpha Lab, 漏洞研究院青训队 via Tianfu Cup
    - CVE-2021-38003: Inappropriate implementation in V8. Reported by Clément
    Lecigne from Google TAG and Samuel Groß from Google Project Zero
    - CVE-2021-38004: Insufficient policy enforcement in Autofill. Reported
    by Mark Amery
    (95.0.4638.54)
    - CVE-2021-37981: Heap buffer overflow in Skia. Reported by Yangkang
    (@dnpushme) of 360 ATA
    - CVE-2021-37982: Use after free in Incognito. Reported by Weipeng Jiang
    (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group
    - CVE-2021-37983: Use after free in Dev Tools. Reported by Zhihua Yao
    of KunLun Lab
    - CVE-2021-37984: Heap buffer overflow in PDFium. Reported by Antti
    Levomäki, Joonas Pihlaja and Christian Jalio from Forcepoint
    - CVE-2021-37985: Use after free in V8. Reported by Yangkang (@dnpushme)
    of 360 ATA
    - CVE-2021-37986: Heap buffer overflow in Settings.
    Reported by raven (@raid_akame)
    - CVE-2021-37987: Use after free in Network APIs. Reported by
    Yangkang (@dnpushme) of 360 ATA
    - CVE-2021-37988: Use after free in Profiles. Reported by raven
    (@raid_akame)
    - CVE-2021-37989: Inappropriate implementation in Blink.
    Reported by Matt Dyas, Ankur Sundara
    - CVE-2021-37990: Inappropriate implementation in WebView. Reported by
    Kareem Selim of CyShield
    - CVE-2021-37991: Race in V8. Reported by Samuel Groß of Google Project
    Zero
    - CVE-2021-37992: Out of bounds read in WebAudio. Reported by
    sunburst@Ant Security Light-Year Lab
    - CVE-2021-37993: Use after free in PDF Accessibility. Reported by Cassidy
    Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd.
    - CVE-2021-37996: Insufficient validation of untrusted input in Downloads.
    Reported by Anonymous
    - CVE-2021-37994: Inappropriate implementation in iFrame Sandbox.
    Reported by David Erceg
    - CVE-2021-37995: Inappropriate implementation in WebApp Installer.
    Reported by Terence Eden
    (94.0.4606.81)
    - CVE-2021-37977: Use after free in Garbage Collection. Reported by
    Anonymous
    - CVE-2021-37978: Heap buffer overflow in Blink. Reported by Yangkang
    (@dnpushme) of 360 ATA
    - CVE-2021-37979: Heap buffer overflow in WebRTC. Reported by Marcin
    Towalski of Cisco Talos
    - CVE-2021-37980: Inappropriate implementation in Sandbox. Reported by
    Yonghwi Jin (@jinmo123) of Theori
    (94.0.4606.71)
    - CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng
    Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group
    - CVE-2021-37975: Use after free in V8. Reported by Anonymous
    - CVE-2021-37976: Information leak in core. Reported by Clément Lecigne
    from Google TAG, with technical assistance from Sergei Glazunov and
    Mark Brand from Google Project Zero
    (94.0.4606.61)
    - CVE-2021-37973: Use after free in Portals. Reported by Clément Lecigne
    from Google TAG, with technical assistance from Sergei Glazunov and
    Mark Brand from Google Project Zero
    (94.0.4606.54)
    - CVE-2021-37956: Use after free in Offline use. Reported by Huyna at
    Viettel Cyber Security
    - CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang
    - CVE-2021-37958: Inappropriate implementation in Navigation. Reported by
    James Lee (@Windowsrcer)
    - CVE-2021-37959: Use after free in Task Manager. Reported by raven
    (@raid_akame)
    - CVE-2021-37961: Use after free in Tab Strip. Reported by Khalil Zhani
    - CVE-2021-37962: Use after free in Performance Manager. Reported by Sri
    - CVE-2021-37963: Side-channel information leakage in DevTools. Reported
    by Daniel Genkin and Ayush Agarwal, University of Michigan, Eyal Ronen
    and Shaked Yehezkel, Tel Aviv University, Sioli O’Connell, University of
    Adelaide, and Jason Kim, Georgia Institute of Technology
    - CVE-2021-37964: Inappropriate implementation in ChromeOS Networking.
    Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong
    Kong
    - CVE-2021-37965: Inappropriate implementation in Background Fetch API.
    Reported by Maurice Dauer
    - CVE-2021-37966: Inappropriate implementation in Compositing. Reported by
    Mohit Raj (shadow2639)
    - CVE-2021-37967: Inappropriate implementation in Background Fetch API.
    Reported by SorryMybad (@S0rryMybad) of Kunlun Lab
    - CVE-2021-37968: Inappropriate implementation in Background Fetch API.
    Reported by Maurice Dauer
    - CVE-2021-37969: Inappropriate implementation in Google Updater. Reported
    by Abdelhamid Naceri (halov)
    - CVE-2021-37970: Use after free in File System API. Reported by
    SorryMybad (@S0rryMybad) of Kunlun Lab
    - CVE-2021-37971: Incorrect security UI in Web Browser UI. Reported by
    Rayyan Bijoora
    - CVE-2021-37972: Out of bounds read in libjpeg-turbo. Reported by Xu
    Hanyu and Lu Yutao from Panguite-Forensics-Lab of Qianxin
