Accepted chromium 116.0.5845.96-1~deb11u1 (source) into oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 15 Aug 2023 17:46:56 -0400
Source: chromium
Architecture: source
Version: 116.0.5845.96-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
chromium (116.0.5845.96-1~deb11u1) bullseye-security; urgency=high
.
* New upstream stable release.
- CVE-2023-2312: Use after free in Offline. Reported by avaue at S.S.L.
- CVE-2023-4349: Use after free in Device Trust Connectors.
Reported by Weipeng Jiang (@Krace) of VRI.
- CVE-2023-4350: Inappropriate implementation in Fullscreen.
Reported by Khiem Tran (@duckhiem).
- CVE-2023-4351: Use after free in Network.
Reported by Guang and Weipeng Jiang of VRI.
- CVE-2023-4352: Type Confusion in V8.
Reported by Sergei Glazunov of Google Project Zero.
- CVE-2023-4353: Heap buffer overflow in ANGLE.
Reported by Christoph Diehl / Microsoft Vulnerability Research.
- CVE-2023-4354: Heap buffer overflow in Skia.
Reported by Mark Brand of Google Project Zero.
- CVE-2023-4355: Out of bounds memory access in V8.
Reported by Sergei Glazunov of Google Project Zero.
- CVE-2023-4356: Use after free in Audio.
Reported by Zhenghang Xiao (@Kipreyyy).
- CVE-2023-4357: Insufficient validation of untrusted input in XML.
Reported by Igor Sak-Sakovskii.
- CVE-2023-4358: Use after free in DNS.
Reported by Weipeng Jiang (@Krace) of VRI.
- CVE-2023-4359: Inappropriate implementation in App Launcher.
Reported by @retsew0x01.
- CVE-2023-4360: Inappropriate implementation in Color.
Reported by Axel Chong.
- CVE-2023-4361: Inappropriate implementation in Autofill.
Reported by Thomas Orlita.
- CVE-2023-4362: Heap buffer overflow in Mojom IDL.
Reported by Zhao Hai of NanJing Cyberpeace TianYu Lab.
- CVE-2023-4363: Inappropriate implementation in WebShare.
Reported by Alesandro Ortiz.
- CVE-2023-4364: Inappropriate implementation in Permission Prompts.
Reported by Jasper Rebane.
- CVE-2023-4365: Inappropriate implementation in Fullscreen.
Reported by Hafiizh.
- CVE-2023-4366: Use after free in Extensions. Reported by asnine.
- CVE-2023-4367: Insufficient policy enforcement in Extensions API.
Reported by Axel Chong.
- CVE-2023-4368: Insufficient policy enforcement in Extensions API.
Reported by Axel Chong.
* d/patches:
- fixes/cmath.patch: drop, merged upstream.
- fixes/vector.patch: drop, merged upstream.
- fixes/cookieresult.patch: drop, merged upstream.
- upstream/feature-list-static.patch: drop, merged upstream.
- disable/catapult.patch: refresh.
- upstream/statelessV4L2.patch: refresh.
- ppc64le/third_party/0001-Add-PPC64-support-for-boringssl.patch: refresh.
- ppc64le/libaom/0001-Add-ppc64-target-to-libaom.patch: refresh.
- ppc64le/breakpad/0001-Implement-support-for-ppc64-on-Linux.patch: refresh.
- ppc64le/third_party/use-sysconf-page-size-on-ppc64.patch: refresh.
- fixes/rust-clanglib.patch: add patch to handle new clang deps for rust.
- debianization/clang-version.patch: move from bullseye/lld-13.patch.
- bookworm/typename.patch: more typename fixes needed.
- fixes/variant.patch: add a missing header that libstdc++ needs.
- fixes/vector.patch: add a missing header that libstdc++ needs.
- fixes/null.patch: fix missing namespace for nullptr_t + header fix.
- fixes/size.patch: missing header fix.
- bookworm/brotli.patch: revert upstream change that requires newer brotli.
- bookworm/struct-ctor.patch: add a bunch of explicit struct constructors
to make clang-15 happy.
- fixes/size.patch
- bullseye/stringpiece.patch: drop, since we're bundling re2 now.
- bullseye/downgrade-typescript.patch: newer tsc 5.1 doesn't work with
bullseye's ancient nodejs, so we have to downgrade back to 5.0.
- bullseye/constexpr.patch: add another build fix.
- bullseye/default-equality-op.patch: add another build fix.
* d/rules: automatically detect rust/clang versions & add needed rust args.
But also continue disabling rust for now.
* d/rules: drop use_gnome_keyring=false, upstream has completely removed
libgnome-keyring support in favor of gnome's libsecret.
* Use bundled re2 (for now) instead of libre2-dev due to random crashes
we're seeing. Adjust build-deps, Files-Excluded, d/clean,
and d/scripts/unbundle accordingly.
.
[ Timothy Pearson ]
* d/patches/ppc64le:
- database/0001-Properly-detect-little-endian-PPC64-systems.patch: refresh
for upstream changes
- third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch:
refresh for upstream changes
- third_party/0002-third-party-boringssl-add-generated-files.patch:
refresh, no changes
- third_party/use-sysconf-page-size-on-ppc64.patch: refresh for upstream
changes
- third_party/skia-vsx-instructions.patch: refresh for upstream changes
Checksums-Sha1:
303f605a7d3fd83c174f6da828ac2052a2545d8b 3785 chromium_116.0.5845.96-1~deb11u1.dsc
2ccd6ebff8f82be664cbca2cba762a81301fbb53 648561460 chromium_116.0.5845.96.orig.tar.xz
64865c83b70e073c30d74a9883758c6826f98381 1515080 chromium_116.0.5845.96-1~deb11u1.debian.tar.xz
9adb30561545f24eec3a159e689dded91a611d5f 22989 chromium_116.0.5845.96-1~deb11u1_source.buildinfo
Checksums-Sha256:
d4cf5a07689f7ce48197d001e9169fb76203296753ee6b2f8090582b3889e04b 3785 chromium_116.0.5845.96-1~deb11u1.dsc
4471aa5f94c97edab20ada188ca5e834d43a3769c5252f1cc3097ccf8a8b589a 648561460 chromium_116.0.5845.96.orig.tar.xz
894487071c71b9e79cf028efd209b73891177b4a664b02380e56dd1e8b02275b 1515080 chromium_116.0.5845.96-1~deb11u1.debian.tar.xz
9eda5e9f758a9654955b6b3e6a4df6059c995d4e40d4f3803ffbda240830ca84 22989 chromium_116.0.5845.96-1~deb11u1_source.buildinfo
Files:
fb3e37f60a197e053d6a3a2d841c19d5 3785 web optional chromium_116.0.5845.96-1~deb11u1.dsc
5d756303546456cccf632c5761bd525b 648561460 web optional chromium_116.0.5845.96.orig.tar.xz
36c619d2580f6ca4bd6df5785aa48b72 1515080 web optional chromium_116.0.5845.96-1~deb11u1.debian.tar.xz
b9453ef64bfeca07d4edcc5e66df4ce7 22989 web optional chromium_116.0.5845.96-1~deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmTck8YUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8NudjeF0g//f5/luHN7KaYdKecXnkz07IY0Gla2
UTIaVxOhExRicz0VptzsT+Env1E2ZsmVU+qHcZFNh3EfQEZm0miGJNiRN758nEdu
1zArKqU0kloDw8METh4JRzhsjMnOBA6GerU1EndJRfIs+gqsdLOUhd0JiKGWZVmV
4xHGaX3AsHXHKYz7++Yfag/AN0OogtrH4OotzDjmwDAVwDMm4C6DHdP++Ju0HnKu
dqgIg5gctKHW9fRt2PNo+hEVGmk3MrAHDU43WcoIYbA9v97yr+VIBkx5PYjTwdG9
FjNF1ZRB4w7OjHnQ62QNwCqcqF4KoQUSuE37upcNLxZzrvuOnp5vDM7oyhgOU0AW
rC+GNNCH3ywWiiwz1k3Ka+4NkTux1L8SeXUdg6067hUFzi0S5Lxzm3TDrNdaZS58
7f6zo77lWSNwBDYIu69YkIAuaHQmDO4Y8Nfs6mewDrrwvpK+x+pPoIY1cQ0SO1XW
oJ0eu5u6kzcRKcGs7T75/UeqE8A1U1tZWPLWpKwmtmtYsXIY6vjKw7u22Bi1vulN
Fcg5ii53u8gdGg9zmWfYxnQq4U/zYkdktgKzFKczDqsRFAom/pUeqiOztonnTFAg
2DsbrxR/lN6SNdNheYrGolovBSGnbBOAQpfuyiBD2xc6YS3NtuxmrSP9QYAwBhyV
oFiVqyCqWlowymc=
=m7h2
-----END PGP SIGNATURE-----
Reply to: