Back to chromium PTS page

Accepted chromium 124.0.6367.60-1~deb12u1 (source) into proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 19 Apr 2024 12:33:38 -0400
Source: chromium
Architecture: source
Version: 124.0.6367.60-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
 chromium (124.0.6367.60-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-3832: Object corruption in V8.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-3833: Object corruption in WebAssembly.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang
     - CVE-2024-3837: Use after free in QUIC.
       Reported by {rotiple, dch3ck} of CW Research Inc.
     - CVE-2024-3838: Inappropriate implementation in Autofill.
       Reported by Ardyan Vicky Ramadhan.
     - CVE-2024-3839: Out of bounds read in Fonts.
       Reported by Ronald Crane (Zippenhop LLC).
     - CVE-2024-3840: Insufficient policy enforcement in Site Isolation.
       Reported by Ahmed ElMasry.
     - CVE-2024-3841: Insufficient data validation in Browser Switcher.
       Reported by Oleg.
     - CVE-2024-3843: Insufficient data validation in Downloads.
       Reported by Azur.
     - CVE-2024-3844: Inappropriate implementation in Extensions.
       Reported by Alesandro Ortiz.
     - CVE-2024-3845: Inappropriate implementation in Network.
       Reported by Daniel Baulig.
     - CVE-2024-3846: Inappropriate implementation in Prompts.
       Reported by Ahmed ElMasry.
     - CVE-2024-3847: Insufficient policy enforcement in WebUI.
       Reported by Yan Zhu.
   * d/copyright:
     - delete __pycache__ directories to shut up dpkg warnings.
     - stop deleting bundled libwebp directory.
   * Drop build-dep on libwebp-dev and start building against the bundled
     libwebp. We need to do this because chromium uses features of libavif
     that require libsharpyuv-dev; but that's only available in sid/trixie.
   * d/patches:
     - upstream/std-to-address.patch: drop, merged upstream.
     - fixes/optional2.patch: drop, merged upstream.
     - fixes/blink-fonts-shape-result.patch: drop, merged upstream.
     - bookworm/constexpr-equality.patch: drop, merged upstream.
     - disable/catapult.patch: refresh.
     - disable/google-api-warning.patch: rework to be a smaller patch.
     - bookworm/clang16.patch: refresh.
     - ungoogled/disable-privacy-sandbox.patch: drop hunk related to deprecated
       preference.
     - upstream/mojo-null.patch: pull a (typescript) build fix from upstream.
     - upstream/uint-includes.patch: simple header build fix from upstream.
     - upstream/fps-optional.patch: add header build fix.
     - upstream/span-optional.patch: add header build fix.
     - upstream/extractor-bitset.patch: add header build fix.
     - upstream/atomic.patch: add header build fix.
     - upstream/webgpu-optional.patch: add header build fix.
     - fixes/absl-optional.patch: comment out assert() that caused crash.
       This could be another clang16/libstdc++ miscompilation issue, but
       needs further investigation.
     - fixes/bad-font-gc2.patch: drop a bunch of test-related pieces.
     - fixes/bad-font-gc0000.patch, fixes/bad-font-gc000.patch,
       fixes/bad-font-gc00.patch, fixes/bad-font-gc0.patch,
       fixes/bad-font-gc11.patch, fixes/bad-font-gc3.patch: revert a bunch
       more (new) upstream commits related to bad-font-gc2.patch. When the
       use-after-free bug gets fixed, all this can be dropped.
   * d/patches/ppc64le:
     - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch,
       third_party/0003-third_party-ffmpeg-Add-ppc64-generated-config.patch,
       workarounds/HACK-third_party-libvpx-use-generic-gnu.patch,
       breakpad/0001-Implement-support-for-ppc64-on-Linux.patch,
       ffmpeg/0001-Add-support-for-ppc64.patch,
       third_party/dawn-fix-typos.patch,
       third_party/use-sysconf-page-size-on-ppc64.patch: refresh.
     - third_party/skia-vsx-instructions.patch: refresh & update for header
       renaming.
     - third_party/0001-Add-PPC64-support-for-boringssl.patch,
       third_party/0002-third-party-boringssl-add-generated-files.patch:
       disable these two until Tim has a chance to look at them.
Checksums-Sha1:
 00d2de3fd82661a01e6545cc20e6b6f8383c4161 3722 chromium_124.0.6367.60-1~deb12u1.dsc
 2cc0dded258c8f3c623e10e330195e1e3f9c40a5 847907384 chromium_124.0.6367.60.orig.tar.xz
 d0f4b7cfcdc8442b755d6e57ddf2477a6ee4cf22 415296 chromium_124.0.6367.60-1~deb12u1.debian.tar.xz
 e2fd8f7f2accb32bca7b5a6c3bbc39c6b8a6cdb9 21670 chromium_124.0.6367.60-1~deb12u1_source.buildinfo
Checksums-Sha256:
 08dd3f6e805116641e18cb9ff47c2aae257cefa07ae9cf4bd25d0d9373c9ae7b 3722 chromium_124.0.6367.60-1~deb12u1.dsc
 b382eaade5057c56ca257bdf6a78c2c59116b56ce6c1ab166220cea1f5d950d2 847907384 chromium_124.0.6367.60.orig.tar.xz
 aa09bace3a2dcecf48483e3accd10407dc25348c5cf3150a54d9f9270b86f358 415296 chromium_124.0.6367.60-1~deb12u1.debian.tar.xz
 3820016cc124945b7ae9d7477dfc3fd8190bd51de7754bae042a1aa02d45977f 21670 chromium_124.0.6367.60-1~deb12u1_source.buildinfo
Files:
 2c846c3d959b3d5fbb420b4ff58fde40 3722 web optional chromium_124.0.6367.60-1~deb12u1.dsc
 c229f60fab61eb4d55c385e2131236e5 847907384 web optional chromium_124.0.6367.60.orig.tar.xz
 c373e959b3b3a0ee3691b6d3fcbdc481 415296 web optional chromium_124.0.6367.60-1~deb12u1.debian.tar.xz
 5d33d7252d269933ef0f8341d0b6429e 21670 web optional chromium_124.0.6367.60-1~deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYjAVwUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8Nudjc7RxAAmYDhjIZM39b1M93g2d5RfxUzI6vV
gpB19mAMPgMlq4ilhIRYk4bUNR8Nytj4Pbi/wa+m5157orkbU7arM7Ke1IcCmEef
2Cbl9rXTYD4sdvZJYeExpxlhUzMp2h07bFkSq4fu25z3UtSdOgjAFHJW39tsAqfB
w5mHqxGbfdVkhJvZXeZ2rbK/8xrHpwvqzx42eZ+APS0halZgnUmsKDhcR4Vn8CPq
VRbrK7E5zHlscBEF2/r4c/ZG/8RG87+1Rszwqf7NluauMfw2mh9QBP4NjJ9VrhI5
zPTLYWcFgXWw8Iafm9yvDc+NFL2vmkcrpHdnBMdYBNWNEW4CVOVe+yrmiktAZODf
oh/zWfaen9M5XVB4AXo9vXsJ8I/IhPzKw03XxYr46qyXIeD/02UfjPaIYsk0lq+u
EizwciZu4em07TPBRomm+hrCeblGEYvouo6s4A2tBF5rP40rkXZFU5pSA2zIgVje
vI5sFBEnvs/cH7Rkd38h0T8j3EWZ3LIwq5lfZFCBwTfv6suI6UyFgQVQ01aCufy3
umA/XjTwbkoLaekOoYgIzbCktP7kOb/CNH/cJG3RLzDNbGxVW2hpFvccT+PbNNX+
GOZVuJgQRBaxcS+BzcgBrJ5wa/d8FyKdaxzsTT0wiAkxWCCO+HRRgo/Op/01rWYt
8p5tMZUvKyvgqlE=
=JUoy
-----END PGP SIGNATURE-----

Attachment: pgpag51JeZ6Tj.pgp
Description: PGP signature