Your message dated Thu, 04 Apr 2024 08:35:35 +0000
with message-id <e1rsizl-0090cs...@fasolo.debian.org>
and subject line Bug#1066910: fixed in chromium 123.0.6312.105-1~deb13u1
has caused the Debian Bug report #1066910,
regarding chromium: downloads non-free component libchromescreenai.so without asking
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: chromium
Version: 122.0.6261.128-1
Severity: serious

In recent versions, chromium started downloading a file
~/.config/chromium/screen_ai/*/libchromescreenai.so. Evidently, the
source of this shared object is not in the chromium source package. I
think the chromium package - being in main - should not download a
shared object and run it without user confirmation.

Helmut

--- End Message ---
--- Begin Message ---
Source: chromium
Source-Version: 123.0.6312.105-1~deb13u1
Done: Andres Salomon <dilin...@debian.org>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilin...@debian.org> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Apr 2024 20:11:03 +0000
Source: chromium
Architecture: source
Version: 123.0.6312.105-1~deb13u1
Distribution: trixie
Urgency: high
Maintainer: Debian Chromium Team <chrom...@packages.debian.org>
Changed-By: Andres Salomon <dilin...@debian.org>
Closes: 1066235 1066910 1067886
Changes:
 chromium (123.0.6312.105-1~deb13u1) trixie; urgency=high
 .
   * Rebuild for trixie.
 .
 chromium (123.0.6312.105-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-3156: Inappropriate implementation in V8.
       Reported by Zhenghang Xiao (@Kipreyyy).
     - CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish.
     - CVE-2024-3159: Out of bounds memory access in V8. Reported by
       Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto
       Networks, via Pwn2Own 2024.
 .
 chromium (123.0.6312.86-1) unstable; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-2883: Use after free in ANGLE.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-2886: Use after free in WebCodecs. Reported by
       Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024.
     - CVE-2024-2887: Type Confusion in WebAssembly.
       Reported by Manfred Paul, via Pwn2Own 2024.
   * d/patches/ppc64le:
     - fixes/fix-clang-selection.patch: select clang on ppc64 platforms
     - ppc64le/third_party/0001-Add-PPC64-support-for-boringssl.patch: fix
       ARM builds.
 .
   [ Andres Salomon ]
   * d/patches:
     - fixes/bad-font-gc1.patch, fixes/bad-font-gc2.patch: revert a pair of
       upstream commits that result in blink's garbage collector frequently
       deadlocking and crashing (closes: #1067886).
 .
 chromium (123.0.6312.58-1) unstable; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-2625: Object lifecycle issue in V8.
       Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team.
     - CVE-2024-2626: Out of bounds read in Swiftshader.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-2627: Use after free in Canvas. Reported by Anonymous.
     - CVE-2024-2628: Inappropriate implementation in Downloads.
       Reported by Ath3r1s.
     - CVE-2024-2629: Incorrect security UI in iOS.
       Reported by Muneaki Nishimura (nishimunea).
     - CVE-2024-2630: Inappropriate implementation in iOS.
       Reported by James Lee (@Windowsrcer).
     - CVE-2024-2631: Inappropriate implementation in iOS.
       Reported by Ramit Gangwar.
   * d/patches:
     - upstream/bitset.patch: drop, merged upstream.
     - upstream/bookmarknode.patch: drop, merged upstream.
     - upstream/optional.patch: drop, merged upstream.
     - upstream/uniqptr.patch: drop, merged upstream.
     - fixes/gcc13-headers.patch: drop, merged upstream.
     - fixes/optional.patch: drop, merged upstream.
     - fixes/material-utils.patch: drop part that was merged upstream.
     - disable/catapult.patch: refresh.
     - bookworm/constexpr-equality.patch: include another similar fix.
     - bookworm/nvt.patch: refresh.
     - bookworm/undo-internal-alloc.patch: drop, as this was fixed upstream.
     - ungoogled/disable-privacy-sandbox.patch: update from ungoogled-chromium.
     - disable/angle-perftests.patch: drop, replace with a gn build argument.
     - bookworm/rust-downgrade-osstr-users.patch: add new patch to downgrade
       clap-lex crate, as it's using 1.74 features and we only have 1.70.
     - fixes/strlcpy.patch: add strlcpy declaration (closes: #1066235).
     - fixes/optional2.patch: add another missing <optional> inclusion.
     - fixes/stats-collector.patch: add build fix for wrong header.
     - disable/screen-ai-blob.patch: add patch to not register the
       ScreenAI component. Previously, if you opened a PDF and clicked
       "open in reader mode", it would download a binary blob to
       ~/.config/chromium/screen_ai/, and do OCR stuff (and who knows
       what else) in that opaque blob without warning you. We, uh, don't
       want that. (closes: #1066910).
   * d/rules: add angle_build_tests=false build argument, which allows us to
     drop angle-perftests.patch.
 .
   [ Timothy Pearson ]
   * d/patches:
     - fixes/blink-fonts-shape-result.patch: pull in upstream patch for
       compilation failure in Blink SameSizeAsShapeResult class
   * d/patches/ppc64le:
     - ffmpeg/0001-Add-support-for-ppc64.patch: refresh for upstream changes
     - third_party/0003-third_party-ffmpeg-Add-ppc64-generated-config.patch:
       refresh for upstream changes
     - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh
       for upstream changes
     - third_party/0001-Add-PPC64-support-for-boringssl.patch: refresh for
       upstream changes
     - third_party/skia-vsx-instructions.patch: refresh & harden Skia against
       timing attacks.
 .
 chromium (122.0.6261.128-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-2400: Use after free in Performance Manager.
       Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab.
 .
 chromium (122.0.6261.111-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2024-2173: Out of bounds memory access in V8.
       Reported by 5fceb6172bbf7e2c5a948183b53565b9.
     - CVE-2024-2174: Inappropriate implementation in V8.
       Reported by 5f46f4ee2e17957ba7b39897fb376be8.
     - CVE-2024-2176: Use after free in FedCM. Reported by Anonymous.
 .
 chromium (122.0.6261.94-1) unstable; urgency=high
 .
   * New upstream security release.
     - Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8.
     - Type Confusion in V8. Reported by
       Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
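
A check for the behaviour reported in this bug, as an added example that is not part of the original messages or of the Debian package: it scans every home directory under a base path (assumed to be `/home`) for the file path given in the report and records size, SHA-256 and whether the file starts with the ELF magic. The function and field names are illustrative.

```python
"""Audit home directories for the ScreenAI blob named in Debian bug #1066910."""
import hashlib
import sys
from pathlib import Path

# Path pattern taken from the bug report, relative to each user's home.
BLOB_GLOB = ".config/chromium/screen_ai/*/libchromescreenai.so"
ELF_MAGIC = b"\x7fELF"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large blobs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_screen_ai_blobs(home_base):
    """Return one dict per blob found under any home directory in home_base."""
    findings = []
    for home in sorted(Path(home_base).iterdir()):
        if not home.is_dir():
            continue
        try:
            for blob in sorted(home.glob(BLOB_GLOB)):
                if not blob.is_file():
                    continue
                with open(blob, "rb") as fh:
                    is_elf = fh.read(4) == ELF_MAGIC
                findings.append({
                    "user_dir": home.name,
                    "subdir": blob.parent.name,  # the "*" part of the path
                    "path": str(blob),
                    "size": blob.stat().st_size,
                    "is_elf": is_elf,
                    "sha256": sha256_file(blob),
                })
        except OSError as exc:  # unreadable profile: record it and keep going
            findings.append({"user_dir": home.name, "error": str(exc)})
    return findings


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "/home"  # assumed layout
    for finding in find_screen_ai_blobs(base):
        print(finding)
```

Run it with enough privilege to read other users' profiles; a directory that cannot be read shows up as an `error` entry instead of being skipped silently.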
