Your message dated Sat, 06 Apr 2024 16:32:10 +0000
with message-id <e1rt8xe-0035dw...@fasolo.debian.org>
and subject line Bug#1066910: fixed in chromium 123.0.6312.86-1~deb12u1
has caused the Debian Bug report #1066910,
regarding chromium: downloads non-free component libchromescreenai.so without asking
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: chromium
Version: 122.0.6261.128-1
Severity: serious

In recent versions, chromium started downloading a file
~/.config/chromium/screen_ai/*/libchromescreenai.so. Evidently, the
source of this shared object is not in the chromium source package. I
think the chromium package - being in main - should not download a
shared object and run it without user confirmation.

Helmut

--- End Message ---
--- Begin Message ---
Source: chromium
Source-Version: 123.0.6312.86-1~deb12u1
Done: Timothy Pearson <tpear...@debian.org>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timothy Pearson <tpear...@debian.org> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 28 Mar 2024 11:57:05 -0400
Source: chromium
Architecture: source
Version: 123.0.6312.86-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chrom...@packages.debian.org>
Changed-By: Timothy Pearson <tpear...@debian.org>
Closes: 1066235 1066910 1067886
Changes:
 chromium (123.0.6312.86-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-2883: Use after free in ANGLE.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz.
     - CVE-2024-2886: Use after free in WebCodecs. Reported by
       Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024.
     - CVE-2024-2887: Type Confusion in WebAssembly.
       Reported by Manfred Paul, via Pwn2Own 2024.
   * d/patches/ppc64le:
     - fixes/fix-clang-selection.patch: select clang on ppc64 platforms
     - ppc64le/third_party/0001-Add-PPC64-support-for-boringssl.patch: fix
       ARM builds.
 .
   [ Andres Salomon ]
   * d/patches:
     - fixes/bad-font-gc1.patch, fixes/bad-font-gc2.patch: revert a pair of
       upstream commits that result in blink's garbage collector frequently
       deadlocking and crashing (closes: #1067886).
 .
 chromium (123.0.6312.58-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-2625: Object lifecycle issue in V8.
       Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team.
     - CVE-2024-2626: Out of bounds read in Swiftshader.
       Reported by Cassidy Kim(@cassidy6564).
     - CVE-2024-2627: Use after free in Canvas. Reported by Anonymous.
     - CVE-2024-2628: Inappropriate implementation in Downloads.
       Reported by Ath3r1s.
     - CVE-2024-2629: Incorrect security UI in iOS.
       Reported by Muneaki Nishimura (nishimunea).
     - CVE-2024-2630: Inappropriate implementation in iOS.
       Reported by James Lee (@Windowsrcer).
     - CVE-2024-2631: Inappropriate implementation in iOS.
       Reported by Ramit Gangwar.
   * d/patches:
     - upstream/bitset.patch: drop, merged upstream.
     - upstream/bookmarknode.patch: drop, merged upstream.
     - upstream/optional.patch: drop, merged upstream.
     - upstream/uniqptr.patch: drop, merged upstream.
     - fixes/gcc13-headers.patch: drop, merged upstream.
     - fixes/optional.patch: drop, merged upstream.
     - fixes/material-utils.patch: drop part that was merged upstream.
     - disable/catapult.patch: refresh.
     - bookworm/constexpr-equality.patch: include another similar fix.
     - bookworm/nvt.patch: refresh.
     - bookworm/undo-internal-alloc.patch: drop, as this was fixed upstream.
     - ungoogled/disable-privacy-sandbox.patch: update from ungoogled-chromium.
     - disable/angle-perftests.patch: drop, replace with a gn build argument.
     - bookworm/rust-downgrade-osstr-users.patch: add new patch to downgrade
       clap-lex crate, as it's using 1.74 features and we only have 1.70.
     - fixes/strlcpy.patch: add strlcpy declaration (closes: #1066235).
     - fixes/optional2.patch: add another missing <optional> inclusion.
     - fixes/stats-collector.patch: add build fix for wrong header.
     - disable/screen-ai-blob.patch: add patch to not register the
       ScreenAI component. Previously, if you opened a PDF and clicked
       "open in reader mode", it would download a binary blob to
       ~/.config/chromium/screen_ai/, and do OCR stuff (and who knows
       what else) in that opaque blob without warning you. We, uh, don't
       want that. (closes: #1066910).
     - bookworm/generate-ninja.patch: drop, merged upstream.
     - bookworm/bubble-contents.patch: update for renamed header.
     - bookworm/eraseif0.patch, eraseif-lambda.patch: drop, upstream merged
       a fix for g++-12 compilation.
     - bookworm/constexpr.patch: add yet another constexpr g++-12 fix.
     - bookworm/sizet.patch: another simple g++-12 build fix.
   * d/rules: add angle_build_tests=false build argument, which allows us to
     drop angle-perftests.patch.
 .
   [ Timothy Pearson ]
   * d/patches:
     - fixes/blink-fonts-shape-result.patch: pull in upstream patch for
       compilation failure in Blink SameSizeAsShapeResult class
   * d/patches/ppc64le:
     - ffmpeg/0001-Add-support-for-ppc64.patch: refresh for upstream changes
     - third_party/0003-third_party-ffmpeg-Add-ppc64-generated-config.patch:
       refresh for upstream changes
     - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh
       for upstream changes
     - third_party/0001-Add-PPC64-support-for-boringssl.patch: refresh for
       upstream changes
     - third_party/skia-vsx-instructions.patch: refresh & harden Skia against
       timing attacks.

--- End Message ---
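
To check a machine for the file this bug describes, the script below is an added example (not part of the messages above and not Debian's or Chromium's code). It looks in each given home directory for ~/.config/chromium/screen_ai/*/libchromescreenai.so and, where dpkg is available, compares the installed chromium version with the bookworm-security version named in the closing message; the default home locations and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Debian's or Chromium's code). Audits for the file from
# the bug report: ~/.config/chromium/screen_ai/*/libchromescreenai.so
# Usage: sh screen_ai_audit.sh [HOME_DIR ...]
# Default homes (/home/* and /root) are an assumption about the system layout.

# Print "<path><TAB><bytes><TAB><elf|not-elf>" for each copy under the homes.
find_screen_ai_blobs() {
    for home in "$@"; do
        for blob in "$home"/.config/chromium/screen_ai/*/libchromescreenai.so; do
            [ -f "$blob" ] || continue   # an unmatched glob stays literal
            bytes=$(wc -c < "$blob" | tr -d ' ')
            # ELF objects begin with the bytes 7f 45 4c 46
            magic=$(od -An -tx1 -N4 "$blob" | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then kind=elf; else kind=not-elf; fi
            printf '%s\t%s\t%s\n' "$blob" "$bytes" "$kind"
        done
    done
    return 0
}

# Report the installed chromium version against the version in which the
# closing message marks #1066910 fixed. Skipped where dpkg is absent.
report_package_status() {
    fixed='123.0.6312.86-1~deb12u1'
    command -v dpkg-query >/dev/null 2>&1 || return 0
    ver=$(dpkg-query -W -f='${Version}' chromium 2>/dev/null || true)
    [ -n "$ver" ] || return 0
    if dpkg --compare-versions "$ver" ge "$fixed"; then
        echo "chromium $ver: at or after $fixed"
    else
        echo "chromium $ver: older than $fixed"
    fi
}

[ "$#" -gt 0 ] || set -- /home/* /root
find_screen_ai_blobs "$@"
report_package_status
```

The changelog says the patch stops the ScreenAI component from being registered; it does not say that a copy downloaded earlier is removed, so the file check is worth running after the upgrade as well.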
