[ubuntu/trusty-security] chromium-browser 58.0.3029.81-0ubuntu0.14.04.1172 (Accepted)

Chris Coulson chrisccoulson at ubuntu.com
Wed Apr 26 11:46:34 UTC 2017

chromium-browser (58.0.3029.81-0ubuntu0.14.04.1172) trusty; urgency=medium

  * Upstream release: 58.0.3029.81
    - CVE-2017-5057: Type confusion in PDFium.
    - CVE-2017-5058: Heap use after free in Print Preview.
    - CVE-2017-5059: Type confusion in Blink.
    - CVE-2017-5060: URL spoofing in Omnibox.
    - CVE-2017-5061: URL spoofing in Omnibox.
    - CVE-2017-5062: Use after free in Chrome Apps.
    - CVE-2017-5063: Heap overflow in Skia.
    - CVE-2017-5064: Use after free in Blink.
    - CVE-2017-5065: Incorrect UI in Blink.
    - CVE-2017-5066: Incorrect signature handing in Networking.
    - CVE-2017-5067: URL spoofing in Omnibox.
    - CVE-2017-5069: Cross-origin bypass in Blink.
  * debian/patches/arm.patch: removed, no longer needed
  * debian/patches/gtk-ui-stdmove: removed, no longer needed (upstreamed)
  * debian/patches/screen_capturer: removed, no longer needed (upstreamed)
  * debian/patches/default-allocator: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/enable-chromecast-by-default: refreshed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/snapshot-library-link: refreshed
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/fix-gn-bootstrap.patch: added
  * debian/rules: disable the use of Vulcanize, the required node.js modules
    are not readily available

chromium-browser (57.0.2987.98-0ubuntu1) UNRELEASED; urgency=medium

  * debian/rules: Use gold linker, and not its threads args to avoid
    bfd "missing DSO" bug.
  * Upstream release: 57.0.2987.98.
    - CVE-2017-5030: Memory corruption in V8.
    - CVE-2017-5031: Use after free in ANGLE.
    - CVE-2017-5032: Out of bounds write in PDFium.
    - CVE-2017-5029: Integer overflow in libxslt.
    - CVE-2017-5034: Use after free in PDFium.
    - CVE-2017-5035: Incorrect security UI in Omnibox.
    - CVE-2017-5036: Use after free in PDFium.
    - CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
    - CVE-2017-5039: Use after free in PDFium.
    - CVE-2017-5040: Information disclosure in V8.
    - CVE-2017-5041: Address spoofing in Omnibox.
    - CVE-2017-5033: Bypass of Content Security Policy in Blink.
    - CVE-2017-5042: Incorrect handling of cookies in Cast.
    - CVE-2017-5038: Use after free in GuestView.
    - CVE-2017-5043: Use after free in GuestView.
    - CVE-2017-5044: Heap overflow in Skia.
    - CVE-2017-5045: Information disclosure in XSS Auditor.
    - CVE-2017-5046: Information disclosure in Blink.
  * debian/patches/arm64-support no longer needed
  * debian/patches/stdatomic: Support gcc48.
  * debian/patches/snapshot-library-link: Add missing libsnapshot link
  * debian/patches/gtk-ui-stdmove: fix && pointer return with std::move
  * debian/control: Drop binary arch "any" and explicitly list four.
  * debian/patches/arm64-vpx-alignment: Avoid ARM64 alignment bug on some
  * debian/rules: Fix armhf float ABI and remove unnecessary envvars.
    (LP: #1673276)
  * Upstream release: 56.0.2924.76
    - CVE-2017-5007: Universal XSS in Blink.
    - CVE-2017-5006: Universal XSS in Blink.
    - CVE-2017-5008: Universal XSS in Blink.
    - CVE-2017-5010: Universal XSS in Blink.
    - CVE-2017-5011: Unauthorised file access in Devtools.
    - CVE-2017-5009: Out of bounds memory access in WebRTC.
    - CVE-2017-5012: Heap overflow in V8.
    - CVE-2017-5013: Address spoofing in Omnibox.
    - CVE-2017-5014: Heap overflow in Skia.
    - CVE-2017-5015: Address spoofing in Omnibox.
    - CVE-2017-5019: Use after free in Renderer.
    - CVE-2017-5016: UI spoofing in Blink.
    - CVE-2017-5017: Uninitialised memory access in webm video.
    - CVE-2017-5018: Universal XSS in chrome://apps.
    - CVE-2017-5020: Universal XSS in chrome://downloads.
    - CVE-2017-5021: Use after free in Extensions.
    - CVE-2017-5022: Bypass of Content Security Policy in Blink.
    - CVE-2017-5023: Type confusion in metrics.
    - CVE-2017-5024: Heap overflow in FFmpeg.
    - CVE-2017-5025: Heap overflow in FFmpeg.
    - CVE-2017-5026: UI spoofing.
  * debian/patches/screen_capturer: allow compilation on gcc4
  * debian/patches/arm64-support: reenable arm64
  * debian/patches/memory-free-assertion-failure: discover memory management
    assertion failures.
  * debian/rules: Avoid field trial experiments to get stable code.
    (closes: LP#1667125)
  * debian/patches/enable-chromecast-by-default: (LP: #1621753)
  * debian/rules: no longer use gconf. (LP: #1669100)
  * debian/rules: Build extra codecs as part of main chromium program,
    and libre/crippled/h.264less on its own. Seems to make h.264 work 
    again. Weird.
  * debian/chromium-browser.links: Make link to ./ instead of / to fix
    path problems that codec-using other apps might see.
  * Upstream release of 55.0.2883.87:
    - Change Flash running default to important content only.
  * debian/chromium-browser.sh.in: Insert the Flash version if empty and
  * debian/rules, debian/control: Use gcc/g++ 4.8 to build.
  * Upstream release of 55.0.2883.75:
    - CVE-2016-9651: Private property access in V8.
    - CVE-2016-5208: Universal XSS in Blink.
    - CVE-2016-5207: Universal XSS in Blink.
    - CVE-2016-5206: Same-origin bypass in PDFium.
    - CVE-2016-5205: Universal XSS in Blink.
    - CVE-2016-5204: Universal XSS in Blink.
    - CVE-2016-5209: Out of bounds write in Blink.
    - CVE-2016-5203: Use after free in PDFium.
    - CVE-2016-5210: Out of bounds write in PDFium.
    - CVE-2016-5212: Local file disclosure in DevTools.
    - CVE-2016-5211: Use after free in PDFium.
    - CVE-2016-5213: Use after free in V8.
    - CVE-2016-5214: File download protection bypass.
    - CVE-2016-5216: Use after free in PDFium.
    - CVE-2016-5215: Use after free in Webaudio.
    - CVE-2016-5217: Use of unvalidated data in PDFium.
    - CVE-2016-5218: Address spoofing in Omnibox.
    - CVE-2016-5219: Use after free in V8.
    - CVE-2016-5221: Integer overflow in ANGLE.
    - CVE-2016-5220: Local file access in PDFium.
    - CVE-2016-5222: Address spoofing in Omnibox.
    - CVE-2016-9650: CSP Referrer disclosure.
    - CVE-2016-5223: Integer overflow in PDFium.
    - CVE-2016-5226: Limited XSS in Blink.
    - CVE-2016-5225: CSP bypass in Blink.
    - CVE-2016-5224: Same-origin bypass in SVG
    - CVE-2016-9652: Various fixes from internal audits, fuzzing and other
  * Upstream release of 54.0.2840.100:
    - CVE-2016-5199: Heap corruption in FFmpeg.
    - CVE-2016-5200: Out of bounds memory access in V8.
    - CVE-2016-5201: Info leak in extensions.
    - CVE-2016-5202: Various fixes from internal audits, fuzzing and other
  * Move to using GN to build chromium.
    - debian/known_gn_gen_args
    - debian/rules
  * debian/rules, lintians, installs, script: Move component libs out of
    libs/, to /usr/lib/chromium-browser/ only.
  * debian/patches/do-not-use-bundled-clang: Use clang from path.
  * debian/control: Express that binary packages could be on "any"
  * debian/control: additionally build-dep on libgtk-3-dev
  * debian/patches/arm64-support: Fail nicer if aarch64/arm64 mismatch.
  * Upstrem release of 54.0.2840.59:
    - CVE-2016-5181: Universal XSS in Blink.
    - CVE-2016-5182: Heap overflow in Blink.
    - CVE-2016-5183: Use after free in PDFium.
    - CVE-2016-5184: Use after free in PDFium.
    - CVE-2016-5185: Use after free in Blink.
    - CVE-2016-5187: URL spoofing.
    - CVE-2016-5188: UI spoofing.
    - CVE-2016-5192: Cross-origin bypass in Blink.
    - CVE-2016-5189: URL spoofing.
    - CVE-2016-5186: Out of bounds read in DevTools.
    - CVE-2016-5191: Universal XSS in Bookmarks.
    - CVE-2016-5190: Use after free in Internals.
    - CVE-2016-5193: Scheme bypass.
    - CVE-2016-5194: Various fixes from internal audits, fuzzing and other
  * debian/patches/allow-component-build: Hard-code, override
    release -> no component logic.
  * debian/known_gyp_flags: Remove old GYP known-flags list.
  * debian/default-allocator: Insist on not using tcmalloc allocator.
  * debian/rules: Set LDFLAGS to limit memory usage.
  * debian/control: Remove extraneous dependencies.

Date: 2017-04-24 10:12:23.491570+00:00
Changed-By: Olivier Tilloy <olivier.tilloy at canonical.com>
Signed-By: Chris Coulson <chrisccoulson at ubuntu.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list