diff --git a/chromium.changes b/chromium.changes index 072542d..ad920ee 100644 --- a/chromium.changes +++ b/chromium.changes 
@@ -1,10 +1,254 @@ ------------------------------------------------------------------- -Fri Dec 14 09:02:01 UTC 2018 - Guillaume GARDET +Fri Jun 7 19:49:23 UTC 2019 - Tomáš Chvátal +- Update to 75.0.3770.80 bsc#1137332: + * CVE-2019-5828: Use after free in ServiceWorker + * CVE-2019-5829: Use after free in Download Manager + * CVE-2019-5830: Incorrectly credentialed requests in CORS + * CVE-2019-5831: Incorrect map processing in V8 + * CVE-2019-5832: Incorrect CORS handling in XHR + * CVE-2019-5833: Inconsistent security UI placemen + * CVE-2019-5835: Out of bounds read in Swiftshader + * CVE-2019-5836: Heap buffer overflow in Angle + * CVE-2019-5837: Cross-origin resources size disclosure in Appcache + * CVE-2019-5838: Overly permissive tab access in Extensions + * CVE-2019-5839: Incorrect handling of certain code points in Blink + * CVE-2019-5840: Popup blocker bypass + * Various fixes from internal audits, fuzzing and other initiatives + * CVE-2019-5834: URL spoof in Omnibox on iOS +- Remove merged patchsets: + * 00-basevalue.patch + * 01-basevalue.patch + * 02-basevalue.patch + * 03-basevalue.patch + * 04-basevalue.patch + * 05-basevalue.patch + * 06-basevalue.patch + * chromium-fix-crc32-for-aarch64.patch + * quic.patch +- Update patches: + * chromium-gcc.patch + * chromium-non-void-return.patch + * chromium-vaapi.patch + * old-libva.patch + +------------------------------------------------------------------- +Tue May 28 07:48:51 UTC 2019 - Tomáš Chvátal + +- Update to 74.0.3729.169: + * Feature fixes update only + +------------------------------------------------------------------- +Sun May 19 09:53:53 UTC 2019 - Andreas Stieger + +- Update to 74.0.3729.157: + * Various security fixes from internal audits, fuzzing and other + initiatives +- includes security fixes from 74.0.3729.131 (boo#1134218): + * CVE-2019-5827: Out-of-bounds access in SQLite + * CVE-2019-5824: Parameter passing error in media player + 
+------------------------------------------------------------------- +Tue May 7 09:18:05 UTC 2019 - Guillaume GARDET + +- Add patch to fix build on aarch64: + * chromium-fix-crc32-for-aarch64.patch + +------------------------------------------------------------------- +Tue Apr 30 09:04:56 UTC 2019 - Tomáš Chvátal + +- Update to 74.0.3729.108 bsc#1133313: + * CVE-2019-5805: Use after free in PDFium + * CVE-2019-5806: Integer overflow in Angle + * CVE-2019-5807: Memory corruption in V8 + * CVE-2019-5808: Use after free in Blink + * CVE-2019-5809: Use after free in Blink + * CVE-2019-5810: User information disclosure in Autofill + * CVE-2019-5811: CORS bypass in Blink + * CVE-2019-5813: Out of bounds read in V8 + * CVE-2019-5814: CORS bypass in Blink + * CVE-2019-5815: Heap buffer overflow in Blink + * CVE-2019-5818: Uninitialized value in media reader + * CVE-2019-5819: Incorrect escaping in developer tools + * CVE-2019-5820: Integer overflow in PDFium + * CVE-2019-5821: Integer overflow in PDFium + * CVE-2019-5822: CORS bypass in download manager + * CVE-2019-5823: Forced navigation from service worker + * CVE-2019-5812: URL spoof in Omnibox on iOS + * CVE-2019-5816: Exploit persistence extension on Android + * CVE-2019-5817: Heap buffer overflow in Angle on Windows +- Add patches: + * 00-basevalue.patch + * 01-basevalue.patch + * 02-basevalue.patch + * 03-basevalue.patch + * 04-basevalue.patch + * 05-basevalue.patch + * 06-basevalue.patch + * old-libva.patch + * quic.patch +- Remove patches: + * chromium-73.0.3683.75-pipewire-cstring-fix.patch + * chromium-fix_crashpad.patch + * chromium-fix_swiftshader.patch + * chromium-old-libva.patch +- Rebase patches: + * chromium-gcc.patch + * chromium-non-void-return.patch + * chromium-old-glibc.patch + +------------------------------------------------------------------- +Fri Apr 5 08:47:35 UTC 2019 - Tomáš Chvátal + +- Update to 73.0.3686.103: + * Various feature fixes + 
+------------------------------------------------------------------- +Mon Mar 25 13:49:17 UTC 2019 - Tomáš Chvátal + +- Add patch for pipewire build: + * chromium-73.0.3683.75-pipewire-cstring-fix.patch + +------------------------------------------------------------------- +Mon Mar 25 10:54:06 UTC 2019 - Tomáš Chvátal + +- Update to 73.0.3683.86: + * Just feature fixes around - Refresh patch: * chromium-non-void-return.patch -- Add new patch to fix aarch64 build: + +------------------------------------------------------------------- +Thu Mar 21 11:00:28 UTC 2019 - Tomáš Chvátal + +- Update conditions to use system harfbuzz on TW+ +- Require java during build +- Enable using pipewire when available +- Rebase chromium-vaapi.patch to match up the Fedora one + +------------------------------------------------------------------- +Wed Mar 13 10:19:38 UTC 2019 - Tomáš Chvátal + +- Update to 73.0.3683.75 bsc#1129059: + * CVE-2019-5787: Use after free in Canvas. + * CVE-2019-5788: Use after free in FileAPI. + * CVE-2019-5789: Use after free in WebMIDI. + * CVE-2019-5790: Heap buffer overflow in V8. + * CVE-2019-5791: Type confusion in V8. + * CVE-2019-5792: Integer overflow in PDFium. + * CVE-2019-5793: Excessive permissions for private API in Extensions. + * CVE-2019-5794: Security UI spoofing. + * CVE-2019-5795: Integer overflow in PDFium. + * CVE-2019-5796: Race condition in Extensions. + * CVE-2019-5797: Race condition in DOMStorage. + * CVE-2019-5798: Out of bounds read in Skia. + * CVE-2019-5799: CSP bypass with blob URL. + * CVE-2019-5800: CSP bypass with blob URL. + * CVE-2019-5801: Incorrect Omnibox display on iOS. + * CVE-2019-5802: Security UI spoofing. + * CVE-2019-5803: CSP bypass with Javascript URLs'. + * CVE-2019-5804: Command line command injection on Windows. 
+- Update patches: + * chromium-buildname.patch + * chromium-non-void-return.patch + * chromium-old-glibc.patch + * chromium-old-libva.patch + * chromium-vaapi.patch +- Removed patches: + * chromium-crashpad-fix_aarch64.patch + * chromium-webrtc-includes.patch +- Added patches: + * chromium-gcc.patch + * chromium-fix_crashpad.patch + +------------------------------------------------------------------- +Mon Mar 4 09:31:41 UTC 2019 - Tomáš Chvátal + +- Drop direct dependency on libgsm, we just need the devel + +------------------------------------------------------------------- +Sat Mar 2 14:46:23 UTC 2019 - Tomáš Chvátal + +- Update to 72.0.3626.121: + * fixes bsc#1127602 CVE-2019-5786 + +------------------------------------------------------------------- +Mon Feb 25 10:25:40 UTC 2019 - Tomáš Chvátal + +- Update to 72.0.3626.119: + * Feature fixes update only + +------------------------------------------------------------------- +Wed Feb 20 14:07:27 UTC 2019 - Tomáš Chvátal + +- Update to 72.0.3626.109: + * This is just feature fixes update + +------------------------------------------------------------------- +Mon Feb 11 08:42:01 UTC 2019 - Tomáš Chvátal + +- Update to 72.0.3626.96 bsc#1124936: + * CVE-2019-5784: Inappropriate implementation in V8 + +------------------------------------------------------------------- +Mon Feb 11 04:35:53 UTC 2019 - Simon Lees + +- Provide web_browser so chromium can be installed instead of firefox. + +------------------------------------------------------------------- +Wed Jan 30 08:58:19 UTC 2019 - Tomáš Chvátal + +- Update to 72.0.3626.81 bsc#1123641: + * CVE-2019-5754: Inappropriate implementation in QUIC Networking. Reported by Klzgrad on 2018-12-12 + * CVE-2019-5782: Inappropriate implementation in V8. Reported by Qixun Zhao of Qihoo 360 Vulcan Team via Tianfu Cup on 2018-11-16 + * CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya on 2018-12-10 + * CVE-2019-5756: Use after free in PDFium. 
Reported by Anonymous on 2018-10-14 + * CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15 + * CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11 + * CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin on 2018-12-05 + * CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05 + * CVE-2019-5761: Use after free in SwiftShader. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13 + * CVE-2019-5762: Use after free in PDFium. Reported by Anonymous on 2018-10-31 + * CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13 + * CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09 + * CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin (@bagipro) on 2019-01-16 + * CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg on 2018-11-20 + * CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06 + * CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu on 2018-01-24 + * CVE-2019-5769: Insufficient validation of untrusted input in Blink. Reported by Guy Eshel on 2018-12-11 + * CVE-2019-5770: Heap buffer overflow in WebGL. Reported by hemidallt@ on 2018-11-27 + * CVE-2019-5771: Heap buffer overflow in SwiftShader. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. 
Ltd on 2018-11-12 + * CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26 + * CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2018-12-24 + * CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by Junghwan Kang (ultract) and Juno Im on 2018-11-11 + * CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18 + * CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang on 2018-07-14 + * CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani on 2018-06-04 + * CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg on 2019-01-02 + * CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg on 2018-11-11 + * CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03 + * CVE-2019-5781: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18 +- Added patches: + * chromium-crashpad-fix_aarch64.patch * chromium-fix_swiftshader.patch + * chromium-webrtc-includes.patch +- Obsoleted patches: + * chromium-gcc8-alignof.patch + * chromium-initialize-list.patch +- Updated patches: + * chromium-dma-buf.patch + * chromium-non-void-return.patch + * chromium-skia-system-fontconfig.patch + * chromium-system-icu.patch + * chromium-vaapi.patch +- Try to reduce constraints to avoid being so much just in + scheduled state + + +------------------------------------------------------------------- +Wed Jan 2 08:30:23 UTC 2019 - Tomáš Chvátal + +- Tweak fix_building_widevinecdm_with_chromium.patch to make it + work again bsc#1120429 ------------------------------------------------------------------- Fri Dec 14 08:51:26 UTC 2018 - Guillaume GARDET 
@@ -13,15 +257,11 @@ Fri Dec 14 08:51:26 UTC 2018 - Guillaume GARDET lots of RAM ------------------------------------------------------------------- -Thu Dec 13 11:21:37 UTC 2018 - Tomáš Chvátal +Thu Dec 13 11:22:25 UTC 2018 - Tomáš Chvátal -- Up to 72.0.3626.14 - -------------------------------------------------------------------- -Wed Dec 12 17:39:51 UTC 2018 - Guillaume GARDET - -- Update chromium-vaapi.patch -- Update chromium-system-icu.patch +- Version update to 71.0.3578.98 bsc#1119364: + * CVE-2018-17481: Use after free in PDFium +- Redo chromium-old-libva.patch ------------------------------------------------------------------- Fri Dec 7 14:32:25 UTC 2018 - Guillaume GARDET 
@@ -29,222 +269,597 @@ Fri Dec 7 14:32:25 UTC 2018 - Guillaume GARDET - Increase %limit_build value to avoid OOM ------------------------------------------------------------------- -Mon Nov 26 09:03:03 UTC 2018 - Guillaume GARDET +Thu Dec 6 14:13:10 UTC 2018 - Tomáš Chvátal -- Rework aarch64 build requirements +- Add patch to build on Leap 42.x: + * chromium-old-libva.patch ------------------------------------------------------------------- -Thu Nov 22 10:38:45 UTC 2018 - Guillaume GARDET +Thu Dec 6 08:41:53 UTC 2018 - Tomáš Chvátal -- Reduce jumbo_file_merge_limit to 8 for aarch64 to avoid OOM -- Fix again aarch64 skia build: +- Version update to 71.0.3578.80 bsc#1118529: + - CVE-2018-17480: Out of bounds write in V8 + - CVE-2018-17481: Use after frees in PDFium + - CVE-2018-18335: Heap buffer overflow in Skia + - CVE-2018-18336: Use after free in PDFium + - CVE-2018-18337: Use after free in Blink + - CVE-2018-18338: Heap buffer overflow in Canvas + - CVE-2018-18339: Use after free in WebAudio + - CVE-2018-18340: Use after free in MediaRecorder + - CVE-2018-18341: Heap buffer overflow in Blink + - CVE-2018-18342: Out of bounds write in V8 + - CVE-2018-18343: Use after free in Skia + - CVE-2018-18344: Inappropriate implementation in Extensions + - Multiple issues in SQLite via WebSQL + - CVE-2018-18345: Inappropriate implementation in Site Isolation + - CVE-2018-18346: Incorrect security UI in Blink + - CVE-2018-18347: Inappropriate implementation in Navigation + - CVE-2018-18348: Inappropriate implementation in Omnibox + - CVE-2018-18349: Insufficient policy enforcement in Blink + - CVE-2018-18350: Insufficient policy enforcement in Blink + - CVE-2018-18351: Insufficient policy enforcement in Navigation + - CVE-2018-18352: Inappropriate implementation in Media + - CVE-2018-18353: Inappropriate implementation in Network Authentication + - CVE-2018-18354: Insufficient data validation in Shell Integration + - CVE-2018-18355: Insufficient policy enforcement in URL 
Formatter + - CVE-2018-18356: Use after free in Skia + - CVE-2018-18357: Insufficient policy enforcement in URL Formatter + - CVE-2018-18358: Insufficient policy enforcement in Proxy. + - CVE-2018-18359: Out of bounds read in V8 + - Inappropriate implementation in PDFium + - Use after free in Extensions + - Inappropriate implementation in Navigation + - Insufficient policy enforcement in Navigation + - Insufficient policy enforcement in URL Formatter + - Various fixes from internal audits, fuzzing and other initiatives +- Updated/refreshed patches: + * fix_building_widevinecdm_with_chromium.patch + * chromium-vaapi.patch * chromium-skia-aarch64-buildfix.patch + * chromium-prop-codecs.patch + * chromium-non-void-return.patch +- Removed patches: + * chromium-gcc8-constexpr.patch + * chromium-libva1.patch + * chromium-pdfium-include.patch + * chromium-warnings.patch +- Added patches: + * chromium-initialize-list.patch ------------------------------------------------------------------- -Tue Sep 18 07:33:02 UTC 2018 - Tomáš Chvátal +Wed Nov 21 09:09:28 UTC 2018 - Tomáš Chvátal -- Up to 71.0.3551.3 +- Version update to 70.0.3538.110 bsc#1116608: + * CVE-2018-17479: Use-after-free in GPU ------------------------------------------------------------------- -Wed Aug 22 08:20:49 UTC 2018 - tchvatal@suse.com +Wed Nov 14 09:42:33 UTC 2018 - Tomáš Chvátal -- Up to 70.0.3528.4 +- Version update to 70.0.3538.102 bsc#1115537 CVE-2018-17478 + * CVE-2018-17478: Out of bounds memory access in V8 ------------------------------------------------------------------- -Wed Aug 15 09:05:40 UTC 2018 - tchvatal@suse.com +Sat Nov 3 21:18:07 UTC 2018 - Yunhe Guo -- Up to chromium-70.0.3521.2 -- Add patch trying to build with system icu: +- Remove noto-emoji-fonts recommends. noto-emoji-fonts has been + inactive for a long time. noto-coloremoji-fonts is the current + recommended emoji fonts from noto. And noto-emoji-fonts (monochrome) + disables noto-coloremoji-fonts (colorful). 
+ +------------------------------------------------------------------- +Thu Oct 25 09:07:47 UTC 2018 - Tomáš Chvátal + +- Update to 70.0.3538.77: + * Few feature fixes only +- Do not meintion armv6 and armv7 in the constraints +- Update patch chromium-non-void-return.patch + +------------------------------------------------------------------- +Mon Oct 22 11:43:26 UTC 2018 - Tomáš Chvátal + +- Add patch trying to get the pkg to build with libva 1.x releases: + * chromium-libva1.patch +- Update chromium-old-glibc.patch to contain more tweaked locations + +------------------------------------------------------------------- +Fri Oct 19 12:43:06 UTC 2018 - Tomáš Chvátal + +- Add back chromium-old-glibc.patch to make sure we build on 42.3 +- Reduce the merge number on jumbo files to reduce memory usage bit + +------------------------------------------------------------------- +Fri Oct 19 09:58:46 UTC 2018 - astieger@suse.com + +- remove trigger word from spec that trips up legal-auto + +------------------------------------------------------------------- +Wed Oct 17 08:07:37 UTC 2018 - Tomáš Chvátal + +- Update to 70.0.3538.67 bsc#1112111: + * CVE-2018-17462: Sandbox escape in AppCache + * CVE-2018-17463: Remote code execution in V8 + * CVE to be assigned: Heap buffer overflow in Little CMS in PDFium + * CVE-2018-17464: URL spoof in Omnibox + * CVE-2018-17465: Use after free in V8 + * CVE-2018-17466: Memory corruption in Angle + * CVE-2018-17467: URL spoof in Omnibox + * CVE-2018-17468: Cross-origin URL disclosure in Blink + * CVE-2018-17469: Heap buffer overflow in PDFium + * CVE-2018-17470: Memory corruption in GPU Internals + * CVE-2018-17471: Security UI occlusion in full screen mode + * CVE-2018-17472: iframe sandbox escape on iOS + * CVE-2018-17473: URL spoof in Omnibox + * CVE-2018-17474: Use after free in Blink + * CVE-2018-17475: URL spoof in Omnibox + * CVE-2018-17476: Security UI occlusion in full screen mode + * CVE-2018-5179: Lack of limits on update() in 
ServiceWorker + * CVE-2018-17477: UI spoof in Extensions +- Added patches: + * chromium-gcc8-constexpr.patch + * chromium-libusb_interrupt_event_handler.patch + * chromium-pdfium-include.patch + * chromium-system-libusb.patch +- Removed patches: + * chromium-old-glibc.patch + * chromium-vpx-aarch64.patch +- Updated patches: + * chromium-gcc8-alignof.patch + * chromium-non-void-return.patch + * chromium-prop-codecs.patch + * chromium-sandbox-pie.patch + * chromium-skia-system-fontconfig.patch + * chromium-vaapi.patch +- Redo the vaapi patch to be default on as there are no reports of + issues with it +- Use system libusb-1.0 +- Use jumbo build to speed things up +- Use bundled harfbuzz because we need newer than latest release +- Disable gnome-keyring as it crashes the chromium quite often + +------------------------------------------------------------------- +Tue Sep 18 09:29:55 UTC 2018 - Tomáš Chvátal + +- Keep blank line after autopatch to make SLE12 rpm macros happy + +------------------------------------------------------------------- +Tue Sep 18 07:27:09 UTC 2018 - Tomáš Chvátal + +- Update to 69.0.3497.100 bsc#1108774 + * Fixes from internal audits, fuzzing and other initiatives + +------------------------------------------------------------------- +Wed Sep 12 12:52:08 UTC 2018 - astieger@suse.com + +- Chromium 69.0.3497.92 (boo#1108114), containing 2 security fixes: + * Function signature mismatch in WebAssembly + * URL Spoofing in Omnibox +- the rpm should not provide swiftshader libs boo#1108175 +- make jumbo build configurable, default off + +------------------------------------------------------------------- +Sat Sep 8 11:12:43 UTC 2018 - tchvatal@suse.com + +- Enable jumbo build to speed things up +- Enable vulkan integration + +------------------------------------------------------------------- +Thu Sep 6 13:27:18 UTC 2018 - tchvatal@suse.com + +- Add patch to fix mojo build on 32bit: + * chromium-gcc8-alignof.patch + 
+------------------------------------------------------------------- +Thu Sep 6 09:13:49 UTC 2018 - Tomáš Chvátal + +- Split out the gn from this package, obsoletes patches: + * fix-gn-bootstrap.patch + * chromium-last-commit-position-r0.patch + +------------------------------------------------------------------- +Thu Sep 6 09:09:57 UTC 2018 - Tomáš Chvátal + +- Version update to 69.0.3497.81 bsc#1107235: + * CVE-2018-16065: Out of bounds write in V8 + * CVE-2018-16066:Out of bounds read in Blink + * CVE-2018-16067: Out of bounds read in WebAudio + * CVE-2018-16068: Out of bounds write in Mojo + * CVE-2018-16069:Out of bounds read in SwiftShader + * CVE-2018-16070: Integer overflow in Skia + * CVE-2018-16071: Use after free in WebRTC + * CVE-2018-16073: Site Isolation bypass after tab restore + * CVE-2018-16074: Site Isolation bypass using Blob URLS + * Out of bounds read in Little-CMS + * CVE-2018-16075: Local file access in Blink + * CVE-2018-16076: Out of bounds read in PDFium + * CVE-2018-16077: Content security policy bypass in Blink + * CVE-2018-16078: Credit card information leak in Autofill + * CVE-2018-16079: URL spoof in permission dialogs + * CVE-2018-16080: URL spoof in full screen mode + * CVE-2018-16081: Local file access in DevTools + * CVE-2018-16082: Stack buffer overflow in SwiftShader + * CVE-2018-16083: Out of bounds read in WebRTC + * CVE-2018-16084: User confirmation bypass in external protocol handling + * CVE-2018-16085: Use after free in Memory Instrumentation + * CVE-2018-16086: Script injection in New Tab Page. + * CVE-2018-16087: Multiple download restriction bypass. + * CVE-2018-16088: User gesture requirement bypass. 
+- Added patches: + * chromium-old-glibc.patch * chromium-system-icu.patch + * chromium-warnings.patch +- Removed patches: + * chromium-cors-string.patch + * chromium-crashpad-aarch64-fix.patch + * chromium-ffmpeg.patch + * chromium-gcc.patch + * chromium-gcc7.patch + * chromium-libjpeg.patch + * chromium-libwebp-shim.patch +- Rebased patches: + * chromium-last-commit-position-r0.patch + * chromium-non-void-return.patch + * chromium-sandbox-pie.patch + * chromium-skia-system-fontconfig.patch + * chromium-vaapi.patch ------------------------------------------------------------------- -Sun Aug 5 11:22:37 UTC 2018 - tchvatal@suse.com +Wed Aug 8 21:14:43 UTC 2018 - tchvatal@suse.com -- Up to chromium-70.0.3510.0 +- Update to chromium-68.0.3440.106: + * Various feature fixes ------------------------------------------------------------------- -Thu Aug 2 09:48:34 UTC 2018 - tchvatal@suse.com +Wed Aug 1 10:12:25 UTC 2018 - tchvatal@suse.com -- Up to 69.0.3497.23 +- Version update to 68.0.3440.84: + * Various small feature fixes only ------------------------------------------------------------------- -Fri Jul 27 13:11:50 UTC 2018 - tchvatal@suse.com - -- Up to chromium-69.0.3497.12 - -------------------------------------------------------------------- -Thu Jul 26 12:29:53 UTC 2018 - guillaume.gardet@opensuse.org +Wed Jul 25 15:56:24 UTC 2018 - guillaume.gardet@opensuse.org - Add patch to fix aarch64 build: - * chromium-vpx-aarch64.patch + * chromium-vpx-aarch64.patch ------------------------------------------------------------------- -Wed Jul 25 14:10:47 UTC 2018 - tchvatal@suse.com +Wed Jul 25 14:29:16 UTC 2018 - tchvatal@suse.com -- Up to 69.0.3493.3 +- Add patch trying to build chromium on Leap 42.3: + * chromium-gcc7.patch ------------------------------------------------------------------- -Mon Jul 16 14:47:54 UTC 2018 - tchvatal@suse.com +Wed Jul 25 13:08:17 UTC 2018 - tchvatal@suse.com -- Up to 69.0.3486.0 +- Raise libvpx requirement to match what we really need 
------------------------------------------------------------------- -Fri Jun 29 09:03:46 UTC 2018 - tchvatal@suse.com +Wed Jul 25 09:53:23 UTC 2018 - tchvatal@suse.com -- Up to 69.0.3472.3 +- Version update to 68.0.3440.75 bsc#1102530: + * CVE-2018-6153: Stack buffer overflow in Skia. + * CVE-2018-6154: Heap buffer overflow in WebGL. + * CVE-2018-6155: Use after free in WebRTC. + * CVE-2018-6156: Heap buffer overflow in WebRTC. + * CVE-2018-6157: Type confusion in WebRTC. + * CVE-2018-6158: Use after free in Blink. + * CVE-2018-6159: Same origin policy bypass in ServiceWorker. + * CVE-2018-6160: URL spoof in Chrome on iOS. + * CVE-2018-6161: Same origin policy bypass in WebAudio. + * CVE-2018-6162: Heap buffer overflow in WebGL. + * CVE-2018-6163: URL spoof in Omnibox. + * CVE-2018-6164: Same origin policy bypass in ServiceWorker. + * CVE-2018-6165: URL spoof in Omnibox. + * CVE-2018-6166: URL spoof in Omnibox. + * CVE-2018-6167: URL spoof in Omnibox. + * CVE-2018-6168: CORS bypass in Blink. + * CVE-2018-6169: Permissions bypass in extension installation. + * CVE-2018-6170: Type confusion in PDFium. + * CVE-2018-6171: Use after free in WebBluetooth. + * CVE-2018-6172: URL spoof in Omnibox. + * CVE-2018-6173: URL spoof in Omnibox. + * CVE-2018-6174: Integer overflow in SwiftShader. + * CVE-2018-6175: URL spoof in Omnibox. + * CVE-2018-6176: Local user privilege escalation in Extensions. + * CVE-2018-6177: Cross origin information leak in Blink. + * CVE-2018-6178: UI spoof in Extensions. + * CVE-2018-6179: Local file information leak in Extensions. + * CVE-2018-6044: Request privilege escalation in Extensions. + * CVE-2018-4117: Cross origin information leak in Blink. 
+- Rebase patches: + * chromium-master-prefs-path.patch + * chromium-non-void-return.patch + * chromium-vaapi.patch +- Add patches: + * chromium-cors-string.patch + * chromium-gcc.patch + * chromium-libjpeg.patch + * chromium-libwebp-shim.patch +- Remove patches: + * chromium-gcc8.patch ------------------------------------------------------------------- -Sun Jun 10 09:52:42 UTC 2018 - tchvatal@suse.com +Tue Jul 10 11:40:21 UTC 2018 - tchvatal@suse.com -- Up to 69.0.3452.0 +- Version update to 67.0.3396.99: + * Various small feature fixes, no security ------------------------------------------------------------------- -Sun Jun 10 09:24:57 UTC 2018 - tchvatal@suse.com +Fri Jun 15 19:51:32 UTC 2018 - tchvatal@suse.com -- Up to 68.0.3440.17 +- Add patch to build under gcc8: + * chromium-gcc8.patch ------------------------------------------------------------------- -Mon May 28 10:33:56 UTC 2018 - tchvatal@suse.com +Wed Jun 13 09:26:43 UTC 2018 - security@suse.com -- Up to 68.0.3438.3 +- Chromium 67.0.3396.87: + * CVE-2018-6149: Out of bounds write in V8 (boo#1097452) ------------------------------------------------------------------- -Fri May 18 14:06:56 UTC 2018 - tchvatal@suse.com +Thu Jun 7 12:23:26 UTC 2018 - astieger@suse.com -- Up to 68.0.3432.3 +- Chromium 67.0.3396.79: + * CVE-2018-6148: Incorrect handling of CSP header (boo#1096508) ------------------------------------------------------------------- -Tue May 15 13:53:14 UTC 2018 - guillaume.gardet@opensuse.org +Fri Jun 1 17:45:46 UTC 2018 - tchvatal@suse.com -- Fix AArch64 build with chromium-crashpad-aarch64-fix.patch +- Require ffmpeg >= 4.0 bsc#1095545 ------------------------------------------------------------------- -Wed May 9 09:11:46 UTC 2018 - tchvatal@suse.com +Wed May 30 11:18:13 UTC 2018 - tchvatal@suse.com -- Up to 68.0.3423.2 -- Refresh patch chromium-master-prefs-path.patch +- Update to 67.0.3396.62 bsc#1095163 + * CVE-2018-6123: Use after free in Blink. 
+ * CVE-2018-6124: Type confusion in Blink. + * CVE-2018-6125: Overly permissive policy in WebUSB. + * CVE-2018-6126: Heap buffer overflow in Skia. + * CVE-2018-6127: Use after free in indexedDB. + * CVE-2018-6128: uXSS in Chrome on iOS. + * CVE-2018-6129: Out of bounds memory access in WebRTC. + * CVE-2018-6130: Out of bounds memory access in WebRTC. + * CVE-2018-6131: Incorrect mutability protection in WebAssembly. + * CVE-2018-6132: Use of uninitialized memory in WebRTC. + * CVE-2018-6133: URL spoof in Omnibox. + * CVE-2018-6134: Referrer Policy bypass in Blink. + * CVE-2018-6135: UI spoofing in Blink. + * CVE-2018-6136: Out of bounds memory access in V8. + * CVE-2018-6137: Leak of visited status of page in Blink. + * CVE-2018-6138: Overly permissive policy in Extensions. + * CVE-2018-6139: Restrictions bypass in the debugger extension API. + * CVE-2018-6140: Restrictions bypass in the debugger extension API. + * CVE-2018-6141: Heap buffer overflow in Skia. + * CVE-2018-6142: Out of bounds memory access in V8. + * CVE-2018-6143: Out of bounds memory access in V8. + * CVE-2018-6144: Out of bounds memory access in PDFium. + * CVE-2018-6145: Incorrect escaping of MathML in Blink. + * CVE-2018-6147: Password fields not taking advantage of OS protections in Views. 
+- Add patches to build on aarch and remove obsolete one: + * chromium-crashpad-aarch64-fix.patch + * chromium-skia-aarch64-buildfix.patch + * chromium-65.0.3325.162-skia-aarch64-buildfix.patch + * chromium-skia-neon.patch +- Remove no longer needed gcc patch: + * chromium-gcc7.patch +- Rebase patches: + * chromium-non-void-return.patch + * chromium-vaapi.patch + * exclude_ymp.patch + * fix_building_widevinecdm_with_chromium.patch ------------------------------------------------------------------- -Wed May 9 08:38:02 UTC 2018 - guillaume.gardet@opensuse.org +Sat May 26 23:01:20 UTC 2018 - astieger@suse.com -- Fix AArch64 build with chromium-skia-aarch64-buildfix.patch +- on SLE 12 with SUSE PackageHub 12, do not require the SDK for + libwebpmux1 (bsc#1070421) ------------------------------------------------------------------- -Wed May 9 08:34:37 UTC 2018 - tchvatal@suse.com +Sat May 26 07:08:04 UTC 2018 - astieger@suse.com -- Add patch chromium-skia-system-fontconfig.patch bsc#1092272 -- Up to 67.0.3393.30 +- Fix installation issue on SUSE PackageHub 12 with libminizip1 + (bsc#1093031) ------------------------------------------------------------------- -Wed May 9 07:53:48 UTC 2018 - guillaume.gardet@opensuse.org +Wed May 16 07:05:32 UTC 2018 - astieger@suse.com + +- Chromium 66.0.3359.181: + * Autoplay: Force enable on desktop for Web Audio + +------------------------------------------------------------------- +Fri May 11 12:10:44 UTC 2018 - astieger@suse.com + +- Chromium 66.0.3359.170 (bsc#1092923): + * Chain leading to sandbox escape: + CVE-2018-6121: Privilege Escalation in extensions + CVE-2018-6122: Type confusion in V8 + * CVE-2018-6120: Heap buffer overflow in PDFium + * Various fixes from internal audits, fuzzing and other + initiatives + +------------------------------------------------------------------- +Wed May 9 08:36:30 UTC 2018 - tchvatal@suse.com + +- Add patch chromium-skia-system-fontconfig.patch to fix + bsc#1092272 + 
+------------------------------------------------------------------- +Fri May 4 06:53:49 UTC 2018 - guillaume.gardet@opensuse.org - Enable build on AArch64 - Fix build on AArch64: * set target_cpu to arm64 * disable tcmalloc and swiftshader for aarch64 + * Add new patches: + - chromium-65.0.3325.162-skia-aarch64-buildfix.patch + - chromium-skia-neon.patch ------------------------------------------------------------------- -Wed Apr 25 14:59:25 UTC 2018 - tchvatal@suse.com +Fri Apr 27 08:22:18 UTC 2018 - tchvatal@suse.com -- Up to chromium-67.0.3396.18 +- chromium 66.0.3359.139: + * CVE-2018-6118: Use after free in Media Cache (bsc#1091288) + * drop add-missing-blink-tools.patch, now in tarball again ------------------------------------------------------------------- -Thu Apr 12 09:10:48 UTC 2018 - tchvatal@suse.com +Wed Apr 18 09:14:21 UTC 2018 - tchvatal@suse.com -- Up to 67.0.3393.4 -- Refresh patch exclude_ymp.patch +- Version bump to chromium 66.0.3359.117 bsc#1090000: + * CVE-2018-6085: Use after free in Disk Cache + * CVE-2018-6086: Use after free in Disk Cache + * CVE-2018-6087: Use after free in WebAssembly + * CVE-2018-6088: Use after free in PDFium + * CVE-2018-6089: Same origin policy bypass in Service Worker + * CVE-2018-6090: Heap buffer overflow in Skia + * CVE-2018-6091: Incorrect handling of plug-ins by Service Worker + * CVE-2018-6092: Integer overflow in WebAssembly + * CVE-2018-6093: Same origin bypass in Service Worker + * CVE-2018-6094: Exploit hardening regression in Oilpan + * CVE-2018-6095: Lack of meaningful user interaction requirement before file upload + * CVE-2018-6096: Fullscreen UI spoof + * CVE-2018-6097: Fullscreen UI spoof + * CVE-2018-6098: URL spoof in Omnibox + * CVE-2018-6099: CORS bypass in ServiceWorker + * CVE-2018-6100: URL spoof in Omnibox + * CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools + * CVE-2018-6102: URL spoof in Omnibox + * CVE-2018-6103: UI spoof in Permissions + * CVE-2018-6104: 
URL spoof in Omnibox + * CVE-2018-6105: URL spoof in Omnibox + * CVE-2018-6106: Incorrect handling of promises in V8 + * CVE-2018-6107: URL spoof in Omnibox + * CVE-2018-6108: URL spoof in Omnibox + * CVE-2018-6109: Incorrect handling of files by FileAPI + * CVE-2018-6110: Incorrect handling of plaintext files via file:// + * CVE-2018-6111: Heap-use-after-free in DevTools + * CVE-2018-6112: Incorrect URL handling in DevTools + * CVE-2018-6113: URL spoof in Navigation + * CVE-2018-6114: CSP bypass + * CVE-2018-6115: SmartScreen bypass in downloads + * CVE-2018-6116: Incorrect low memory handling in WebAssembly + * CVE-2018-6117: Confusing autofill settings + * Various fixes from internal audits, fuzzing and other initiatives +- Remove obsolete patches: + * chromium-compiler.patch + * chromium-glibc-2.27.patch + * chromium-vaapi-init.patch + * exclude_ymp.diff + * fix-gn-bootstrap.diff + * fix_network_api_crash.patch + * mojo.patch +- Add new patches: + * chromium-ffmpeg.patch + * chromium-gcc7.patch + * exclude_ymp.patch + * fix-gn-bootstrap.patch +- Rebase patches: + * chromium-master-prefs-path.patch + * chromium-non-void-return.patch + * chromium-sandbox-pie.patch + * chromium-vaapi.patch +- Add patch to fix missing folder from tarball: + * add-missing-blink-tools.patch ------------------------------------------------------------------- -Wed Apr 4 11:49:20 UTC 2018 - tchvatal@suse.com +Sun Apr 8 10:49:06 UTC 2018 - tchvatal@suse.com -- Bump to 67.0.3386.1 +- Add vaapi patches: + * chromium-vaapi-init.patch + * chromium-vaapi.patch ------------------------------------------------------------------- -Wed Mar 28 12:37:50 UTC 2018 - tchvatal@suse.com +Fri Apr 6 12:54:24 UTC 2018 - tchvatal@suse.com -- Bump to 67.0.3381.1 +- Use memory-constraints package to limit threads as needed ------------------------------------------------------------------- -Fri Mar 23 12:01:52 UTC 2018 - tchvatal@suse.com +Wed Mar 21 06:31:27 UTC 2018 - astieger@suse.com -- Bump to 
67.0.3377.1 +- Update to Chromium 65.0.3325.181: + * Various security relevant fixes from internal audits, fuzzing + and other initiatives (boo#1086124) ------------------------------------------------------------------- -Tue Mar 20 10:19:55 UTC 2018 - tchvatal@suse.com +Tue Mar 20 12:33:53 UTC 2018 - tchvatal@suse.com -- Bump to 67.0.3371.0 -- Remove no longer needed chromium-gcc7.patch -- Rebase fix_building_widevinecdm_with_chromium.patch to allow - widevine builds +- Use both freetype and harfbuzz either bundled or system ------------------------------------------------------------------- -Tue Mar 20 10:14:15 UTC 2018 - tchvatal@suse.com +Wed Mar 14 14:18:35 UTC 2018 - tchvatal@suse.com -- Bump to 66.0.3359.33 +- Version update to 65.0.3325.162: + * Various stability fixes only ------------------------------------------------------------------- -Wed Mar 14 14:19:21 UTC 2018 - tchvatal@suse.com +Wed Mar 14 09:00:37 UTC 2018 - tchvatal@suse.com -- Version bump to 66.0.3359.26 +- Bundle the harfbuzz on < 15.0 release as we would have to + use requires_ge for the library itself later on otherwise ------------------------------------------------------------------- -Wed Mar 14 13:32:18 UTC 2018 - tchvatal@suse.com +Fri Mar 9 09:10:01 UTC 2018 - tchvatal@suse.com -- Bump the requirement for the clang version +- Make sure to require gcc7 +- Add patch chromium-drm.patch to make sure to build with Leap 42.3 + variant of libdrm ------------------------------------------------------------------- -Wed Mar 14 09:01:33 UTC 2018 - tchvatal@suse.com +Thu Mar 8 09:00:54 UTC 2018 - tchvatal@suse.com -- Conditionalize harfbuzz switch +- Version update to 65.0.3325.146 bsc#1084296: + * High CVE-2017-11215: Use after free in Flash. + * High CVE-2017-11225: Use after free in Flash. + * High CVE-2018-6060: Use after free in Blink. + * High CVE-2018-6061: Race condition in V8. + * High CVE-2018-6062: Heap buffer overflow in Skia. 
+ * High CVE-2018-6057: Incorrect permissions on shared memory. + * High CVE-2018-6063: Incorrect permissions on shared memory. + * High CVE-2018-6064: Type confusion in V8. + * High CVE-2018-6065: Integer overflow in V8. + * Medium CVE-2018-6066: Same Origin Bypass via canvas. + * Medium CVE-2018-6067: Buffer overflow in Skia. + * Medium CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. + * Medium CVE-2018-6069: Stack buffer overflow in Skia. + * Medium CVE-2018-6070: CSP bypass through extensions. + * Medium CVE-2018-6071: Heap bufffer overflow in Skia. + * Medium CVE-2018-6072: Integer overflow in PDFium. + * Medium CVE-2018-6073: Heap bufffer overflow in WebGL. + * Medium CVE-2018-6074: Mark-of-the-Web bypass. + * Medium CVE-2018-6075: Overly permissive cross origin downloads. + * Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. + * Medium CVE-2018-6077: Timing attack using SVG filters. + * Medium CVE-2018-6078: URL Spoof in OmniBox. + * Medium CVE-2018-6079: Information disclosure via texture data in WebGL. + * Medium CVE-2018-6080: Information disclosure in IPC call. + * Low CVE-2018-6081: XSS in interstitials. + * Low CVE-2018-6082: Circumvention of port blocking. + * Low CVE-2018-6083: Incorrect processing of AppManifests. 
+- Add new patches: + * chromium-compiler.patch + * chromium-glibc-2.27.patch + * mojo.patch +- Drop patches: + * chromium-angle.patch + * chromium-memcpy.patch +- Update constraints +- Refresh patch chromium-non-void-return.patch to include more + fixes ------------------------------------------------------------------- -Mon Mar 12 10:18:18 UTC 2018 - tchvatal@suse.com +Sat Feb 24 19:02:51 UTC 2018 - astieger@suse.com -- Update to 66.0.3359.22 +- Chromium 64.0.3282.186: + * Various minor bug fixes ------------------------------------------------------------------- -Fri Mar 9 11:20:35 UTC 2018 - tchvatal@suse.com +Wed Feb 14 08:16:34 UTC 2018 - astieger@suse.com -- Apply patches using %autopatch -- Add patch to build with gcc7 properly chromium-gcc7.patch -- Drop patch chromium-sandbox-pie.patch as we have pie default now -- Add patch to build with leap variant of drm chromium-drm.patch +- update to 64.0.3282.167 (bsc#1080920): + * CVE-2018-6056: Incorrect derived class instantiation in V8 ------------------------------------------------------------------- -Wed Mar 7 12:11:45 UTC 2018 - tchvatal@suse.com +Fri Feb 2 11:16:23 UTC 2018 - tchvatal@suse.com -- Add patch to build ffmpeg from system chromium-ffmpeg.patch - -------------------------------------------------------------------- -Wed Mar 7 10:30:24 UTC 2018 - tchvatal@suse.com - -- Up to 66.0.3355.0 -- Disable clang by default again - -------------------------------------------------------------------- -Tue Feb 27 09:35:21 UTC 2018 - tchvatal@suse.com - -- Up to 66.0.3350.0 - -------------------------------------------------------------------- -Thu Feb 15 09:08:22 UTC 2018 - tchvatal@suse.com - -- Drop patch fix_network_api_crash.patch - -------------------------------------------------------------------- -Mon Feb 12 10:10:58 UTC 2018 - tchvatal@suse.com - -- Bump to 66.0.3343.3 - -------------------------------------------------------------------- -Wed Feb 7 13:58:33 UTC 2018 - tchvatal@suse.com - -- Bump to 
65.0.3325.51 - -------------------------------------------------------------------- -Tue Feb 6 12:00:36 UTC 2018 - tchvatal@suse.com - -- Disable gconf support +- Version update to 64.0.3282.140 bsc#1079021: + * Various asan fixes bsc#1078463 CVE-2018-6406 ------------------------------------------------------------------- Fri Feb 2 10:43:48 UTC 2018 - dimstar@opensuse.org @@ -255,9 +870,9 @@ Fri Feb 2 10:43:48 UTC 2018 - dimstar@opensuse.org /proc/meminfo. ------------------------------------------------------------------- -Wed Jan 31 09:45:45 UTC 2018 - tchvatal@suse.com +Mon Jan 29 13:07:38 UTC 2018 - tchvatal@suse.com -- Bump to 65.0.3325.31 +- Fix default page to not point to 404 ------------------------------------------------------------------- Mon Jan 29 12:36:31 UTC 2018 - tchvatal@suse.com 
@@ -265,296 +880,319 @@ Mon Jan 29 12:36:31 UTC 2018 - tchvatal@suse.com - Install swiftshader objects too as they are needed ------------------------------------------------------------------- -Fri Jan 26 10:12:22 UTC 2018 - tchvatal@suse.com +Fri Jan 26 10:11:22 UTC 2018 - tchvatal@suse.com -- Update to 65.0.3325.18 -- Try to have automatic ozone platform detection +- Disable ozone stuff conditions for now as the headless mode + breaks up runtime bsc#1077722 ------------------------------------------------------------------- -Wed Jan 17 14:28:37 UTC 2018 - tchvatal@suse.com +Thu Jan 25 09:51:59 UTC 2018 - tchvatal@suse.com -- Bump to 65.0.3322.3 +- Switch to gcc7 on Leap builds ------------------------------------------------------------------- -Mon Jan 8 20:12:43 UTC 2018 - tchvatal@suse.com +Thu Jan 25 09:42:51 UTC 2018 - tchvatal@suse.com -- Bump to 65.0.3311.3 -- Drop chromium-63.0.3289.84-fix-ft-hb-unbundle.patch +- Version update to 64.0.3282.119 bsc#1077571: + * High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01 + * High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20 + * High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09 + * Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12 + * Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23 + * Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK's National Cyber Security Centre (NCSC) on 2017-11-30 + * Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09 + * Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12 + * Medium CVE-2018-6039: XSS in DevTools. 
Reported by Juho Nurminen on 2017-10-17 + * Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26 + * Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29 + * Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12 + * Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16 + * Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23 + * Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31 + * Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08 + * Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08 + * Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05 + * Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13 + * Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15 + * Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11 + * Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28 + * Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23 + * Low CVE-2018-6054: Use after free in WebUI. 
Reported by Rob Wu on 2017-12-24 +- Add patches: + * chromium-angle.patch + * chromium-memcpy.patch +- Drop patch: + * chromium-gcc.patch +- Change desktop file name to fit bellow the icon on ie KDE desktop ------------------------------------------------------------------- -Tue Jan 2 13:14:43 UTC 2018 - tchvatal@suse.com +Thu Jan 4 20:59:31 UTC 2018 - astieger@suse.com -- add chromium-63.0.3289.84-fix-ft-hb-unbundle.patch to make sure - we use system freetype/harfbuzz +- Chromium 63.0.3239.132: + * DevTools: do not report raw headers and cookies for protected + subresources + * Various other fixes and updates ------------------------------------------------------------------- -Thu Dec 28 18:00:12 UTC 2017 - tchvatal@suse.com +Fri Dec 15 09:28:07 UTC 2017 - tchvatal@suse.com -- Make sure to use system freetype too +- Version update to 63.0.3239.108 bsc#1072976: + * CVE-2017-15429: UXSS in V8 + * Various fuzzing fixes ------------------------------------------------------------------- -Wed Dec 20 15:38:09 UTC 2017 - tchvatal@suse.com +Thu Dec 7 09:41:13 UTC 2017 - tchvatal@suse.com -- Bump 65.0.3298.3 +- Version update to 63.0.3239.84 bsc#1071691: + * bsc#1106341 CVE-2017-15430 Unsafe navigation in Chromecast + * Critical CVE-2017-15407: Out of bounds write in QUIC. + * High CVE-2017-15408: Heap buffer overflow in PDFium. + * High CVE-2017-15409: Out of bounds write in Skia. + * High CVE-2017-15410: Use after free in PDFium. + * High CVE-2017-15411: Use after free in PDFium. + * High CVE-2017-15412: Use after free in libXML. + * High CVE-2017-15413: Type confusion in WebAssembly. + * Medium CVE-2017-15415: Pointer information disclosure in IPC call. + * Medium CVE-2017-15416: Out of bounds read in Blink. + * Medium CVE-2017-15417: Cross origin information disclosure in Skia. + * Medium CVE-2017-15418: Use of uninitialized value in Skia. + * Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. + * Medium CVE-2017-15420: URL spoofing in Omnibox. 
+ * Medium CVE-2017-15422: Integer overflow in ICU. + * Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. + * Low CVE-2017-15424: URL Spoof in Omnibox. + * Low CVE-2017-15425: URL Spoof in Omnibox. + * Low CVE-2017-15426: URL Spoof in Omnibox. + * Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. +- Rebase fix-gn-bootstrap.diff +- Drop merged patches: + * chromium-gcc5.patch + * chromium-60.0.3112.113-breakpad-ucontext.patch + * chromium-62.0.3202.62-correct-cplusplus-check.patch +- Add new patches: + * chromium-non-void-return.patch + * chromium-gcc.patch ------------------------------------------------------------------- -Tue Dec 19 09:43:19 UTC 2017 - tchvatal@suse.com - -- Drop chromium-memcpy.patch - -------------------------------------------------------------------- -Mon Dec 18 10:46:25 UTC 2017 - tchvatal@suse.com - -- Drop minizip conditional (was about 42.1) - -------------------------------------------------------------------- -Sun Dec 17 22:52:29 UTC 2017 - tchvatal@suse.com - -- Bump to 65.0.3294.5 - -------------------------------------------------------------------- -Thu Dec 14 14:55:27 UTC 2017 - tchvatal@suse.com - -- Explicitely describe what ozone parts we want - -------------------------------------------------------------------- -Wed Dec 13 09:47:33 UTC 2017 - tchvatal@suse.com - -- Bump to 64.0.3282.24 -- Enable system icu again -- Tweak the deps to match current setup -- Add patch chromium-memcpy.patch - -------------------------------------------------------------------- -Tue Dec 12 12:55:52 UTC 2017 - tchvatal@suse.com - -- Minimize desktop name to not take so much space - -------------------------------------------------------------------- -Sat Dec 9 12:54:27 UTC 2017 - tchvatal@suse.com - -- Bumpyty to 64.0.3282.14 - -------------------------------------------------------------------- -Thu Nov 30 14:32:41 UTC 2017 - tchvatal@suse.com - -- Bumpy to 64.0.3278.0 - 
-------------------------------------------------------------------- -Wed Nov 22 11:06:47 UTC 2017 - idonmez@suse.com +Wed Nov 22 11:05:42 UTC 2017 - idonmez@suse.com - BuildRequire nodejs8 instead of nodejs6 for suse_version >= 1330 ------------------------------------------------------------------- -Sun Nov 19 11:25:52 UTC 2017 - tchvatal@suse.com - -- Drop chromium-64.0.3253.3-gpu_lists_version.h.patch -- Drop chromium-gcc.patch - -------------------------------------------------------------------- -Sun Nov 19 11:20:20 UTC 2017 - tchvatal@suse.com - -- Up to 64.0.3269.3 - -------------------------------------------------------------------- -Wed Nov 15 14:42:55 UTC 2017 - astieger@suse.com +Wed Nov 15 14:56:24 UTC 2017 - astieger@suse.com +- Update to 62.0.3202.94: + * multiple minor rendering related fixes - fix rebuilds in same chroot ------------------------------------------------------------------- -Wed Nov 8 21:33:56 UTC 2017 - tchvatal@suse.com +Tue Nov 7 10:12:28 UTC 2017 - tchvatal@suse.com -- Add patch chromium-non-void-return.patch +- Version update to 62.0.3202.89 bsc#1066851: + * CVE-2017-15398: Stack buffer overflow in QUIC + * CVE-2017-15399: Use after free in V8 +- Drop upstream merged chromium-sandbox.patch ------------------------------------------------------------------- -Tue Nov 7 09:41:07 UTC 2017 - tchvatal@suse.com +Fri Nov 3 12:40:33 UTC 2017 - tchvatal@suse.com -- Add patch chromium-64.0.3253.3-gpu_lists_version.h.patch +- Restrict the version on jpeg to not waste build power ------------------------------------------------------------------- -Sat Nov 4 09:38:27 UTC 2017 - tchvatal@suse.com +Sun Oct 29 08:18:37 UTC 2017 - tchvatal@suse.com -- Bump to 64.0.3253.3 +- Add patch to fix sandbox crashes wrt bsc#1064298 + * chromium-sandbox.patch ------------------------------------------------------------------- -Fri Nov 3 11:41:40 UTC 2017 - tchvatal@suse.com +Fri Oct 27 09:17:02 UTC 2017 - tchvatal@suse.com -- Update to 64.0.3251.0 +- 
Version update to 62.0.3202.75 bsc#1065405 CVE-2017-15396 + * CVE-2017-15396: Stack overflow in V8 ------------------------------------------------------------------- -Thu Nov 2 20:46:57 UTC 2017 - tchvatal@suse.com +Thu Oct 26 12:09:53 UTC 2017 - astieger@suse.com -- Fix the tarball unpacking to unroll all the required content -- Update to 63.0.3239.30 +- BuildRequire nodejs6 required for polymer-bundler.js ------------------------------------------------------------------- -Wed Oct 25 18:24:16 UTC 2017 - tchvatal@suse.com +Thu Oct 26 09:19:09 UTC 2017 - tchvatal@suse.com -- Drop patch chromium-60.0.3112.113-breakpad-ucontext.patch -- Drop patch chromium-sysroot.patch +- Try to export properly CXX/CC variable to fix leap builds ------------------------------------------------------------------- -Wed Oct 11 09:04:46 UTC 2017 - tchvatal@suse.com +Wed Oct 25 17:52:44 UTC 2017 - tchvatal@suse.com -- Bump to 63.0.3236.0 +- Apply patch to fix building crc32 with gcc7: + * chromium-62.0.3202.62-correct-cplusplus-check.patch ------------------------------------------------------------------- -Mon Oct 9 11:42:16 UTC 2017 - tchvatal@suse.com +Thu Oct 19 03:29:56 UTC 2017 - tchvatal@suse.com -- Bump to 63.0.3230.0 - -------------------------------------------------------------------- -Mon Oct 2 10:10:10 UTC 2017 - tchvatal@suse.com - -- Update to 63.0.3223.8 -- Rebase fix-gn-boostrap.diff -- Remove chromium-gcc5.patch - -------------------------------------------------------------------- -Sat Sep 16 15:51:04 UTC 2017 - tchvatal@suse.com - -- Bump to 63.0.3218.0 -- Rebase fix-gn-bootstrap.diff -- Add chromium-sysroot.patch - -------------------------------------------------------------------- -Wed Sep 13 07:51:50 UTC 2017 - tchvatal@suse.com - -- Version update to 62.0.3202.18 - -------------------------------------------------------------------- -Sun Sep 10 09:46:36 UTC 2017 - tchvatal@suse.com - -- Update to latest -- Switch to system libxml again -- Add more folders to be 
kept in archive - -------------------------------------------------------------------- -Wed Sep 6 13:16:14 UTC 2017 - tchvatal@suse.com - -- Build with gcc6 on leap as we now require --stdc-14 - -------------------------------------------------------------------- -Wed Sep 6 12:55:30 UTC 2017 - tchvatal@suse.com - -- Add patch to build with new glibc: - * chromium-60.0.3112.113-breakpad-ucontext.patch - -------------------------------------------------------------------- -Mon Sep 4 12:11:32 UTC 2017 - tchvatal@suse.com - -- Bump to 62.0.3198.0: - * fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Wed Aug 23 12:40:57 UTC 2017 - tchvatal@suse.com - -- Bump to 62.0.3192.0 -- Rebase patch chromium-prop-codecs.patch - -------------------------------------------------------------------- -Mon Aug 21 09:29:23 UTC 2017 - tchvatal@suse.com - -- Bump to 62.0.3188.2 -- Rebase fix-gn-bootstrap.diff -- Remove arm patches as we exclude it for now: +- Update to 62.0.3202.62 bsc#1064066: + * CVE-2017-5124: UXSS with MHTML. + * CVE-2017-5125: Heap overflow in Skia. + * CVE-2017-5126: Use after free in PDFium. + * CVE-2017-5127: Use after free in PDFium. + * CVE-2017-5128: Heap overflow in WebGL. + * CVE-2017-5129: Use after free in WebAudio. + * CVE-2017-5132: Incorrect stack manipulation in WebAssembly. + * CVE-2017-5130: Heap overflow in libxml2. + * CVE-2017-5131: Out of bounds write in Skia. + * CVE-2017-5133: Out of bounds write in Skia. + * CVE-2017-15386: UI spoofing in Blink. + * CVE-2017-15387: Content security bypass. + * CVE-2017-15388: Out of bounds read in Skia. + * CVE-2017-15389: URL spoofing in OmniBox. + * CVE-2017-15390: URL spoofing in OmniBox. + * CVE-2017-15391: Extension limitation bypass in Extensions. + * CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. + * CVE-2017-15393: Referrer leak in Devtools. + * CVE-2017-15394: URL spoofing in extensions UI. 
+ * CVE-2017-15395: Null pointer dereference in ImageCapture. +- Drop unused patches: * arm-webrtc-fix.patch * arm_use_right_compiler.patch -- Add patch chromium-gcc5.patch - -------------------------------------------------------------------- -Fri Aug 11 09:37:10 UTC 2017 - tchvatal@suse.com - -- Bump to 62.0.3178.0 -- Add patch chromium-system-zlib.patch -- Rebase patch fix-gn-bootstrap.diff -- Rebase exclude_ymp.diff -- Drop gcc60-fixes.diff as the toolchain was changed - -------------------------------------------------------------------- -Sun Aug 6 07:18:26 UTC 2017 - tchvatal@suse.com - -- Bump to 62.0.3175.4 - -------------------------------------------------------------------- -Sun Aug 6 07:12:01 UTC 2017 - tchvatal@suse.com - -- Bump to 61.0.3163.31 -- Remove condition for gtk3, hard on from now on -- Bump version requirement on nodejs - -------------------------------------------------------------------- -Thu Jul 27 19:42:42 UTC 2017 - tchvatal@suse.com - -- Bump to 61.0.3163.13 -- Rebase fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Thu Jul 20 12:33:20 UTC 2017 - tchvatal@suse.com - -- Refresh patches: - * fix-gn-bootstrap.diff + * chromium-46.0.2490.71-fix-missing-i18n_process_css_test.patch + * chromium-atk.patch + * chromium-mojo-dep.patch * gcc60-fixes.diff +- Refresh patches: + * chromium-gcc5.patch + * chromium-prop-codecs.patch + * exclude_ymp.diff + * fix-gn-bootstrap.diff ------------------------------------------------------------------- -Wed Jul 19 15:14:56 UTC 2017 - tchvatal@suse.com +Fri Sep 22 14:50:40 UTC 2017 - astieger@suse.com -- Bump to 61.0.3159.5 -- Use system libcxx -- Refresh patch fix-gn-bootstrap.diff +- Update to 61.0.3163.100 (boo#1060019): + * CVE-2017-5121: Out-of-bounds access in V8 + * CVE-2017-5122: Out-of-bounds access in V8 + * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- -Mon Jul 17 
07:53:34 UTC 2017 - tchvatal@suse.com +Sat Sep 16 15:50:19 UTC 2017 - tchvatal@suse.com -- Recommend emoji fonts for various communicators to not display +- Update to 61.0.3163.91: + * Various bugfixes + +------------------------------------------------------------------- +Mon Sep 11 08:45:35 UTC 2017 - tchvatal@suse.com + +- Update to 61.0.3163.79 bsc#1057364: + * CVE-2017-5111: Use after free in PDFium. + * CVE-2017-5112: Heap buffer overflow in WebGL. + * CVE-2017-5113: Heap buffer overflow in Skia. + * CVE-2017-5114: Memory lifecycle issue in PDFium. + * CVE-2017-5115: Type confusion in V8. + * CVE-2017-5116: Type confusion in V8. + * CVE-2017-5117: Use of uninitialized value in Skia. + * CVE-2017-5118: Bypass of Content Security Policy in Blink. + * CVE-2017-5119: Use of uninitialized value in Skia. + * CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. +- Rebase patch: + * fix-gn-bootstrap.diff +- Remove patches: + * chromium-gcc7.patch + * chromium-override.patch +- Add new patches: + * chromium-atk.patch + * chromium-gcc5.patch + * chromium-mojo-dep.patch +- Gtk3 is hard required from now on +- Version some of the required dependencies + +------------------------------------------------------------------- +Mon Aug 28 22:57:05 UTC 2017 - astieger@suse.com + +- fix build with Factory glibc: + add chromium-60.0.3112.113-breakpad-ucontext.patch + +------------------------------------------------------------------- +Fri Aug 25 09:17:27 UTC 2017 - tchvatal@suse.com + +- Version update to 60.0.3112.113: + * Various bugfixes + +------------------------------------------------------------------- +Tue Aug 15 15:17:00 UTC 2017 - tchvatal@suse.com + +- Version update to 60.0.3112.101: + * various usability bugfixes + +------------------------------------------------------------------- +Thu Aug 3 13:25:33 UTC 2017 - tchvatal@suse.com + +- Version update to 60.0.3112.90: + * Various usability bugfixes + 
+------------------------------------------------------------------- +Wed Jul 26 13:27:55 UTC 2017 - tchvatal@suse.com + +- Version update to 60.0.3112.78 bsc#1050537: + * CVE-2017-5091: Use after free in IndexedDB + * CVE-2017-5092: Use after free in PPAPI + * CVE-2017-5093: UI spoofing in Blink + * CVE-2017-5094: Type confusion in extensions + * CVE-2017-5095: Out-of-bounds write in PDFium + * CVE-2017-5096: User information leak via Android intents + * CVE-2017-5097: Out-of-bounds read in Skia + * CVE-2017-5098: Use after free in V8 + * CVE-2017-5099: Out-of-bounds write in PPAPI + * CVE-2017-5100: Use after free in Chrome Apps + * CVE-2017-5101: URL spoofing in OmniBox + * CVE-2017-5102: Uninitialized use in Skia + * CVE-2017-5103: Uninitialized use in Skia + * CVE-2017-5104: UI spoofing in browser + * CVE-2017-7000: Pointer disclosure in SQLite + * CVE-2017-5105: URL spoofing in OmniBox + * CVE-2017-5106: URL spoofing in OmniBox + * CVE-2017-5107: User information leak via SVG + * CVE-2017-5108: Type confusion in PDFium + * CVE-2017-5109: UI spoofing in browser + * CVE-2017-5110: UI spoofing in payments dialog + * Various fixes from internal audits, fuzzing and other initiatives +- Add patch chromium-override.patch +- Remove patches chromium-fpermissive.patch chromium-system-ffmpeg-r3.patch +- Rebase patches: + * chromium-dma-buf.patch + * chromium-gcc7.patch + * chromium-last-commit-position-r0.patch + * fix-gn-bootstrap.diff + +------------------------------------------------------------------- +Mon Jul 24 09:01:07 UTC 2017 - tchvatal@suse.com + +- Recommend emoji fonts to make sure major web chats do not show questionmarks -------------------------------------------------------------------- -Thu Jul 13 07:52:52 UTC 2017 - tchvatal@suse.com +------------------------------------------------------------------ +Wed Jun 28 19:27:55 UTC 2017 - tchvatal@suse.com -- Bump to 61.0.3153.4 -- Refresh patch fix-gn-bootstrap.diff +- Update to 59.0.3071.115: + * Various 
small fixes all around ------------------------------------------------------------------- -Thu Jun 29 07:07:53 UTC 2017 - tchvatal@suse.com +Fri Jun 23 07:46:48 UTC 2017 - astieger@suse.com -- Remove already applied patch chromium-gcc7.patch +- Update to 59.0.3071.109: + * ozone/drm: Only reuse ScanoutBuffers with compatible modifiers + * Fixing mouse focus on WebView + * Remove gtk dependency from gles tests + * Set build flag when using own FreeType + * Revert of [scheduler] Move some task types to suspendable task runner + * Fix an incorrect method name on the chrome://site-engagement WebUI page + * Linux/Windows: Removing Guest menu item for supervised profile ------------------------------------------------------------------- -Tue Jun 27 17:59:45 UTC 2017 - tchvatal@suse.com +Fri Jun 16 12:12:56 UTC 2017 - astieger@suse.com -- require nss >= 3.26 -- Update to 61.0.3141.7 -- Refresh fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Thu Jun 22 08:46:57 UTC 2017 - tchvatal@suse.com - -- Drop merged patch chromium-system-icu.patch -- Refresh patch fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Wed Jun 21 17:06:27 UTC 2017 - tchvatal@suse.com - -- Version update to 61.0.3135.4 - -------------------------------------------------------------------- -Thu Jun 15 08:26:29 UTC 2017 - tchvatal@suse.com - -- Update to 61.0.3128.3 -- Add patch chromium-system-icu.patch - -------------------------------------------------------------------- -Sat Jun 10 14:05:13 UTC 2017 - tchvatal@suse.com - -- Update to 61.0.3124.4 -- Refresh patch fix-gn-bootstrap.diff -- Drop patch chromium-override.patch merged upstream - -------------------------------------------------------------------- -Fri Jun 9 12:11:47 UTC 2017 - tchvatal@suse.com - -- Bump to 60.0.3112.24 +- Update to 59.0.3071.104 (bsc#1044690): + * CVE-2017-5087: Sandbox Escape in IndexedDB + * CVE-2017-5088: Out of bounds read in V8 + * 
CVE-2017-5089: Domain spoofing in Omnibox + * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Thu Jun 8 14:56:42 UTC 2017 - tchvatal@suse.com 
@@ -562,104 +1200,56 @@ Thu Jun 8 14:56:42 UTC 2017 - tchvatal@suse.com - Add patch chromium-buildname.patch bsc#1043420 ------------------------------------------------------------------- -Wed Jun 7 09:10:40 UTC 2017 - tchvatal@suse.com +Tue Jun 6 07:53:53 UTC 2017 - tchvatal@suse.com -- Update to 60.0.3112.20 - -------------------------------------------------------------------- -Tue Jun 6 10:56:24 UTC 2017 - tchvatal@suse.com - -- Drop patch chromium-system-icu.patch - * Use bundled icu as system is unbuildable at the moment - -------------------------------------------------------------------- -Mon Jun 5 12:23:26 UTC 2017 - tchvatal@suse.com - -- Bump to 60.0.3112.7 -- Add patch for gcc7 chromium-gcc7.patch -- Add patch to build with gcc chromium-override.patch -- Add patch to build with system icu 59 chromium-system-icu.patch - -------------------------------------------------------------------- -Wed May 31 14:23:42 UTC 2017 - tchvatal@suse.com - -- Update to upstream 60.0.3112.7 - * Refresh patch fix-gn-bootstrap.diff -- Remove upstream merged chromium-system-harfbuzz.patch - -------------------------------------------------------------------- -Wed May 24 12:22:27 UTC 2017 - tchvatal@suse.com - -- Update 60.0.3107.4 -- Refresh patch chromium-last-commit-position-r0.patch -- Remove upstreamed chromium-system-ffmpeg-r3.patch -- Remove upstreamed chromium-system-opus.patch -- Remove upstreamed chromium-system-libpng.patch -- Remove upstreamed chromium-system-libwebp.patch -- Update fix-gn-bootstrap.diff -- Add patch chromium-system-harfbuzz.patch - -------------------------------------------------------------------- -Thu May 18 10:31:53 UTC 2017 - tchvatal@suse.com - -- Version update to 60.0.3100.0 -- Add patches: - * chromium-system-libpng.patch - * chromium-system-libwebp.patch - -------------------------------------------------------------------- -Wed May 17 09:22:27 UTC 2017 - tchvatal@suse.com - -- Export gcc standard version to fix build on older releases 
- * Needed for vulcan - -------------------------------------------------------------------- -Fri May 12 11:25:49 UTC 2017 - tchvatal@suse.com - -- Update to 60.0.3095.5 -- Update patch: - * fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Sat May 6 08:50:17 UTC 2017 - tchvatal@suse.com - -- Switch to system opus and yasm - -------------------------------------------------------------------- -Fri May 5 12:11:38 UTC 2017 - tchvatal@suse.com - -- Update to 60.0.3088.3 -- Update patch: - * fix-gn-bootstrap.diff - * chromium-dma-buf.patch - -------------------------------------------------------------------- -Thu May 4 12:52:01 UTC 2017 - tchvatal@suse.com - -- Version update to 60.0.3080.5 -- Refresh patch: +- Update to 59.0.3071.86 bsc#1042833: + * CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16 + * CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26 + * CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07 + * CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28 + * CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09 + * CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05 + * CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16 + * CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06 + * CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28 + * CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12 + * CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20 + * CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05 + * CVE-2017-5081: Extension verification bypass. 
Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07 + * CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11 + * CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24 + * CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15 +- Add patch to fix build with system dma: * chromium-dma-buf.patch +- Drop no longer needed patches: + * chromium-linker-memory.patch + * chromium-system-jinja-r13.patch +- Refresh patches: + * chromium-gcc7.patch + * chromium-system-ffmpeg-r3.patch * fix-gn-bootstrap.diff +- Use bundled libxml + * Upstream unfortunately uses git snapshot that is not api/abi compatible ------------------------------------------------------------------- -Fri Apr 28 18:40:01 UTC 2017 - tchvatal@suse.com +Mon Jun 5 12:55:22 UTC 2017 - tchvatal@suse.com -- Use bundled libxml (they have git snapshot :/) +- Add patch to build with gcc7: + * chromium-gcc7.patch +- Add patch for fpermissive build error: + * chromium-fpermissive.patch ------------------------------------------------------------------- -Fri Apr 28 18:21:44 UTC 2017 - tchvatal@suse.com +Wed May 10 07:43:46 UTC 2017 - tchvatal@suse.com -- Add more bundled folders +- Version update to 58.0.3029.110: + * Various small bugfixes ------------------------------------------------------------------- -Fri Apr 28 06:03:50 UTC 2017 - tchvatal@suse.com +Thu May 4 12:40:32 UTC 2017 - tchvatal@suse.com -- Also drop patch chromium-system-jinja-r13.patch - -------------------------------------------------------------------- -Fri Apr 28 05:55:11 UTC 2017 - tchvatal@suse.com - -- Bump to 59.0.3071.29 +- Version update to 58.0.3029.96: + * Fixes bsc#1037594 CVE-2017-5068 ------------------------------------------------------------------- Tue Apr 25 13:24:42 UTC 2017 - tchvatal@suse.com 
@@ -668,56 +1258,34 @@ Tue Apr 25 13:24:42 UTC 2017 - tchvatal@suse.com * It is at least used only during build ------------------------------------------------------------------- -Fri Apr 21 19:16:32 UTC 2017 - tchvatal@suse.com +Fri Apr 21 09:57:49 UTC 2017 - tchvatal@suse.com -- Refresh patch chromium-system-ffmpeg-r3.patch -- Delete patch chromium-system-libjpeg.patch - -------------------------------------------------------------------- -Fri Apr 21 18:58:53 UTC 2017 - tchvatal@suse.com - -- Update to 59.0.3071.15 - -------------------------------------------------------------------- -Fri Apr 21 09:01:47 UTC 2017 - tchvatal@suse.com - -- Drop exif dep, unused -- Pass no-clean option to bootstrap.py for debugging purposes - -------------------------------------------------------------------- -Wed Apr 19 13:21:37 UTC 2017 - tchvatal@suse.com - -- Version update to 59.0.3071.9 - -------------------------------------------------------------------- -Thu Apr 13 08:22:25 UTC 2017 - tchvatal@suse.com - -- Update to 59.0.3067.0 -- Sort out the harfbuzz bundling conditional to be together with minizip - -------------------------------------------------------------------- -Wed Apr 12 11:20:22 UTC 2017 - tchvatal@suse.com - -- Bump harfbuzz and icu requirements - -------------------------------------------------------------------- -Tue Apr 11 11:52:32 UTC 2017 - tchvatal@suse.com - -- Add patch chromium-dma-buf.patch -- Add patch chromium-system-libjpeg.patch - -------------------------------------------------------------------- -Fri Apr 7 08:49:05 UTC 2017 - tchvatal@suse.com - -- Version update to 59.0.3063.4 +- Version update to 58.0.3029.81 bsc#1035103: + * High CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team, Qihoo 360 + * High CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani + * High CVE-2017-5059: Type confusion in Blink. 
Credit to SkyLined working with Trend Micro's Zero Day Initiative + * Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng + * Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah) + * Medium CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous + * Medium CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip + * Medium CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar + * Medium CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani + * Medium CVE-2017-5066: Incorrect signature handing in Networking. Credit to chenchu + * Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani + * Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman - Refresh patch fix-gn-bootstrap.diff -- Refresh patch chromium-system-ffmpeg-r3.patch +- Refresh patch chromium-system-jinja-r13.patch +- Remove obsolete patch chromium-57-gcc4.patch ------------------------------------------------------------------- -Thu Mar 30 13:02:21 UTC 2017 - tchvatal@suse.com +Thu Mar 30 13:07:50 UTC 2017 - tchvatal@suse.com -- Update to 59.0.3053.3 -- Refresh patch fix-gn-bootstrap.diff +- Version update to 57.0.2987.133 bsc#1031677: + * Critical CVE-2017-5055: Use after free in printing. Credit to Wadih Matar + * High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs + * High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin + * High CVE-2017-5056: Use after free in Blink. Credit to anonymous + * High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587) ------------------------------------------------------------------- Fri Mar 24 15:22:38 UTC 2017 - tchvatal@suse.com 
@@ -725,238 +1293,167 @@ Fri Mar 24 15:22:38 UTC 2017 - tchvatal@suse.com - Drop the browser(npapi) provide which is not true ------------------------------------------------------------------- -Wed Mar 22 10:57:21 UTC 2017 - tchvatal@suse.com +Sun Mar 19 11:04:47 UTC 2017 - tchvatal@suse.com -- Drop patch chromium-linker-memory.patch as with i586 dropped it - should not be required -- Update patch fix-gn-bootstrap.diff +- Add patch to build with gcc4 + * chromium-57-gcc4.patch ------------------------------------------------------------------- -Wed Mar 22 10:56:09 UTC 2017 - tchvatal@suse.com +Thu Mar 16 20:45:00 UTC 2017 - tchvatal@suse.com -- Version update to chromium-59.0.3047.0 +- Do not use gcc5 and newer as the compat was fixed again +- Update to 57.0.2987.110 with various other small tweaks ------------------------------------------------------------------- -Tue Mar 21 12:41:00 UTC 2017 - tchvatal@suse.com +Fri Mar 10 10:55:23 UTC 2017 - tchvatal@suse.com -- Few tweaks around clang switch to be viable +- Version update to 57.0.2987.98 bsc#1028848: + CVE-2017-5030 CVE-2017-5031 CVE-2017-5032 CVE-2017-5029 CVE-2017-5034 + CVE-2017-5035 CVE-2017-5036 CVE-2017-5037 CVE-2017-5039 CVE-2017-5040 + CVE-2017-5041 CVE-2017-5033 CVE-2017-5042 CVE-2017-5038 CVE-2017-5043 + CVE-2017-5044 CVE-2017-5045 CVE-2017-5046 +- Refresh patches + * fix-gn-bootstrap.diff + * chromium-linker-memory.patch +- Remove obsolete patches: + * chromium-sandbox.patch + * chromium-54-ffmpeg2compat.patch +- Remove vaapi patch which broke rendering on non-intel cards: + * chromium-enable-vaapi-on-suse.patch +- From this release onwards i586 build is disabled ------------------------------------------------------------------- -Sat Mar 18 19:13:16 UTC 2017 - tchvatal@suse.com - -- Update to 59.0.3043.0 -- Refresh patch fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Wed Mar 15 10:14:35 UTC 2017 - tchvatal@suse.com - -- Update to 58.0.3029.19 - 
-------------------------------------------------------------------- -Wed Mar 15 09:34:48 UTC 2017 - tchvatal@suse.com - -- Reduce the requirement on gcc to be 4.8 only again - -------------------------------------------------------------------- -Mon Mar 13 12:20:56 UTC 2017 - tchvatal@suse.com - -- Version update to 58.0.3029.14 - -------------------------------------------------------------------- -Mon Mar 13 11:41:34 UTC 2017 - tchvatal@suse.com - -- Disable system vpx for now, needs symbols that will be in 1.6.2 - -------------------------------------------------------------------- -Fri Mar 10 13:03:15 UTC 2017 - tchvatal@suse.com - -- Update fix-gn-bootstrap.diff to build again - -------------------------------------------------------------------- -Wed Mar 8 11:26:35 UTC 2017 - tchvatal@suse.com - -- Version update to 58.0.3029.6 - -------------------------------------------------------------------- -Thu Mar 2 15:19:25 UTC 2017 - tchvatal@suse.com - -- Update to 58.0.3026.3 -- Empty fix-gn-bootstrap.diff again as it was merged upstream - -------------------------------------------------------------------- -Mon Feb 27 11:22:10 UTC 2017 - tchvatal@suse.com - -- Drop patch chromium-enable-vaapi-on-suse.patch as it breaks on - radeon and nvidia cards - -------------------------------------------------------------------- -Fri Feb 24 07:58:48 UTC 2017 - tchvatal@suse.com - -- Update to 58.0.3018.3 -- Update patch fix-gn-bootstrap.diff to match what is needed now -- Refresh patch chromium-system-jinja-r13.patch - -------------------------------------------------------------------- -Fri Feb 17 12:14:06 UTC 2017 - tchvatal@suse.com - -- Version update to 58.0.3013.3 - -------------------------------------------------------------------- -Wed Feb 15 12:15:52 UTC 2017 - idonmez@suse.com +Wed Feb 15 12:02:32 UTC 2017 - idonmez@suse.com - Also add harfbuzz-ng to keeplibs for SLE -------------------------------------------------------------------- -Wed Feb 8 12:39:54 UTC 
2017 - tchvatal@suse.com - -- Update to 58.0.3004.3 - -------------------------------------------------------------------- -Wed Feb 8 12:32:46 UTC 2017 - tchvatal@suse.com - -- Try to properly set up nodejs for build - -------------------------------------------------------------------- -Mon Feb 6 20:39:24 UTC 2017 - tchvatal@suse.com - -- Version update to 58.3000.4 next dev channel -- Drop patch chromium-54-ffmpeg2compat.patch as we require ffmpeg3 now - ------------------------------------------------------------------- Mon Feb 6 20:29:52 UTC 2017 - tchvatal@suse.com - Add condition for system harfbuzz to be disabled on SLE ------------------------------------------------------------------- -Mon Feb 6 12:16:45 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net +Mon Feb 6 12:21:34 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net + +- Fixed a typo in the build requirements for system minizip. + +------------------------------------------------------------------- +Fri Feb 3 12:23:34 UTC 2017 - tchvatal@suse.com + +- Version update to 56.0.2924.87: + * Various small fixes + * Disabled option to enable/disable plugins in the chrome://plugins + +------------------------------------------------------------------- +Thu Feb 2 20:01:27 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net + +- Added the package 'chromium-privacy' with multiple patches + sourced from the release version on https://github.com/ + u4qo60z73t1c4hurv3ny/privacy_patches-oS_cr, which, when enabled + with the build option 'privacy', builds a version of Chromium + with less privacy implications due to Google services + integration. + +------------------------------------------------------------------- +Wed Feb 1 09:48:35 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net - Changed the build requirement of libavformat to library version 57.41.100, as included in ffmpeg 3.1.1, as only this version properly supports the public AVStream API 'codecpar'. 
+ +------------------------------------------------------------------- +Tue Jan 31 14:08:26 UTC 2017 - tchvatal@suse.com + +- Version update to 56.0.2924.76 bsc#1022049: + - CVE-2017-5007: Universal XSS in Blink + - CVE-2017-5006: Universal XSS in Blink + - CVE-2017-5008: Universal XSS in Blink + - CVE-2017-5010: Universal XSS in Blink + - CVE-2017-5011: Unauthorised file access in Devtools + - CVE-2017-5009: Out of bounds memory access in WebRTC + - CVE-2017-5012: Heap overflow in V8 + - CVE-2017-5013: Address spoofing in Omnibox + - CVE-2017-5014: Heap overflow in Skia + - CVE-2017-5015: Address spoofing in Omnibox + - CVE-2017-5019: Use after free in Renderer + - CVE-2017-5016: UI spoofing in Blink + - CVE-2017-5017: Uninitialised memory access in webm video + - CVE-2017-5018: Universal XSS in chrome://apps + - CVE-2017-5020: Universal XSS in chrome://downloads + - CVE-2017-5021: Use after free in Extensions + - CVE-2017-5022: Bypass of Content Security Policy in Blink + - CVE-2017-5023: Type confusion in metrics + - CVE-2017-5024: Heap overflow in FFmpeg + - CVE-2017-5025: Heap overflow in FFmpeg + - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing +- Add conditional to switch between system and bundled icu +- Raise dependency on harfbuzz to 1.3.1 +- Also refresh patches: + chromium-prop-codecs.patch chromium-linker-memory.patch + +------------------------------------------------------------------- +Sat Jan 28 11:31:18 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net + - Added patch chromium-enable-vaapi-on-suse.patch to enable VAAPI hardware accelerated video decoding. - * chromium-enable-vaapi-on-suse.patch -- Fixed a typo in the build requirements for system minizip. 
------------------------------------------------------------------- -Fri Feb 3 10:38:16 UTC 2017 - tchvatal@suse.com +Wed Dec 21 20:19:42 UTC 2016 - astieger@suse.com -- Update to 57.0.2987.21 +- Chromium 55.0.2883.87: + * various fixes for crashes and specific wesites + * update Google pinned certificates ------------------------------------------------------------------- -Wed Feb 1 12:44:58 UTC 2017 - tchvatal@suse.com +Wed Dec 21 10:02:52 UTC 2016 - tchvatal@suse.com -- Update to 57.0.2987.19 +- Disable system icu on Factory, crashes autofill ------------------------------------------------------------------- -Sun Jan 29 17:58:34 UTC 2017 - tchvatal@suse.com - -- Version update to 57.0.2987.13 - -------------------------------------------------------------------- -Wed Jan 25 13:47:13 UTC 2017 - tchvatal@suse.com - -- Update to 57.0.2987.8 - -------------------------------------------------------------------- -Tue Jan 24 10:43:32 UTC 2017 - tchvatal@suse.com - -- Update to 57.0.2986.0 - -------------------------------------------------------------------- -Thu Jan 19 10:40:36 UTC 2017 - tchvatal@suse.com - -- Version update to 57.0.2984.0 - -------------------------------------------------------------------- -Fri Jan 13 09:13:44 UTC 2017 - tchvatal@suse.com - -- Drop the support code for builtin ffmpeg and rely on the system one always - -------------------------------------------------------------------- -Fri Jan 6 11:53:25 UTC 2017 - tchvatal@suse.com - -- Exclude i586 arch as the resources to build are not there - -------------------------------------------------------------------- -Wed Jan 4 12:36:34 UTC 2017 - tchvatal@suse.com - -- Add toolchain definition hopefully allowing us to build on Leap - with older gcc - * This also exposes more of our suse CFLAGS to the compilation - -------------------------------------------------------------------- -Wed Jan 4 12:07:26 UTC 2017 - tchvatal@suse.com - -- Version update to 57.0.2970.0 -- Refresh patch: - * 
fix-gn-bootstrap.diff -- Drop patch: - * chromium-sandbox.patch - -------------------------------------------------------------------- -Tue Dec 20 14:55:38 UTC 2016 - tchvatal@suse.com - -- Use gcc5 on leap - -------------------------------------------------------------------- -Mon Dec 19 10:30:45 UTC 2016 - tchvatal@suse.com - -- Update to 57.0.2946.4 - -------------------------------------------------------------------- -Wed Dec 14 10:45:26 UTC 2016 - tchvatal@suse.com - -- Allow building with non-system icu on older systems -- Refresh patch fix-gn-bootstrap.diff -- Disable system icu again, fails to build even on factory - -------------------------------------------------------------------- -Tue Dec 13 14:42:30 UTC 2016 - idonmez@suse.com +Tue Dec 13 14:38:08 UTC 2016 - idonmez@suse.com - python-html5lib now depends on six, so preserve that too for SLE builds. ------------------------------------------------------------------- -Sun Dec 11 13:12:44 UTC 2016 - tchvatal@suse.com +Fri Dec 9 12:07:10 UTC 2016 - astieger@suse.com -- Version update to 57.0.2946.0 +- Obsolete ffmpeg and ffmpegsumo package in addition to conflict ------------------------------------------------------------------- -Sun Dec 11 13:04:36 UTC 2016 - tchvatal@suse.com +Mon Dec 5 17:08:45 UTC 2016 - astieger@suse.com -- Version update to 56.0.2924.21 +- record minimum version for harfbuzz, incuding runtime + Chromium will crash with harfbuzz < 1.3.0 ------------------------------------------------------------------- -Thu Dec 8 08:33:17 UTC 2016 - tchvatal@suse.com +Sat Dec 3 09:59:21 UTC 2016 - tchvatal@suse.com -- Version update to 56.0.2924.18 +- Chromium 55.0.2883.75 bnc#1013236: + CVE-2016-9651 CVE-2016-5208 CVE-2016-5207 CVE-2016-5206 CVE-2016-5205 + CVE-2016-5204 CVE-2016-5209 CVE-2016-5203 CVE-2016-5210 CVE-2016-5212 + CVE-2016-5211 CVE-2016-5213 CVE-2016-5214 CVE-2016-5216 CVE-2016-5215 + CVE-2016-5217 CVE-2016-5218 CVE-2016-5219 CVE-2016-5221 CVE-2016-5220 + CVE-2016-5222 CVE-2016-9650 
CVE-2016-5223 CVE-2016-5226 CVE-2016-5225 + CVE-2016-5224 CVE-2016-9652 +- Switch to system libraries: harfbuzz, zlib, ffmpeg, ... +- Refreshed patches: + * chromium-system-ffmpeg-r3.patch + * chromium-system-jinja-r13.patch +- Use system ffmpeg unless on 13.2 that didn't include it + * chromium-54-ffmpeg2compat.patch + * Remove upstreamed chromium-more-codec-aliases.patch +- Remove bookmarks override as discussed with artwork simply just set + homepage to our openSUSE one and that is all ------------------------------------------------------------------- -Sat Dec 3 12:03:04 UTC 2016 - tchvatal@suse.com +Sat Nov 12 08:20:05 UTC 2016 - astieger@suse.com -- Version update to 56.0.2924.14 - -------------------------------------------------------------------- -Tue Nov 29 21:13:49 UTC 2016 - tchvatal@suse.com - -- Version update to 56.0.2924.10 - -------------------------------------------------------------------- -Tue Nov 22 07:40:21 UTC 2016 - tchvatal@suse.com - -- Version update to 56.0.2922.1 - -------------------------------------------------------------------- -Fri Nov 18 08:35:30 UTC 2016 - tchvatal@suse.com - -- Version update to 56.0.2920.0 - -------------------------------------------------------------------- -Mon Nov 14 13:13:16 UTC 2016 - tchvatal@suse.com - -- Version update to 56.0.2914.3: - * refresh patch chromium-prop-codecs.patch +- Chromium 54.0.2840.100: + * CVE-2016-5199: Heap corruption in FFmpeg (boo#1009892) + * CVE-2016-5200: out of bounds memory access in v8 (boo#1009893) + * CVE-2016-5201: info leak in extensions (boo#1009894) + * CVE-2016-5202: various fixes from internal audits (boo#1009895) ------------------------------------------------------------------- Mon Nov 7 20:02:46 UTC 2016 - tchvatal@suse.com 
@@ -966,96 +1463,63 @@ Mon Nov 7 20:02:46 UTC 2016 - tchvatal@suse.com bnc#1008725 ------------------------------------------------------------------- -Sun Nov 6 09:41:28 UTC 2016 - tchvatal@suse.com +Wed Nov 2 07:32:27 UTC 2016 - tchvatal@suse.com -- Put chromium-flags at the end to allow user to override various - variables +- Update to 54.0.2840.90: + * Few fixes and tweaks + * Fixes CVE-2016-5198 bsc#1008274 ------------------------------------------------------------------- -Wed Nov 2 07:36:15 UTC 2016 - tchvatal@suse.com +Fri Oct 21 10:27:16 UTC 2016 - tchvatal@suse.com -- Update to 56.0.2906.0 +- Update to 54.0.2840.71: + * Few fixes around ------------------------------------------------------------------- -Fri Oct 28 16:59:28 UTC 2016 - tchvatal@suse.com +Thu Oct 13 10:19:03 UTC 2016 - tchvatal@suse.com -- Update to 56.0.2902.0 - * Update fix-gn-bootstrap.diff +- Version update to 54.0.2840.59 bnc#1004465: + - CVE-2016-5181: Universal XSS in Blink (Anonymous) + - CVE-2016-5182: Heap overflow in Blink (Giwan Go of STEALIEN) + - CVE-2016-5183: Use after free in PDFium (Anonymous) + - CVE-2016-5184: Use after free in PDFium (Anonymous) + - CVE-2016-5185: Use after free in Blink (cloudfuzzer) + - CVE-2016-5187: URL spoofing (Luan Herrera) + - CVE-2016-5188: UI spoofing (Luan Herrera) + - CVE-2016-5192: Cross-origin bypass in Blink (haojunhou at gmail) + - CVE-2016-5189: URL spoofing (xisigr of Tencent's Xuanwu Lab) + - CVE-2016-5186: Out of bounds read in DevTools (Abdulrahman Alqabandi) + - CVE-2016-5191: Universal XSS in Bookmarks (Gareth Hughes) + - CVE-2016-5190: Use after free in Internals (Atte Kettunen of OUSPG) + - CVE-2016-5193: Scheme bypass (Yuyang ZHOUmartinzhou96) +- packaging changes: + * disable build for chromium-beta on %arm. 
+ * Make linker use less memory by tweaking its options: + chromium-linker-memory.patch + * obsolete desktop subpackages + * Switch to gold to reduce memory use use during build + * fix build on 4.5+ kernels with systemlibs: + chromium-sandbox.patch + * various compiler and linker flag adjustments + * enable gtk3 ui, add patch gtk3-missing-define.patch + * switch from some bundled libraries to the system versions + chromium-system-ffmpeg-r3.patch + chromium-system-jinja-r13.patch + fix-gn-bootstrap.diff + * remove service file covered by download_files +- run time bug fixes: + * Add --ui-disable-partial-swap to the launcher bnc#1000019 + * Use default chromium values from master_preferences on first run + rather than pseudo-duplicating in shellscript +- added features: + * hangouts extension ------------------------------------------------------------------- -Mon Oct 24 13:06:07 UTC 2016 - tchvatal@suse.com +Fri Sep 30 08:00:45 UTC 2016 - tchvatal@suse.com -- Update to 56.0.2897.0 - * Refresh patch chromium-linker-memory.patch - * Update fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Mon Oct 24 11:44:08 UTC 2016 - tchvatal@suse.com - -- Try to make package buildable on SLE12 Backports project - -------------------------------------------------------------------- -Fri Oct 21 10:34:39 UTC 2016 - tchvatal@suse.com - -- Update to 55.0.2883.21 -- Add switch between bundled and system icu as on old distributions - we simply have too old ICU -- Add switch for bundled/system minizip as it is not available on 42.1 - -------------------------------------------------------------------- -Thu Oct 20 07:52:26 UTC 2016 - tchvatal@suse.com - -- Version update to 55.0.2883.18 - -------------------------------------------------------------------- -Mon Oct 17 12:06:03 UTC 2016 - tchvatal@suse.com - -- Version update to 55.0.2883.11 -- Drop chromium-system-zlib.patch -- Add Requires on specified browser for chromedriver wrt bnc#1004839 - 
-------------------------------------------------------------------- -Sun Oct 9 18:16:49 UTC 2016 - tchvatal@suse.com - -- Version update to 55.0.2882.0: - * Rebase fix-gn-bootstrap.diff - * Remove upstreamed chromium-more-codec-aliases.patch - -------------------------------------------------------------------- -Sat Oct 8 09:51:35 UTC 2016 - mailaender@opensuse.org - -- Add appdata.xml for https://en.opensuse.org/openSUSE:AppStore - -------------------------------------------------------------------- -Fri Sep 30 07:12:16 UTC 2016 - dmueller@suse.com - -- disable build for chromium-beta on %arm. while it does build, - it takes two days, in which we can build roughly 600 other packages, - and I rather build 600 other packages than chromium-beta. - -------------------------------------------------------------------- -Wed Sep 28 17:32:17 UTC 2016 - tchvatal@suse.com - -- Version update to 55.0.2873.0: - * refresh fix-gn-bootstrap.diff - -------------------------------------------------------------------- -Tue Sep 27 08:08:38 UTC 2016 - tchvatal@suse.com - -- Do not install default_bookmarks.html file, just set homepage - and that's it -- Drop chromium-rpmlintrc not really needed - -------------------------------------------------------------------- -Mon Sep 26 14:07:58 UTC 2016 - tchvatal@suse.com - -- Drop chrome-wrapper file it is unused - -------------------------------------------------------------------- -Mon Sep 26 12:29:52 UTC 2016 - tchvatal@suse.com - -- Add --ui-disable-partial-swap to the launcher bnc#1000019 - cr#628168 +- Version update to 53.0.2785.143 bnc#1002140: + * CVE-2016-5177: Use after free in V8 + * CVE-2016-5178: Various fixes from internal audits ------------------------------------------------------------------- Mon Sep 26 12:22:41 UTC 2016 - dimstar@opensuse.org 
@@ -1064,153 +1528,50 @@ Mon Sep 26 12:22:41 UTC 2016 - dimstar@opensuse.org it's started as an Xwayland client (boo#1001135). ------------------------------------------------------------------- -Mon Sep 26 08:18:16 UTC 2016 - tchvatal@suse.com +Sat Sep 17 11:36:18 UTC 2016 - tchvatal@suse.com -- Update to 55.0.2868.3: - * remove patch gtk3-missing-define.patch - * update patch fix-gn-bootstrap.diff - * add patch chromium-system-zlib.patch -- Use system icu, upstream bug was fixed - -------------------------------------------------------------------- -Wed Sep 21 09:50:26 UTC 2016 - tchvatal@suse.com - -- Enable system libs again as it works for now -- Disable system vpx on < Factory as the vpx there is too old -- Now stable -> enable tcmalloc again - -------------------------------------------------------------------- -Tue Sep 20 09:00:29 UTC 2016 - tchvatal@suse.com - -- Make linker use less memory by tweaking its options: - * chromium-linker-memory.patch -- Update constraints for arm a bit to build -- Use system ffmpeg unless on 13.2 that didn't include it - * chromium-54-ffmpeg2compat.patch - -------------------------------------------------------------------- -Fri Sep 16 09:12:17 UTC 2016 - tchvatal@suse.com - -- Fix obsoletes for the desktop thingies - -------------------------------------------------------------------- -Thu Sep 15 12:02:32 UTC 2016 - tchvatal@suse.com - -- Gtk3 is still buggy -> disable -- Remove systemlibs for now except ffmpeg as it causes tons of problems - -------------------------------------------------------------------- -Wed Sep 14 14:57:42 UTC 2016 - tchvatal@suse.com - -- Switch to component build - solves issue with linking and not - enough memory -- Document in defaults how to actually enable debugging -- Remove noop conditions and empty variables from .sh script - launching chromium - -------------------------------------------------------------------- -Wed Sep 14 07:31:47 UTC 2016 - tchvatal@suse.com - -- Enable aarch64 to see 
how it goes -- Version update to 55.0.2859.0 - -------------------------------------------------------------------- -Tue Sep 13 17:13:47 UTC 2016 - tchvatal@suse.com - -- Do not bother with widevine installation, we need to build the - connectors, but later need to use the one bundled with chrome to - work with drm anyway - -------------------------------------------------------------------- -Tue Sep 13 12:53:23 UTC 2016 - tchvatal@suse.com - -- Switch to gold, we need to use less memory when linking -- Expand constraints for the debug symbols -- Use default chromium values from master_preferences on first run - rather than pseudo-duplicating in shellscript, bugs should be - fixed in the masterprefs -- Add patch to fix build on 4.5+ kernels with systemlibs: +- Apply sandbox patch to fix crashers on tumbleweed bnc#999091 * chromium-sandbox.patch ------------------------------------------------------------------- -Mon Sep 12 17:21:26 UTC 2016 - tchvatal@suse.com +Thu Sep 15 13:09:21 UTC 2016 - tchvatal@suse.com -- Collapse the ninja calls to run only once, no need to start 3x -- Remove g0 from cflags, that is something we never want, at least - some symbols for tracing are useful -- Sync more the options that are available for the build +- Version update stable channel 53.0.2785.116 + * Just smal bugfixes around ------------------------------------------------------------------- -Mon Sep 12 08:55:09 UTC 2016 - tchvatal@suse.com +Wed Sep 14 07:35:09 UTC 2016 - tchvatal@suse.com -- Enable more switches that are found in the gn files -- Try to enable gtk3 ui again - * add patch gtk3-missing-define.patch +- Version update to 53.0.2785.113 bnc#998743: + * CVE-2016-5170 Use after free in Blink + * CVE-2016-5171 Use after free in Blink + * CVE-2016-5172 Arbitrary Memory Read in v8 + * CVE-2016-5173 Extension resource access + * CVE-2016-5174 Popup not correctly suppressed + * CVE-2016-5175 Various fixes from internal audits 
------------------------------------------------------------------- -Sun Sep 11 09:14:14 UTC 2016 - tchvatal@suse.com +Mon Sep 12 08:31:59 UTC 2016 - tchvatal@suse.com -- Move widevine to subpackage so user have choice between the built - one and the chrome one +- Reenable widevine build again bnc#998328 ------------------------------------------------------------------- -Sat Sep 10 11:02:42 UTC 2016 - tchvatal@suse.com +Sat Sep 10 09:13:37 UTC 2016 - tchvatal@suse.com -- Version update to dev chanel 55.0.2853.0 -- Refresh patches: - * chromium-system-ffmpeg-r3.patch - * chromium-system-jinja-r13.patch -- Correctly detect system ffmpeg and set branding to allow all codecs - that the ffmpeg can work with (eg we simply passover all the data - and do not bother with blacklist/whitelist) +- Stable channel update to 53.0.2785.101 + * SPDY crasher fixes + * Disable NV12 DXGI video on AMD + * Forward --password-store switch to os_crypt + * Tell the kernel to discard USB requests when they time out. 
------------------------------------------------------------------- -Sat Sep 10 08:58:20 UTC 2016 - tchvatal@suse.com +Wed Sep 7 14:50:44 UTC 2016 - astieger@suse.com -- Update to 54.0.2840.16 -- Expand provides/obsoletes for the desktop subpackages to remove - them all - -------------------------------------------------------------------- -Thu Sep 8 13:23:30 UTC 2016 - tchvatal@suse.com - -- Enable hangouts extension -- Try to build widevine drm extension instead of using the one from - packman bnc#998328 -- Go back to normal malloc from bundled tcmalloc, switch back when - we can use system one - -------------------------------------------------------------------- -Wed Sep 7 06:36:15 UTC 2016 - tchvatal@suse.com - -- Update to 54.0.2840.14 -- Switch back to gcc on factory -- Switch some bundled libraries off courtesy of gentoo build system -- Try to use system ffmpeg if possible -- Remove useless service file, "osc service localrun download_files" - works fine enough even without it -- Add patches for system jinja and ffmpeg (gentoo): - * chromium-system-ffmpeg-r3.patch - * chromium-system-jinja-r13.patch -- Add back gcc compat patch: - * gcc60-fixes.diff - -------------------------------------------------------------------- -Tue Sep 6 08:32:06 UTC 2016 - tchvatal@suse.com - -- Switch to compile using clang as google has default - * Only for factory on 1320 and older use gcc -- Obsolete kde/gnome subpackages, useless nowdays -- Determine paralelism based on how much memory we have -- Disable gtk3 it seems to be really messy with rendering nowdays - * Stick with gtk2 for time being -- Enable tcmalloc as memory manager -- Sort out with spec-cleaner -- Drop unused patches: - * fix-older-gcc.patch - * gcc60-fixes.diff -- Do not install chromium-generic to libdir just directly go to bindir -- Remove empty pre function +- Update to Chromium 53.0.2785.92: + * Revert of support relocatable RPM packages + * disallow WKBackForwardListItem navigations for pushState pages + 
* arc: bluetooth: Fix advertised uuid + * fix conflicting PendingIntent for stop button and swipe away ------------------------------------------------------------------- Thu Sep 1 04:04:13 UTC 2016 - tittiatcoke@gmail.com diff --git a/chromium.spec b/chromium.spec index 6528570..09a8341 100644 --- a/chromium.spec +++ b/chromium.spec @@ -47,7 +47,7 @@ %bcond_with system_vpx %bcond_with clang %bcond_with wayland -Name: chromium-beta +Name: chromium Version: 75.0.3770.80 Release: 0 Summary: Google's open source browser project @@ -113,6 +113,7 @@ BuildRequires: libgsm-devel BuildRequires: libjpeg-devel >= 8.1 BuildRequires: libpng-devel BuildRequires: memory-constraints +BuildRequires: nasm BuildRequires: ncurses-devel BuildRequires: ninja >= 1.7.2 BuildRequires: nodejs >= 8.0 @@ -122,7 +123,6 @@ BuildRequires: python BuildRequires: snappy-devel BuildRequires: update-desktop-files BuildRequires: util-linux -BuildRequires: nasm BuildRequires: wdiff BuildRequires: yasm BuildRequires: perl(Switch) @@ -199,12 +199,12 @@ Provides: web_browser Obsoletes: %{name}-suid-helper < %{version} Obsoletes: chromium-browser < %{version} Provides: %{name}-suid-helper = %{version} -Obsoletes: chromium-desktop-kde -Obsoletes: chromium-desktop-gnome -Obsoletes: chromium-beta-desktop-kde Obsoletes: chromium-beta-desktop-gnome -Obsoletes: chromium-dev-desktop-kde +Obsoletes: chromium-beta-desktop-kde +Obsoletes: chromium-desktop-gnome +Obsoletes: chromium-desktop-kde Obsoletes: chromium-dev-desktop-gnome +Obsoletes: chromium-dev-desktop-kde Obsoletes: chromium-ffmpeg Obsoletes: chromium-ffmpegsumo # no 32bit supported and it takes ages to build
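Review bot: In the chromium.changes hunk at @@ -562,104 +1200,56 @@, the 59.0.3071.86 entry adds "Use bundled libxml" with only the API/ABI incompatibility as the reason, so the package will no longer pick up fixes shipped through the system libxml2 package. Please record which upstream snapshot is bundled and state the condition for switching back, so the bundled copy can be tracked when libxml2 advisories come out. Also, the CVE list in that entry goes from CVE-2017-5083 straight to CVE-2017-5085 and places CVE-2017-5086 between 5075 and 5076; confirm the list is complete and consider sorting it.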
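Review bot: In the chromium.changes hunk at @@ -668,56 +1258,34 @@, the CVE-2017-5066 line reads "Incorrect signature handing in Networking"; this should be "handling". The 58.0.3029.81 and 57.0.2987.133 entries prefix each CVE with a severity (High, Medium, Low, Critical) while the 59.0.3071.86 entry does not, so pick one form for the file.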
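Review bot: In the chromium.changes hunk at @@ -725,238 +1293,167 @@, the Feb 2 2017 entry adds 'chromium-privacy' with patches "sourced from the release version" of a third-party GitHub repository, but it names neither the release tag nor the patch files. Please list the patch files and the exact release or commit they were taken from, so the imported changes can be audited and re-verified on refresh. Smaller points in the same hunk: the 57.0.2987.98 and 55.0.2883.75 entries list bare CVE ids without descriptions, unlike the neighbouring entries, and there are typos in "specific wesites" and "incuding runtime".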
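Review bot: In the chromium.changes hunk at @@ -966,96 +1463,63 @@, the merged 54.0.2840.59 entry keeps "Add --ui-disable-partial-swap to the launcher bnc#1000019" but drops the cr#628168 reference that the removed Sep 26 entry carried; please keep the upstream bug id so the workaround can be traced and removed later. The CVE sub-items in that entry use "-" where the rest of the file uses "*" for nested items, "memory use use during build" has a doubled word, and the credit "Yuyang ZHOUmartinzhou96" looks like a name and handle fused together.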
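Review bot: In the chromium.changes hunk at @@ -1064,153 +1528,50 @@, the Sep 17 2016 entry "Apply sandbox patch to fix crashers on tumbleweed bnc#999091" does not say what chromium-sandbox.patch changes in the sandbox. Since this patch touches a security boundary, the entry should state what is being allowed or altered (the 54.0.2840.59 entry describes the same file only as "fix build on 4.5+ kernels with systemlibs"), and the two descriptions should agree. Minor: "Just smal bugfixes around" has a typo.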
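Review bot: In the chromium.spec hunk at @@ -199,12 +199,12 @@, the reordered Obsoletes for the chromium-*-desktop-gnome and chromium-*-desktop-kde packages are still unversioned, while the lines just above use the versioned form, for example "Obsoletes: chromium-browser < %{version}". Since these lines are being touched anyway, consider adding a version bound so that a package of that name reintroduced later is not obsoleted forever. The sorting itself, like the nasm move in the @@ -113 and @@ -122 hunks, changes no behaviour.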