Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: chromium | Distribution: SUSE Linux Enterprise 15 SP5 |
Version: 113.0.5672.126 | Vendor: openSUSE |
Release: bp155.1.2 | Build date: Tue May 23 00:14:10 2023 |
Group: Unspecified | Build host: lamb76 |
Size: 313934220 | Source RPM: chromium-113.0.5672.126-bp155.1.2.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://www.chromium.org/ | |
Summary: Google's open source browser project |
Chromium is the open-source project behind Google Chrome. We invite you to join us in our effort to help build a safer, faster, and more stable way for all Internet users to experience the web, and to create a powerful platform for developing a new generation of web applications.
BSD-3-Clause AND LGPL-2.1-or-later
* Tue May 16 2023 Andreas Stieger <Andreas.Stieger@gmx.de> - Chromium 113.0.5672.126 (boo#1211442): * CVE-2023-2721: Use after free in Navigation * CVE-2023-2722: Use after free in Autofill UI * CVE-2023-2723: Use after free in DevTools * CVE-2023-2724: Type Confusion in V8 * CVE-2023-2725: Use after free in Guest View * CVE-2023-2726: Inappropriate implementation in WebApp Installs * Various fixes from internal audits, fuzzing and other initiatives * Tue May 09 2023 Andreas Stieger <Andreas.Stieger@gmx.de> - Chromium 113.0.5672.92 (boo#1211211) - Multiple security fixes (boo#1211036): * CVE-2023-2459: Inappropriate implementation in Prompts * CVE-2023-2460: Insufficient validation of untrusted input in Extensions * CVE-2023-2461: Use after free in OS Inputs * CVE-2023-2462: Inappropriate implementation in Prompts * CVE-2023-2463: Inappropriate implementation in Full Screen Mode * CVE-2023-2464: Inappropriate implementation in PictureInPicture * CVE-2023-2465: Inappropriate implementation in CORS * CVE-2023-2466: Inappropriate implementation in Prompts * CVE-2023-2467: Inappropriate implementation in Prompts * CVE-2023-2468: Inappropriate implementation in PictureInPicture - drop chromium-94-sql-no-assert.patch - drop no-location-leap151.patch - add chromium-113-webview-namespace.patch - add chromium-113-webauth-include-variant.patch - add chromium-113-typename.patch - add chromium-113-workaround_clang_bug-structured_binding.patch * Wed Apr 19 2023 Andreas Stieger <Andreas.Stieger@gmx.de> - Chromium 112.0.5615.165 (boo#1210618): * CVE-2023-2133: Out of bounds memory access in Service Worker API * CVE-2023-2134: Out of bounds memory access in Service Worker API * CVE-2023-2135: Use after free in DevTools * CVE-2023-2136: Integer overflow in Skia * CVE-2023-2137: Heap buffer overflow in sqlite - drop chromium-112-feed_protos.patch * Sun Apr 16 2023 Andreas Stieger <andreas.stieger@gmx.de> - Fix Leap 15.4 build failures from default comparison operators defined outside of the class definition, a C++20 feature adding chromium-112-default-comparison-operators.patch * Sat Apr 15 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 112.0.5615.121: * CVE-2023-2033: Type Confusion in V8 (boo#1210478) * Fri Apr 07 2023 Andreas Stieger <andreas.stieger@gmx.de> - Revert a breaking change with chromium-112-feed_protos.patch * Tue Apr 04 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 112.0.5615.49 * CSS now supports nesting rules. * The algorithm to set the initial focus on <dialog> elements was updated. * No-op fetch() handlers on service workers are skipped from now on to make navigations faster * The setter for document.domain is now deprecated. * The recorder in devtools can now record with pierce selectors. * Security fixes (boo#1210126): * CVE-2023-1810: Heap buffer overflow in Visuals * CVE-2023-1811: Use after free in Frames * CVE-2023-1812: Out of bounds memory access in DOM Bindings * CVE-2023-1813: Inappropriate implementation in Extensions * CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing * CVE-2023-1815: Use after free in Networking APIs * CVE-2023-1816: Incorrect security UI in Picture In Picture * CVE-2023-1817: Insufficient policy enforcement in Intents * CVE-2023-1818: Use after free in Vulkan * CVE-2023-1819: Out of bounds read in Accessibility * CVE-2023-1820: Heap buffer overflow in Browser History * CVE-2023-1821: Inappropriate implementation in WebShare * CVE-2023-1822: Incorrect security UI in Navigation * CVE-2023-1823: Inappropriate implementation in FedCM * Mon Mar 27 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 111.0.5563.147: * nth-child() validation performance regression for SAP apps * Thu Mar 23 2023 Guillaume GARDET <guillaume.gardet@opensuse.org> - Update gcc13-fix.patch with few fixes required for aarch64, borrowed from Fedora's gcc13 patch * Wed Mar 22 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 111.0.5563.110 (boo#1209598) * CVE-2023-1528: Use after free in Passwords * CVE-2023-1529: Out of bounds memory access in WebHID * CVE-2023-1530: Use after free in PDF * CVE-2023-1531: Use after free in ANGLE * CVE-2023-1532: Out of bounds read in GPU Video * CVE-2023-1533: Use after free in WebProtect * CVE-2023-1534: Out of bounds read in ANGLE * Mon Mar 20 2023 Martin Liška <mliska@suse.cz> - Add gcc13-fix.patch in order to support GCC 13. * Thu Mar 09 2023 Callum Farmer <gmbr3@opensuse.org> - Revert back to GCC 11 on 15.4 as Clang 13 doesn't support GCC 12 * Thu Mar 09 2023 Callum Farmer <gmbr3@opensuse.org> - Bump Leap's GCC to 12 as Chromium really likes newer standards * Thu Mar 09 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 111.0.5563.64 * New View Transitions API * CSS Color Level 4 * New developer tools in style panel for color functionality * CSS added trigonometric functions, additional root font units and extended the n-th child pseudo selector. * previousslide and nextslide actions are now part of the Media Session API * A number of security fixes (boo#1209040) * CVE-2023-1213: Use after free in Swiftshader * CVE-2023-1214: Type Confusion in V8 * CVE-2023-1215: Type Confusion in CSS * CVE-2023-1216: Use after free in DevTools * CVE-2023-1217: Stack buffer overflow in Crash reporting * CVE-2023-1218: Use after free in WebRTC * CVE-2023-1219: Heap buffer overflow in Metrics * CVE-2023-1220: Heap buffer overflow in UMA * CVE-2023-1221: Insufficient policy enforcement in Extensions API * CVE-2023-1222: Heap buffer overflow in Web Audio API * CVE-2023-1223: Insufficient policy enforcement in Autofill * CVE-2023-1224: Insufficient policy enforcement in Web Payments API * CVE-2023-1225: Insufficient policy enforcement in Navigation * CVE-2023-1226: Insufficient policy enforcement in Web Payments API * CVE-2023-1227: Use after free in Core * CVE-2023-1228: Insufficient policy enforcement in Intents * CVE-2023-1229: Inappropriate implementation in Permission prompts * CVE-2023-1230: Inappropriate implementation in WebApp Installs * CVE-2023-1231: Inappropriate implementation in Autofill * CVE-2023-1232: Insufficient policy enforcement in Resource Timing * CVE-2023-1233: Insufficient policy enforcement in Resource Timing * CVE-2023-1234: Inappropriate implementation in Intents * CVE-2023-1235: Type Confusion in DevTools * CVE-2023-1236: Inappropriate implementation in Internals - drop patches: * chromium-86-ImageMemoryBarrierData-init.patch * chromium-93-InkDropHost-crash.patch * chromium-110-NativeThemeBase-fabs.patch * chromium-110-CredentialUIEntry-const.patch * chromium-110-DarkModeLABColorSpace-pow.patch * v8-move-the-Stack-object-from-ThreadLocalTop.patch * chromium-icu72-1.patch * Thu Feb 23 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 110.0.5481.177 (boo#1208589) * CVE-2023-0927: Use after free in Web Payments API * CVE-2023-0928: Use after free in SwiftShader * CVE-2023-0929: Use after free in Vulkan * CVE-2023-0930: Heap buffer overflow in Video * CVE-2023-0931: Use after free in Video * CVE-2023-0932: Use after free in WebRTC * CVE-2023-0933: Integer overflow in PDF * CVE-2023-0941: Use after free in Prompts * Various fixes from internal audits, fuzzing and other initiatives * Thu Feb 16 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 110.0.5481.100 * fix regression on SAP Business Objects web UI * fix date formatting behavior change from ICU 72 * Wed Feb 08 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 110.0.5481.77 (boo#1208029): * CVE-2023-0696: Type Confusion in V8 * CVE-2023-0697: Inappropriate implementation in Full screen mode * CVE-2023-0698: Out of bounds read in WebRTC * CVE-2023-0699: Use after free in GPU * CVE-2023-0700: Inappropriate implementation in Download * CVE-2023-0701: Heap buffer overflow in WebUI * CVE-2023-0702: Type Confusion in Data Transfer * CVE-2023-0703: Type Confusion in DevTools * CVE-2023-0704: Insufficient policy enforcement in DevTools * CVE-2023-0705: Integer overflow in Core * Various fixes from internal audits, fuzzing and other initiatives - build with bundled libavif - dropped patches: * chromium-109-compiler.patch * chromium-icu72-3.patch - added patches: * chromium-110-compiler.patch * chromium-110-system-libffi.patch * chromium-110-NativeThemeBase-fabs.patch * chromium-110-CredentialUIEntry-const.patch * chromium-110-DarkModeLABColorSpace-pow.patch * v8-move-the-Stack-object-from-ThreadLocalTop.patch * Wed Jan 25 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 109.0.5414.119 (boo#1207512): * CVE-2023-0471: Use after free in WebTransport * CVE-2023-0472: Use after free in WebRTC * CVE-2023-0473: Type Confusion in ServiceWorker API * CVE-2023-0474: Use after free in GuestView * Various fixes from internal audits, fuzzing and other initiatives * Tue Jan 17 2023 Callum Farmer <gmbr3@opensuse.org> - Added patches: * chromium-icu72-1.patch: ensure TextCodecCJK doesn't conflict with system icu (bsc#1207147) * chromium-icu72-2.patch: align default characters for old icu with that of ICU 72 * chromium-icu72-3.patch: make V8 aware of space in ICU 72 time format * Tue Jan 10 2023 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 109.0.5414.74: * Add support for MathML Core * CSS: Auto range support for font descriptors inside @font-face rule * CSS: Add lh length unit * CSS: Add hyphenate-limit-chars property * CSS: Snap border, outline and column-rule widths before layout * API: Improved screen sharing and web conferencing: hints for suppressing local audio playback, and Conditional Focus * API: HTTP response status code in the Resource Timing API * API: Same-site cross-origin prerendering triggered by the speculation rules API * Remove Event.path API * CVE-2023-0128: Use after free in Overview Mode * CVE-2023-0129: Heap buffer overflow in Network Service * CVE-2023-0130: Inappropriate implementation in Fullscreen API * CVE-2023-0131: Inappropriate implementation in iframe Sandbox * CVE-2023-0132: Inappropriate implementation in Permission prompts * CVE-2023-0133: Inappropriate implementation in Permission prompts * CVE-2023-0134: Use after free in Cart * CVE-2023-0135: Use after free in Cart * CVE-2023-0136: Inappropriate implementation in Fullscreen API * CVE-2023-0137: Heap buffer overflow in Platform Apps * CVE-2023-0138: Heap buffer overflow in libphonenumber * CVE-2023-0139: Insufficient validation of untrusted input in Downloads * CVE-2023-0140: Inappropriate implementation in File System API * CVE-2023-0141: Insufficient policy enforcement in CORS * Various fixes from internal audits, fuzzing and other initiatives - drop patches: * chromium-gcc11.patch - not needed * chromium-107-system-zlib.patch - upstream * chromium-108-compiler.patch - add patches: * chromium-109-compiler.patch * chromium-109-clang-lp154.patch * Sun Dec 18 2022 Callum Farmer <gmbr3@opensuse.org> - Add chromium-disable-GlobalMediaControlsCastStartStop.patch: disable GlobalMediaControlsCastStartStop to fix crashes occurring when interacting with the Media UI (bsc#1198124) * Wed Dec 14 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 108.0.5359.124 (boo#1206403): * CVE-2022-4436: Use after free in Blink Media * CVE-2022-4437: Use after free in Mojo IPC * CVE-2022-4438: Use after free in Blink Frames * CVE-2022-4439: Use after free in Aura * CVE-2022-4440: Use after free in Profiles * Wed Dec 07 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 108.0.5359.98 * Fix regression in computing <select> visibility * Sat Dec 03 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 108.0.5359.94: * CVE-2022-4262: Type Confusion in V8 (boo#1205999) * Wed Nov 30 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 108.0.5359.71 (boo#1205871): * CVE-2022-4174: Type Confusion in V8 * CVE-2022-4175: Use after free in Camera Capture * CVE-2022-4176: Out of bounds write in Lacros Graphics * CVE-2022-4177: Use after free in Extensions * CVE-2022-4178: Use after free in Mojo * CVE-2022-4179: Use after free in Audio * CVE-2022-4180: Use after free in Mojo * CVE-2022-4181: Use after free in Forms * CVE-2022-4182: Inappropriate implementation in Fenced Frames * CVE-2022-4183: Insufficient policy enforcement in Popup Blocker * CVE-2022-4184: Insufficient policy enforcement in Autofill * CVE-2022-4185: Inappropriate implementation in Navigation * CVE-2022-4186: Insufficient validation of untrusted input in Downloads * CVE-2022-4187: Insufficient policy enforcement in DevTools * CVE-2022-4188: Insufficient validation of untrusted input in CORS * CVE-2022-4189: Insufficient policy enforcement in DevTools * CVE-2022-4190: Insufficient data validation in Directory * CVE-2022-4191: Use after free in Sign-In * CVE-2022-4192: Use after free in Live Caption * CVE-2022-4193: Insufficient policy enforcement in File System API * CVE-2022-4194: Use after free in Accessibility * CVE-2022-4195: Insufficient policy enforcement in Safe Browsing - drop chromium-105-wayland-1.20.patch, upstream - drop chromium-107-compiler.patch - add chromium-108-compiler.patch - drop chromium-98-EnumTable-crash.patch * Thu Nov 24 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 107.0.5304.121 (boo#1205736) * CVE-2022-4135: Heap buffer overflow in GPU * Thu Nov 17 2022 Andreas Stieger <andreas.stieger@gmx.de> - Build with llvm15 on openSUSE:Backports:SLE-15-SP5 and up * Wed Nov 09 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 107.0.5304.110 (boo#1205221) * CVE-2022-3885: Use after free in V8 * CVE-2022-3886: Use after free in Speech Recognition * CVE-2022-3887: Use after free in Web Workers * CVE-2022-3888: Use after free in WebCodecs * CVE-2022-3889: Type Confusion in V8 * CVE-2022-3890: Heap buffer overflow in Crashpad * Fri Oct 28 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 107.0.5304.87 (boo#1204819) * CVE-2022-3723: Type Confusion in V8 * Thu Oct 27 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 107.0.5304.68 (boo#1204732) * CVE-2022-3652: Type Confusion in V8 * CVE-2022-3653: Heap buffer overflow in Vulkan * CVE-2022-3654: Use after free in Layout * CVE-2022-3655: Heap buffer overflow in Media Galleries * CVE-2022-3656: Insufficient data validation in File System * CVE-2022-3657: Use after free in Extensions * CVE-2022-3658: Use after free in Feedback service on Chrome OS * CVE-2022-3659: Use after free in Accessibility * CVE-2022-3660: Inappropriate implementation in Full screen mode * CVE-2022-3661: Insufficient data validation in Extensions - Added patches: * chromium-107-compiler.patch * chromium-107-system-zlib.patch - Removed patches: * chromium-105-compiler.patch * chromium-105-Bitmap-include.patch * chromium-106-AutofillPopupControllerImpl-namespace.patch - Unbundle libyuv and libavif on TW - Prepare 15.5 - Use qt on 15.4+ (15.3 too old) * Wed Oct 12 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 106.0.5249.119 (boo#1204223) * CVE-2022-3445: Use after free in Skia * CVE-2022-3446: Heap buffer overflow in WebSQL * CVE-2022-3447: Inappropriate implementation in Custom Tabs * CVE-2022-3448: Use after free in Permissions API * CVE-2022-3449: Use after free in Safe Browsing * CVE-2022-3450: Use after free in Peer Connection * Thu Oct 06 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 106.0.5249.103: * fix possible cache manager deadlock * Fix right-click menu appearing unexpectedly affecting screen readers * Sat Oct 01 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 106.0.5249.91 (boo#1203808): * CVE-2022-3370: Use after free in Custom Elements * CVE-2022-3373: Out of bounds write in V8 - includes changes from 106.0.5249.61: * CVE-2022-3304: Use after free in CSS * CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools * CVE-2022-3305: Use after free in Survey * CVE-2022-3306: Use after free in Survey * CVE-2022-3307: Use after free in Media * CVE-2022-3308: Insufficient policy enforcement in Developer Tools * CVE-2022-3309: Use after free in Assistant * CVE-2022-3310: Insufficient policy enforcement in Custom Tabs * CVE-2022-3311: Use after free in Import * CVE-2022-3312: Insufficient validation of untrusted input in VPN * CVE-2022-3313: Incorrect security UI in Full Screen * CVE-2022-3314: Use after free in Logging * CVE-2022-3315: Type confusion in Blink * CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing * CVE-2022-3317: Insufficient validation of untrusted input in Intents * CVE-2022-3318: Use after free in ChromeOS Notifications - drop patches: * chromium-104-tflite-system-zlib.patch * chromium-105-AdjustMaskLayerGeometry-ceilf.patch * chromium-105-Trap-raw_ptr.patch * chromium-105-browser_finder-include.patch * chromium-105-raw_ptr-noexcept.patch - add patches * chromium-106-ffmpeg-duration.patch * chromium-106-AutofillPopupControllerImpl-namespace.patch * Wed Sep 14 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 105.0.5195.127 (boo#1203419): * CVE-2022-3195: Out of bounds write in Storage * CVE-2022-3196: Use after free in PDF * CVE-2022-3197: Use after free in PDF * CVE-2022-3198: Use after free in PDF * CVE-2022-3199: Use after free in Frames * CVE-2022-3200: Heap buffer overflow in Internals * CVE-2022-3201: Insufficient validation of untrusted input in DevTools * Various fixes from internal audits, fuzzing and other initiatives * Thu Sep 08 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 105.0.5195.102 (boo#1203102): * CVE-2022-3075: Insufficient data validation in Mojo - Chromium 105.0.5195.52 (boo#1202964): * CVE-2022-3038: Use after free in Network Service * CVE-2022-3039: Use after free in WebSQL * CVE-2022-3040: Use after free in Layout * CVE-2022-3041: Use after free in WebSQL * CVE-2022-3042: Use after free in PhoneHub * CVE-2022-3043: Heap buffer overflow in Screen Capture * CVE-2022-3044: Inappropriate implementation in Site Isolation * CVE-2022-3045: Insufficient validation of untrusted input in V8 * CVE-2022-3046: Use after free in Browser Tag * CVE-2022-3071: Use after free in Tab Strip * CVE-2022-3047: Insufficient policy enforcement in Extensions API * CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen * CVE-2022-3049: Use after free in SplitScreen * CVE-2022-3050: Heap buffer overflow in WebUI * CVE-2022-3051: Heap buffer overflow in Exosphere * CVE-2022-3052: Heap buffer overflow in Window Manager * CVE-2022-3053: Inappropriate implementation in Pointer Lock * CVE-2022-3054: Insufficient policy enforcement in DevTools * CVE-2022-3055: Use after free in Passwords * CVE-2022-3056: Insufficient policy enforcement in Content Security Policy * CVE-2022-3057: Inappropriate implementation in iframe Sandbox * CVE-2022-3058: Use after free in Sign-In Flow - Added patches: * chromium-105-AdjustMaskLayerGeometry-ceilf.patch * chromium-105-Bitmap-include.patch * chromium-105-browser_finder-include.patch * chromium-105-raw_ptr-noexcept.patch * chromium-105-Trap-raw_ptr.patch * chromium-105-wayland-1.20.patch * chromium-105-compiler.patch - Removed patches: * chromium-104-compiler.patch * chromium-104-ContentRendererClient-type.patch * chromium-78-protobuf-RepeatedPtrField-export.patch * Thu Sep 01 2022 Paolo Stivanin <info@paolostivanin.com> - Update chromium-symbolic.svg: this fixes bsc#1202403. * Mon Aug 22 2022 Andreas Schwab <schwab@suse.de> - Fix quoting in chrome-wrapper, don't put cwd on LD_LIBRARY_PATH * Thu Aug 18 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 104.0.5112.101 (boo#1202509): * CVE-2022-2852: Use after free in FedCM * CVE-2022-2854: Use after free in SwiftShader * CVE-2022-2855: Use after free in ANGLE * CVE-2022-2857: Use after free in Blink * CVE-2022-2858: Use after free in Sign-In Flow * CVE-2022-2853: Heap buffer overflow in Downloads * CVE-2022-2856: Insufficient validation of untrusted input in Intents * CVE-2022-2859: Use after free in Chrome OS Shell * CVE-2022-2860: Insufficient policy enforcement in Cookies * CVE-2022-2861: Inappropriate implementation in Extensions API * Tue Aug 16 2022 Callum Farmer <gmbr3@opensuse.org> - Re-enable our version of chrome-wrapper - Set no sandbox if root is being used (https://crbug.com/638180) * Tue Aug 09 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 104.0.5112.79 (boo#1202075) * CVE-2022-2603: Use after free in Omnibox * CVE-2022-2604: Use after free in Safe Browsing * CVE-2022-2605: Out of bounds read in Dawn * CVE-2022-2606: Use after free in Managed devices API * CVE-2022-2607: Use after free in Tab Strip * CVE-2022-2608: Use after free in Overview Mode * CVE-2022-2609: Use after free in Nearby Share * CVE-2022-2610: Insufficient policy enforcement in Background Fetch * CVE-2022-2611: Inappropriate implementation in Fullscreen API * CVE-2022-2612: Side-channel information leakage in Keyboard input * CVE-2022-2613: Use after free in Input * CVE-2022-2614: Use after free in Sign-In Flow * CVE-2022-2615: Insufficient policy enforcement in Cookies * CVE-2022-2616: Inappropriate implementation in Extensions API * CVE-2022-2617: Use after free in Extensions API * CVE-2022-2618: Insufficient validation of untrusted input in Internals * CVE-2022-2619: Insufficient validation of untrusted input in Settings * CVE-2022-2620: Use after free in WebUI * CVE-2022-2621: Use after free in Extensions * CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing * CVE-2022-2623: Use after free in Offline * CVE-2022-2624: Heap buffer overflow in PDF - Added patches: * chromium-104-compiler.patch * chromium-104-ContentRendererClient-type.patch * chromium-104-tflite-system-zlib.patch - Removed patches: * chromium-103-SubstringSetMatcher-packed.patch * chromium-103-FrameLoadRequest-type.patch * chromium-103-compiler.patch - Use FFmpeg 5.1 on TW * Sat Jul 23 2022 Callum Farmer <gmbr3@opensuse.org> - Switch back to Clang so that we can use BTI on aarch64 * Gold is too old - doesn't understand BTI * LD crashes on aarch64 - Re-enable LTO - Prepare move to FFmpeg 5 for new channel layout (requires 5.1+) * Wed Jul 20 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 103.0.5060.134 (boo#1201679): * CVE-2022-2477 : Use after free in Guest View * CVE-2022-2478 : Use after free in PDF * CVE-2022-2479 : Insufficient validation of untrusted input in File * CVE-2022-2480 : Use after free in Service Worker API * CVE-2022-2481: Use after free in Views * CVE-2022-2163: Use after free in Cast UI and Toolbar * Various fixes from internal audits, fuzzing and other initiatives * Sat Jul 09 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 103.0.5060.114 (boo#1201216) * CVE-2022-2294: Heap buffer overflow in WebRTC * CVE-2022-2295: Type Confusion in V8 * CVE-2022-2296: Use after free in Chrome OS Shell * Thu Jul 07 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 103.0.5060.66 * no upstream release notes * Sat Jun 25 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 103.0.5060.53 (boo#1200783) * CVE-2022-2156: Use after free in Base * CVE-2022-2157: Use after free in Interest groups * CVE-2022-2158: Type Confusion in V8 * CVE-2022-2160: Insufficient policy enforcement in DevTools * CVE-2022-2161: Use after free in WebApp Provider * CVE-2022-2162: Insufficient policy enforcement in File System API * CVE-2022-2163: Use after free in Cast UI and Toolbar * CVE-2022-2164: Inappropriate implementation in Extensions API * CVE-2022-2165: Insufficient data validation in URL formatting - Added patches: * chromium-103-FrameLoadRequest-type.patch * chromium-103-SubstringSetMatcher-packed.patch * chromium-103-VirtualCursor-std-layout.patch * chromium-103-compiler.patch - Removed patches: * chromium-102-compiler.patch * chromium-91-sql-standard-layout-type.patch * chromium-101-libxml-unbundle.patch * chromium-102-fenced_frame_utils-include.patch * chromium-102-swiftshader-template-instantiation.patch * chromium-102-symbolize-include.patch * chromium-97-arm-tflite-cast.patch * chromium-97-ScrollView-reference.patch * Fri Jun 10 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 102.0.5005.115 (boo#1200423) * CVE-2022-2007: Use after free in WebGPU * CVE-2022-2008: Out of bounds memory access in WebGL * CVE-2022-2010: Out of bounds read in compositing * CVE-2022-2011: Use after free in ANGLE * Wed Jun 08 2022 Callum Farmer <gmbr3@opensuse.org> - Switch to GTK4 on TW and Leap 15.4+ (boo#1200139) * Wed Jun 01 2022 Callum Farmer <gmbr3@opensuse.org> - Disable ARM control flow integrity, it causes build issues at the moment - Try a different SVG (black logo on GNOME) - Removed patches: * chromium-third_party-symbolize-missing-include.patch (replaced by chromium-102-symbolize-include.patch) * Fri May 27 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 102.0.5001.61 (boo#1199893) * CVE-2022-1853: Use after free in Indexed DB * CVE-2022-1854: Use after free in ANGLE * CVE-2022-1855: Use after free in Messaging * CVE-2022-1856: Use after free in User Education * CVE-2022-1857: Insufficient policy enforcement in File System API * CVE-2022-1858: Out of bounds read in DevTools * CVE-2022-1859: Use after free in Performance Manager * CVE-2022-1860: Use after free in UI Foundations * CVE-2022-1861: Use after free in Sharing * CVE-2022-1862: Inappropriate implementation in Extensions * CVE-2022-1863: Use after free in Tab Groups * CVE-2022-1864: Use after free in WebApp Installs * CVE-2022-1865: Use after free in Bookmarks * CVE-2022-1866: Use after free in Tablet Mode * CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer * CVE-2022-1868: Inappropriate implementation in Extensions API * CVE-2022-1869: Type Confusion in V8 * CVE-2022-1870: Use after free in App Service * CVE-2022-1871: Insufficient policy enforcement in File System API * CVE-2022-1872: Insufficient policy enforcement in Extensions API * CVE-2022-1873: Insufficient policy enforcement in COOP * CVE-2022-1874: Insufficient policy enforcement in Safe Browsing * CVE-2022-1875: Inappropriate implementation in PDF * CVE-2022-1876: Heap buffer overflow in DevTools - Added patches: * chromium-102-compiler.patch * chromium-102-fenced_frame_utils-include.patch * chromium-102-regex_pattern-array.patch * chromium-102-swiftshader-template-instantiation.patch * chromium-102-symbolize-include.patch * ffmpeg-new-channel-layout.patch - Removed patches: * chromium-100-compiler.patch * chromium-80-QuicStreamSendBuffer-deleted-move-constructor.patch * chromium-95-quiche-include.patch * chromium-fix-swiftshader-template.patch * chromium-missing-include-tuple.patch * chromium-webrtc-stats-missing-vector.patch * chromium-101-segmentation_platform-type.patch * Sun May 15 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 101.0.4951.67 * fixes for other platforms * Wed May 11 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 101.0.4951.64 (boo#1199409) * CVE-2022-1633: Use after free in Sharesheet * CVE-2022-1634: Use after free in Browser UI * CVE-2022-1635: Use after free in Permission Prompts * CVE-2022-1636: Use after free in Performance APIs * CVE-2022-1637: Inappropriate implementation in Web Contents * CVE-2022-1638: Heap buffer overflow in V8 Internationalization * CVE-2022-1639: Use after free in ANGLE * CVE-2022-1640: Use after free in Sharing * CVE-2022-1641: Use after free in Web UI Diagnostics * Wed May 04 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 101.0.4951.54 (boo#1199118) - Chromium 101.0.4951.41 (boo#1198917) * CVE-2022-1477: Use after free in Vulkan * CVE-2022-1478: Use after free in SwiftShader * CVE-2022-1479: Use after free in ANGLE * CVE-2022-1480: Use after free in Device API * CVE-2022-1481: Use after free in Sharing * CVE-2022-1482: Inappropriate implementation in WebGL * CVE-2022-1483: Heap buffer overflow in WebGPU * CVE-2022-1484: Heap buffer overflow in Web UI Settings * CVE-2022-1485: Use after free in File System API * CVE-2022-1486: Type Confusion in V8 * CVE-2022-1487: Use after free in Ozone * CVE-2022-1488: Inappropriate implementation in Extensions API * CVE-2022-1489: Out of bounds memory access in UI Shelf * CVE-2022-1490: Use after free in Browser Switcher * CVE-2022-1491: Use after free in Bookmarks * CVE-2022-1492: Insufficient data validation in Blink Editing * CVE-2022-1493: Use after free in Dev Tools * CVE-2022-1494: Insufficient data validation in Trusted Types * CVE-2022-1495: Incorrect security UI in Downloads * CVE-2022-1496: Use after free in File Manager * CVE-2022-1497: Inappropriate implementation in Input * CVE-2022-1498: Inappropriate implementation in HTML Parser * CVE-2022-1499: Inappropriate implementation in WebAuthentication * CVE-2022-1500: Insufficient data validation in Dev Tools * CVE-2022-1501: Inappropriate implementation in iframe - Added patches: * chromium-101-libxml-unbundle.patch * chromium-101-segmentation_platform-type.patch - Removed patches: * chromium-100-SCTHashdanceMetadata-move.patch * chromium-100-GLImplementationParts-constexpr.patch * chromium-100-macro-typo.patch * Thu Apr 21 2022 Callum Farmer <gmbr3@opensuse.org> - Fixes for go 1.18 * Fri Apr 15 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 100.0.4896.127 (boo#1198509) * CVE-2022-1364: Type Confusion in V8 * Various fixes from internal audits, fuzzing and other initiatives * Tue Apr 12 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 100.0.4896.88 (boo#1198361) * CVE-2022-1305: Use after free in storage * CVE-2022-1306: Inappropriate implementation in compositing * CVE-2022-1307: Inappropriate implementation in full screen * CVE-2022-1308: Use after free in BFCache * CVE-2022-1309: Insufficient policy enforcement in developer tools * CVE-2022-1310: Use after free in regular expressions * CVE-2022-1311: Use after free in Chrome OS shell * CVE-2022-1312: Use after free in storage * CVE-2022-1313: Use after free in tab groups * CVE-2022-1314: Type Confusion in V8 * Various fixes from internal audits, fuzzing and other initiatives * Sun Apr 10 2022 Callum Farmer <gmbr3@opensuse.org> - Patches for GCC 12: * chromium-fix-swiftshader-template.patch * chromium-missing-include-tuple.patch * chromium-webrtc-stats-missing-vector.patch * Tue Apr 05 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 100.0.4896.75: * CVE-2022-1232: Type Confusion in V8 (boo#1198053) * Wed Mar 30 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 100.0.4896.60 (boo#1197680) * CVE-2022-1125: Use after free in Portals * CVE-2022-1127: Use after free in QR Code Generator * CVE-2022-1128: Inappropriate implementation in Web Share API * CVE-2022-1129: Inappropriate implementation in Full Screen Mode * CVE-2022-1130: Insufficient validation of untrusted input in WebOTP * CVE-2022-1131: Use after free in Cast UI * CVE-2022-1132: Inappropriate implementation in Virtual Keyboard * CVE-2022-1133: Use after free in WebRTC * CVE-2022-1134: Type Confusion in V8 * CVE-2022-1135: Use after free in Shopping Cart * CVE-2022-1136: Use after free in Tab Strip * CVE-2022-1137: Inappropriate implementation in Extensions * CVE-2022-1138: Inappropriate implementation in Web Cursor * CVE-2022-1139: Inappropriate implementation in Background Fetch API * CVE-2022-1141: Use after free in File Manager * CVE-2022-1142: Heap buffer overflow in WebUI * CVE-2022-1143: Heap buffer overflow in WebUI * CVE-2022-1144: Use after free in WebUI * CVE-2022-1145: Use after free in Extensions * CVE-2022-1146: Inappropriate implementation in Resource Timing - Added patches: * chromium-100-compiler.patch * chromium-100-GLImplementationParts-constexpr.patch * chromium-100-InMilliseconds-constexpr.patch * chromium-100-SCTHashdanceMetadata-move.patch * chromium-100-macro-typo.patch - Removed patches: * chromium-98-compiler.patch * chromium-86-nearby-explicit.patch * chromium-glibc-2.34.patch * chromium-v8-missing-utility-include.patch * chromium-99-AutofillAssistantModelExecutor-NoDestructor.patch * Tue Mar 29 2022 Andreas Schwab <schwab@suse.de> - Update disk constraints * Sat Mar 26 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 99.0.4844.84: * CVE-2022-1096: Type Confusion in V8 (boo#1197552) * Mon Mar 21 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 99.0.4844.82: * Fix potential problem in Hangouts (boo#1197332) * Wed Mar 16 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 99.0.4844.74 (boo#1197163) * CVE-2022-0971: Use after free in Blink Layout * CVE-2022-0972: Use after free in Extensions * CVE-2022-0973: Use after free in Safe Browsing * CVE-2022-0974: Use after free in Splitscreen * CVE-2022-0975: Use after free in ANGLE * CVE-2022-0976: Heap buffer overflow in GPU * CVE-2022-0977: Use after free in Browser UI * CVE-2022-0978: Use after free in ANGLE * CVE-2022-0979: Use after free in Safe Browsing * CVE-2022-0980: Use after free in New Tab Page * Various fixes from internal audits, fuzzing and other initiatives * Fri Mar 04 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 99.0.4844.51 (boo#1196641) * CVE-2022-0789: Heap buffer overflow in ANGLE * CVE-2022-0790: Use after free in Cast UI * CVE-2022-0791: Use after free in Omnibox * CVE-2022-0792: Out of bounds read in ANGLE * CVE-2022-0793: Use after free in Views * CVE-2022-0794: Use after free in WebShare * CVE-2022-0795: Type Confusion in Blink Layout * CVE-2022-0796: Use after free in Media * CVE-2022-0797: Out of bounds memory access in Mojo * CVE-2022-0798: Use after free in MediaStream * CVE-2022-0799: Insufficient policy enforcement in Installer * CVE-2022-0800: Heap buffer overflow in Cast UI * CVE-2022-0801: Inappropriate implementation in HTML parser * CVE-2022-0802: Inappropriate implementation in Full screen mode * CVE-2022-0803: Inappropriate implementation in Permissions * CVE-2022-0804: Inappropriate implementation in Full screen mode * CVE-2022-0805: Use after free in Browser Switcher * CVE-2022-0806: Data leak in Canvas * CVE-2022-0807: Inappropriate implementation in Autofill * CVE-2022-0808: Use after free in Chrome OS Shell * CVE-2022-0809: Out of bounds memory access in WebXR - Removed patches: * chromium-96-EnumTable-crash.patch * chromium-89-missing-cstring-header.patch * chromium-95-libyuv-aarch64.patch * chromium-95-libyuv-arm.patch * chromium-98-MiraclePtr-gcc-ice.patch * chromium-98-WaylandFrameManager-check.patch - Added patches: * chromium-97-arm-tflite-cast.patch * chromium-98-gtk4-build.patch * chromium-99-AutofillAssistantModelExecutor-NoDestructor.patch * chromium-98-EnumTable-crash.patch * chromium-third_party-symbolize-missing-include.patch * chromium-v8-missing-utility-include.patch * Tue Feb 15 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 98.0.4758.102 (boo#1195986) * CVE-2022-0603: Use after free in File Manager * CVE-2022-0604: Heap buffer overflow in Tab Groups * CVE-2022-0605: Use after free in Webstore API * CVE-2022-0606: Use after free in ANGLE * CVE-2022-0607: Use after free in GPU * CVE-2022-0608: Integer overflow in Mojo * CVE-2022-0609: Use after free in Animation * CVE-2022-0610: Inappropriate implementation in Gamepad API * Various fixes from internal audits, fuzzing and other initiatives * Thu Feb 03 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 98.0.4758.80 (boo#1195420) * CVE-2022-0452: Use after free in Safe Browsing * CVE-2022-0453: Use after free in Reader Mode * CVE-2022-0454: Heap buffer overflow in ANGLE * CVE-2022-0455: Inappropriate implementation in Full Screen Mode * CVE-2022-0456: Use after free in Web Search * CVE-2022-0457: Type Confusion in V8 * CVE-2022-0459: Use after free in Screen Capture * CVE-2022-0460: Use after free in Window Dialog * CVE-2022-0461: Policy bypass in COOP * CVE-2022-0462: Inappropriate implementation in Scroll * CVE-2022-0463: Use after free in Accessibility * CVE-2022-0464: Use after free in Accessibility * CVE-2022-0465: Use after free in Extensions * CVE-2022-0466: Inappropriate implementation in Extensions Platform * CVE-2022-0467: Inappropriate implementation in Pointer Lock * CVE-2022-0468: Use after free in Payments * CVE-2022-0469: Use after free in Cast * CVE-2022-0470: Out of bounds memory access in V8 * Various fixes from internal audits, fuzzing and other initiatives - drop upstreamed patches: * chromium-97-Point-constexpr.patch - add patches: * chromium-98-MiraclePtr-gcc-ice.patch * chromium-98-WaylandFrameManager-check.patch - change chromium-97-compiler.patch to chromium-98-compiler.patch * Fri Jan 21 2022 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 97.0.4692.99 (boo#1194919): * CVE-2022-0289: Use after free in Safe browsing * CVE-2022-0290: Use after free in Site isolation * CVE-2022-0291: Inappropriate implementation in Storage * CVE-2022-0292: Inappropriate implementation in Fenced Frames * CVE-2022-0293: Use after free in Web packaging * CVE-2022-0294: Inappropriate implementation in Push messaging * CVE-2022-0295: Use after free in Omnibox * CVE-2022-0296: Use after free in Printing * CVE-2022-0297: Use after free in Vulkan * CVE-2022-0298: Use after free in Scheduling * CVE-2022-0300: Use after free in Text Input Method Editor * CVE-2022-0301: Heap buffer overflow in DevTools * CVE-2022-0302: Use after free in Omnibox * CVE-2022-0303: Race in GPU Watchdog * CVE-2022-0304: Use after free in Bookmarks * CVE-2022-0305: Inappropriate implementation in Service Worker API * CVE-2022-0306: Heap buffer overflow in PDFium * CVE-2022-0307: Use after free in Optimization Guide * CVE-2022-0308: Use after free in Data Transfer * CVE-2022-0309: Inappropriate implementation in Autofill * CVE-2022-0310: Heap buffer overflow in Task Manager * CVE-2022-0311: Heap buffer overflow in Task Manager * Various fixes from internal audits, fuzzing and other initiatives - drop upstreamed patches: * fix-tag-dragging-in-Mutter.patch * fix-tag-dragging-in-KWin.patch * Thu Jan 20 2022 Callum Farmer <gmbr3@opensuse.org> - Revert chromium-94-ffmpeg-roll.patch on TW: fix moved to FFmpeg * Tue Jan 11 2022 Callum Farmer <gmbr3@opensuse.org> - Chromium 97.0.4692.71 (boo#1194331): * CVE-2022-0096: Use after free in Storage * CVE-2022-0097: Inappropriate implementation in DevTools * CVE-2022-0098: Use after free in Screen Capture * CVE-2022-0099: Use after free in Sign-in * CVE-2022-0100: Heap buffer overflow in Media streams API * CVE-2022-0101: Heap buffer overflow in Bookmarks * CVE-2022-0102: Type Confusion in V8 * CVE-2022-0103: Use after free in SwiftShader * CVE-2022-0104: Heap buffer overflow in ANGLE * CVE-2022-0105: Use after free in PDF * CVE-2022-0106: Use after free in Autofill * CVE-2022-0107: Use after free in File Manager API * CVE-2022-0108: Inappropriate implementation in Navigation * CVE-2022-0109: Inappropriate implementation in Autofill * CVE-2022-0110: Incorrect security UI in Autofill * CVE-2022-0111: Inappropriate implementation in Navigation * CVE-2022-0112: Incorrect security UI in Browser UI * CVE-2022-0113: Inappropriate implementation in Blink * CVE-2022-0114: Out of bounds memory access in Web Serial * CVE-2022-0115: Uninitialized Use in File API * CVE-2022-0116: Inappropriate implementation in Compositing * CVE-2022-0117: Policy bypass in Service Workers * CVE-2022-0118: Inappropriate implementation in WebShare * CVE-2022-0120: Inappropriate implementation in Passwords - Removed patches: * chromium-96-CommandLine-include.patch * chromium-96-RestrictedCookieManager-tuple.patch * chromium-96-DrmRenderNodePathFinder-include.patch * chromium-96-CouponDB-include.patch * chromium-96-freetype-unbundle.patch * chromium-96-compiler.patch * chromium-vaapi.patch * chromium-86-nearby-include.patch - Added patches: * chromium-97-compiler.patch * chromium-97-Point-constexpr.patch * chromium-97-ScrollView-reference.patch * chromium-95-libyuv-arm.patch * fix-tag-dragging-in-KWin.patch * fix-tag-dragging-in-Mutter.patch * Thu Dec 30 2021 Callum Farmer <gmbr3@opensuse.org> - Revert wayland fixes because it doesn't handle GPU correctly (boo#1194182) * Thu Dec 30 2021 Martin Liška <mliska@suse.cz> - Use GCC 11, but disable LTO (boo#1194055). * Wed Dec 29 2021 Callum Farmer <gmbr3@opensuse.org> - Use our own copy of the wrapper so that we can use the fixes for Wayland * Sun Dec 26 2021 Callum Farmer <gmbr3@opensuse.org> - Define GNU_SOURCE and fix the below patched issues - Removed patches: * chromium-86-f_seal.patch * chromium-90-fseal.patch * Fri Dec 24 2021 Callum Farmer <gmbr3@opensuse.org> - Added patches: * chromium-96-freetype-unbundle.patch * chromium-96-EnumTable-crash.patch - Unbundle freetype on TW - Unbundle icu on 15.4 - Disable lto and update _constraints on aarch64 - Remove MEIPreload: it gets installed through component updater * Wed Dec 15 2021 Callum Farmer <gmbr3@opensuse.org> - Revert to gcc10 on TW: gcc11 is entirely broken - No auto thread LTO: linker crash on ARM * Tue Dec 14 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 96.0.4664.110 (boo#1193713): * CVE-2021-4098: Insufficient data validation in Mojo * CVE-2021-4099: Use after free in Swiftshader * CVE-2021-4100: Object lifecycle issue in ANGLE * CVE-2021-4101: Heap buffer overflow in Swiftshader * CVE-2021-4102: Use after free in V8 * Thu Dec 09 2021 Callum Farmer <gmbr3@opensuse.org> - Lord of the Browsers: The Two Compilers: * Go back to GCC * GCC: LTO removes needed assembly symbols * Clang: issues with libstdc++ - Chromium 96.0.4664.93 (boo#1193519): * CVE-2021-4052: Use after free in web apps * CVE-2021-4053: Use after free in UI * CVE-2021-4079: Out of bounds write in WebRTC * CVE-2021-4054: Incorrect security UI in autofill * CVE-2021-4078: Type confusion in V8 * CVE-2021-4055: Heap buffer overflow in extensions * CVE-2021-4056: Type Confusion in loader * CVE-2021-4057: Use after free in file API * CVE-2021-4058: Heap buffer overflow in ANGLE * CVE-2021-4059: Insufficient data validation in loader * CVE-2021-4061: Type Confusion in V8 * CVE-2021-4062: Heap buffer overflow in BFCache * CVE-2021-4063: Use after free in developer tools * CVE-2021-4064: Use after free in screen capture * CVE-2021-4065: Use after free in autofill * CVE-2021-4066: Integer underflow in ANGLE * CVE-2021-4067: Use after free in window manager * CVE-2021-4068: Insufficient validation of untrusted input in new tab page - Chromium 96.0.4664.45 (boo#1192734): * CVE-2021-38007: Type Confusion in V8 * CVE-2021-38008: Use after free in media * CVE-2021-38009: Inappropriate implementation in cache * CVE-2021-38006: Use after free in storage foundation * CVE-2021-38005: Use after free in loader * CVE-2021-38010: Inappropriate implementation in service workers * CVE-2021-38011: Use after free in storage foundation * CVE-2021-38012: Type Confusion in V8 * CVE-2021-38013: Heap buffer overflow in fingerprint recognition * CVE-2021-38014: Out of bounds write in Swiftshader * CVE-2021-38015: Inappropriate implementation in input * CVE-2021-38016: Insufficient policy enforcement in background fetch * CVE-2021-38017: Insufficient policy enforcement in iframe sandbox * CVE-2021-38018: Inappropriate implementation in navigation * CVE-2021-38019: Insufficient policy enforcement in CORS * CVE-2021-38020: Insufficient policy enforcement in contacts picker * CVE-2021-38021: Inappropriate implementation in referrer * CVE-2021-38022: Inappropriate implementation in WebAuthentication - Removed old patches: * chromium-95-compiler.patch * chromium-95-BitstreamReader-namespace.patch * chromium-95-system-zlib.patch * chromium-older-harfbuzz.patch * pipewire-do-not-typecheck-the-portal-session_handle.patch - Removed build breaking patches: * chromium-93-EnumTable-crash.patch - Added patches: * chromium-96-compiler.patch * chromium-96-CommandLine-include.patch * chromium-96-RestrictedCookieManager-tuple.patch * chromium-96-DrmRenderNodePathFinder-include.patch * chromium-96-CouponDB-include.patch - Changed patches: * gcc-enable-lto.patch: see above * Fri Nov 19 2021 Callum Farmer <gmbr3@opensuse.org> - Ensure newer libs and LLVM is used on Leap (boo#1192310) * Wed Nov 17 2021 Steve Kowalik <steven.kowalik@suse.com> - Explicitly BuildRequire python3-six. * Sun Oct 31 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 95.0.4638.69 (boo#1192184): * CVE-2021-37997: Use after free in Sign-In * CVE-2021-37998: Use after free in Garbage Collection * CVE-2021-37999: Insufficient data validation in New Tab Page * CVE-2021-38000: Insufficient validation of untrusted input in Intents * CVE-2021-38001: Type Confusion in V8 * CVE-2021-38002: Use after free in Web Transport * CVE-2021-38003: Inappropriate implementation in V8 * Sun Oct 24 2021 Callum Farmer <gmbr3@opensuse.org> - Chromium 95.0.4638.54 (boo#1191844): * CVE-2021-37981: Heap buffer overflow in Skia * CVE-2021-37982: Use after free in Incognito * CVE-2021-37983: Use after free in Dev Tools * CVE-2021-37984: Heap buffer overflow in PDFium * CVE-2021-37985: Use after free in V8 * CVE-2021-37986: Heap buffer overflow in Settings * CVE-2021-37987: Use after free in Network APIs * CVE-2021-37988: Use after free in Profiles * CVE-2021-37989: Inappropriate implementation in Blink * CVE-2021-37990: Inappropriate implementation in WebView * CVE-2021-37991: Race in V8 * CVE-2021-37992: Out of bounds read in WebAudio * CVE-2021-37993: Use after free in PDF Accessibility * CVE-2021-37996: Insufficient validation of untrusted input in Downloads * CVE-2021-37994: Inappropriate implementation in iFrame Sandbox * CVE-2021-37995: Inappropriate implementation in WebApp Installer - Added patches: * chromium-95-BitstreamReader-namespace.patch * chromium-95-compiler.patch * chromium-95-libyuv-aarch64.patch * chromium-95-quiche-include.patch * chromium-95-system-zlib.patch - Removed patches: * chromium-94-compiler.patch * chromium-91-libyuv-aarch64.patch * chromium-90-ruy-include.patch * chromium-94-CustomSpaces-include.patch * Sat Oct 16 2021 Callum Farmer <gmbr3@opensuse.org> - Remove Python 2 requirement * Sat Oct 09 2021 Callum Farmer <gmbr3@opensuse.org> - Disable DCHECK(): that's for debug only * Sat Oct 09 2021 Callum Farmer <gmbr3@opensuse.org> - Add pipewire-do-not-typecheck-the-portal-session_handle.patch: fix WebRTC with xdg-desktop-portal 1.10 * Fri Oct 08 2021 Callum Farmer <gmbr3@opensuse.org> - Chromium 94.0.4606.81 (boo#1191463): * CVE-2021-37977: Use after free in Garbage Collection * CVE-2021-37978: Heap buffer overflow in Blink * CVE-2021-37979: Heap buffer overflow in WebRTC * CVE-2021-37980: Inappropriate implementation in Sandbox - Re-add after accidental deletion: * chromium-93-InkDropHost-crash.patch * Sun Oct 03 2021 Callum Farmer <gmbr3@opensuse.org> - Chromium 94.0.4606.54 (boo#1190765): * CVE-2021-37956: Use after free in Offline use * CVE-2021-37957: Use after free in WebGPU * CVE-2021-37958: Inappropriate implementation in Navigation * CVE-2021-37959: Use after free in Task Manager * CVE-2021-37960: Inappropriate implementation in Blink graphics * CVE-2021-37961: Use after free in Tab Strip * CVE-2021-37962: Use after free in Performance Manager * CVE-2021-37963: Side-channel information leakage in DevTools * CVE-2021-37964: Inappropriate implementation in ChromeOS Networking * CVE-2021-37965: Inappropriate implementation in Background Fetch API * CVE-2021-37966: Inappropriate implementation in Compositing * CVE-2021-37967: Inappropriate implementation in Background Fetch API * CVE-2021-37968: Inappropriate implementation in Background Fetch API * CVE-2021-37969: Inappropriate implementation in Google Updater * CVE-2021-37970: Use after free in File System API * CVE-2021-37971: Incorrect security UI in Web Browser UI * CVE-2021-37972: Out of bounds read in libjpeg-turbo - Chromium 94.0.4606.61 (boo#1191166): * CVE-2021-37973: Use after free in Portals - Chromium 94.0.4606.71 (boo#1191204): * CVE-2021-37974 : Use after free in Safe Browsing * CVE-2021-37975 : Use after free in V8 * CVE-2021-37976 : Information leak in core - Added patches: * chromium-94-CustomSpaces-include.patch * chromium-94-sql-no-assert.patch * chromium-older-harfbuzz.patch * chromium-94-ffmpeg-roll.patch * chromium-94-compiler.patch - Removed patches: * chromium-freetype-2.11.patch * chromium-93-ContextSet-permissive.patch * chromium-93-ClassProperty-include.patch * chromium-93-BluetoothLowEnergyScanFilter-include.patch * chromium-93-HashPasswordManager-include.patch * chromium-93-pdfium-include.patch * chromium-93-DevToolsEmbedderMessageDispatcher-include.patch * chromium-93-FormForest-constexpr.patch * chromium-93-ScopedTestDialogAutoConfirm-include.patch * chromium-93-InkDropHost-crash.patch * chromium-91-compiler.patch * chromium-glibc-2.33.patch * chromium-shim_headers.patch * Sat Sep 18 2021 Callum Farmer <gmbr3@opensuse.org> - Add patch to fix Leap 15.2 build: * chromium-ffmpeg-lp152.patch - Change system-libdrm.patch: add to unbundle instead of changing header path * Wed Sep 15 2021 Callum Farmer <gmbr3@opensuse.org> - Chromium 93.0.4577.63 (boo#1190096): * CVE-2021-30606: Use after free in Blink * CVE-2021-30607: Use after free in Permissions * CVE-2021-30608: Use after free in Web Share * CVE-2021-30609: Use after free in Sign-In * CVE-2021-30610: Use after free in Extensions API * CVE-2021-30611: Use after free in WebRTC * CVE-2021-30612: Use after free in WebRTC * CVE-2021-30613: Use after free in Base internals * CVE-2021-30614: Heap buffer overflow in TabStrip * CVE-2021-30615: Cross-origin data leak in Navigation * CVE-2021-30616: Use after free in Media * CVE-2021-30617: Policy bypass in Blink * CVE-2021-30618: Inappropriate implementation in DevTools * CVE-2021-30619: UI Spoofing in Autofill * CVE-2021-30620: Insufficient policy enforcement in Blink * CVE-2021-30621: UI Spoofing in Autofill * CVE-2021-30622: Use after free in WebApp Installs * CVE-2021-30623: Use after free in Bookmarks * CVE-2021-30624: Use after free in Autofill - Chromium 93.0.4577.82 (boo#1190476): * CVE-2021-30625: Use after free in Selection API * CVE-2021-30626: Out of bounds memory access in ANGLE * CVE-2021-30627: Type Confusion in Blink layout * CVE-2021-30628: Stack buffer overflow in ANGLE * CVE-2021-30629: Use after free in Permissions * CVE-2021-30630: Inappropriate implementation in Blink * CVE-2021-30631: Type Confusion in Blink layout * CVE-2021-30632: Out of bounds write in V8 * CVE-2021-30633: Use after free in Indexed DB API - Removed patches: * chromium-88-gcc-fix-swiftshader-libEGL-visibility.patch * chromium-92-v8-constexpr.patch * chromium-no-writeprotection.patch * chromium-92-EnumTable-crash.patch - Added patches: * chromium-93-ContextSet-permissive.patch * chromium-93-ClassProperty-include.patch * chromium-93-BluetoothLowEnergyScanFilter-include.patch * chromium-93-HashPasswordManager-include.patch * chromium-93-pdfium-include.patch * chromium-93-DevToolsEmbedderMessageDispatcher-include.patch * chromium-93-FormForest-constexpr.patch * chromium-93-ScopedTestDialogAutoConfirm-include.patch * chromium-93-InkDropHost-crash.patch * chromium-93-ffmpeg-4.4.patch * chromium-93-EnumTable-crash.patch * Sun Aug 29 2021 Callum Farmer <gmbr3@opensuse.org> - Updated chromium-glibc-2.34.patch: Fix PTHREAD_STACK_MIN errors with glibc 2.34 * Tue Aug 17 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 92.0.4515.159 (boo#1189490): * CVE-2021-30598: Type Confusion in V8 * CVE-2021-30599: Type Confusion in V8 * CVE-2021-30600: Use after free in Printing * CVE-2021-30601: Use after free in Extensions API * CVE-2021-30602: Use after free in WebRTC * CVE-2021-30603: Race in WebAudio * CVE-2021-30604: Use after free in ANGLE * Various fixes from internal audits, fuzzing and other initiatives * Sun Aug 15 2021 Callum Farmer <gmbr3@opensuse.org> - Add missing crashpad_handler (boo#1189254) * Fri Aug 06 2021 Callum Farmer <gmbr3@opensuse.org> - Chromium 92.0.4515.131 (boo#1189006) * CVE-2021-30590: Heap buffer overflow in Bookmarks * CVE-2021-30591: Use after free in File System API * CVE-2021-30592: Out of bounds write in Tab Groups * CVE-2021-30593: Out of bounds read in Tab Strip * CVE-2021-30594: Use after free in Page Info UI * CVE-2021-30596: Incorrect security UI in Navigation * CVE-2021-30597: Use after free in Browser UI - Removed patches: * chromium-92-GetUsableSize-nullptr.patch - Added patches: * chromium-no-writeprotection.patch * chromium-glibc-2.34.patch * Sun Aug 01 2021 Callum Farmer <gmbr3@opensuse.org> - Chromium 92.0.4515.107 (boo#1188590) * CVE-2021-30565: Out of bounds write in Tab Groups * CVE-2021-30566: Stack buffer overflow in Printing * CVE-2021-30567: Use after free in DevTools * CVE-2021-30568: Heap buffer overflow in WebGL * CVE-2021-30569: Use after free in sqlite * CVE-2021-30571: Insufficient policy enforcement in DevTools * CVE-2021-30572: Use after free in Autofill * CVE-2021-30573: Use after free in GPU * CVE-2021-30574: Use after free in protocol handling * CVE-2021-30575: Out of bounds read in Autofill * CVE-2021-30576: Use after free in DevTools * CVE-2021-30577: Insufficient policy enforcement in Installer * CVE-2021-30578: Uninitialized Use in Media * CVE-2021-30579: Use after free in UI framework * CVE-2021-30581: Use after free in DevTools * CVE-2021-30582: Inappropriate implementation in Animation * CVE-2021-30584: Incorrect security UI in Downloads * CVE-2021-30585: Use after free in sensor handling * CVE-2021-30588: Type Confusion in V8 * CVE-2021-30589: Insufficient validation of untrusted input in Sharing - Switched from GCC+LTO to Clang+ThinLTO due to errors - Removed patches: * chromium-90-compiler.patch * chromium-89-EnumTable-crash.patch * chromium-86-ConsumeDurationNumber-constexpr.patch * chromium-lp152-missing-includes.patch * chromium-91-GCC_fix_vector_types_in_pcscan.patch * chromium-91-system-icu.patch * chromium-91-1190561-boo1186948.patch - Added patches: * chromium-91-compiler.patch * chromium-92-EnumTable-crash.patch * chromium-92-v8-constexpr.patch * chromium-92-GetUsableSize-nullptr.patch * chromium-freetype-2.11.patch * chromium-clang-nomerge.patch * Sat Jul 17 2021 Andreas Stieger <andreas.stieger@gmx.de> - chromium 91.0.4472.164 (boo#1188373) * CVE-2021-30559: Out of bounds write in ANGLE * CVE-2021-30541: Use after free in V8 * CVE-2021-30560: Use after free in Blink XSLT * CVE-2021-30561: Type Confusion in V8 * CVE-2021-30562: Use after free in WebSerial * CVE-2021-30563: Type Confusion in V8 * CVE-2021-30564: Heap buffer overflow in WebXR * Various fixes from internal audits, fuzzing and other initiatives * Mon Jul 05 2021 Callum Farmer <gmbr3@opensuse.org> - Add chromium-91-sql-standard-layout-type.patch: to fix SQL being incorrect with libstdc++ 11 * Mon Jun 21 2021 Andreas Stieger <andreas.stieger@gmx.de> - fix crash upon exit boo#1186948 add chromium-91-1190561-boo1186948.patch * Fri Jun 18 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 91.0.4472.114 (boo#1187481) * CVE-2021-30554: Use after free in WebGL * CVE-2021-30555: Use after free in Sharing * CVE-2021-30556: Use after free in WebAudio * CVE-2021-30557: Use after free in TabGroups * Wed Jun 16 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 91.0.4472.106 * Fix use-after-free in SendTabToSelfSubMenuModel * Destroy system-token NSSCertDatabase on the IO thread * Wed Jun 09 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 91.0.4472.101 (boo#1187141) * CVE-2021-30544: Use after free in BFCache * CVE-2021-30545: Use after free in Extensions * CVE-2021-30546: Use after free in Autofill * CVE-2021-30547: Out of bounds write in ANGLE * CVE-2021-30548: Use after free in Loader * CVE-2021-30549: Use after free in Spell check * CVE-2021-30550: Use after free in Accessibility * CVE-2021-30551: Type Confusion in V8 * CVE-2021-30552: Use after free in Extensions * CVE-2021-30553: Use after free in Network service * Various fixes from internal audits, fuzzing and other initiatives * Thu Jun 03 2021 Callum Farmer <gmbr3@opensuse.org> - Add README.SUSE - Fix aarch64 build: * chromium-91-libyuv-aarch64.patch * Update highway to 0.12.2 (arm only) - Add -flax-vector-conversions to build flags * Thu May 27 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 91.0.4472.77 (boo#1186458): * Support Managed configuration API for Web Applications * WebOTP API: cross-origin iframe support * CSS custom counter styles * Support JSON Modules * Clipboard: read-only files support * Remove webkitBeforeTextInserted & webkitEditableCOntentChanged JS events * Honor media HTML attribute for link icon * Import Assertions * Class static initializer blocks * Ergonomic brand checks for private fields * Expose WebAssembly SIMD * New Feature: WebTransport * ES Modules for service workers ('module' type option) * Suggested file name and location for the File System Access API * adaptivePTime property for RTCRtpEncodingParameters * Block HTTP port 10080 - mitigation for NAT Slipstream 2.0 attack * Support WebSockets over HTTP/2 * Support 103 Early Hints for Navigation * CVE-2021-30521: Heap buffer overflow in Autofill * CVE-2021-30522: Use after free in WebAudio * CVE-2021-30523: Use after free in WebRTC * CVE-2021-30524: Use after free in TabStrip * CVE-2021-30525: Use after free in TabGroups * CVE-2021-30526: Out of bounds write in TabStrip * CVE-2021-30527: Use after free in WebUI * CVE-2021-30528: Use after free in WebAuthentication * CVE-2021-30529: Use after free in Bookmarks * CVE-2021-30530: Out of bounds memory access in WebAudio * CVE-2021-30531: Insufficient policy enforcement in Content Security Policy * CVE-2021-30532: Insufficient policy enforcement in Content Security Policy * CVE-2021-30533: Insufficient policy enforcement in PopupBlocker * CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox * CVE-2021-30535: Double free in ICU * CVE-2021-21212: Insufficient data validation in networking * CVE-2021-30536: Out of bounds read in V8 * CVE-2021-30537: Insufficient policy enforcement in cookies * CVE-2021-30538: Insufficient policy enforcement in content security policy * CVE-2021-30539: Insufficient policy enforcement in content security policy * CVE-2021-30540: Incorrect security UI in payments * Various fixes from internal audits, fuzzing and other initiatives * drop chromium-90-TokenizedOutput-include.patch * drop chromium-90-CrossThreadCopier-qualification.patch * drop chromium-90-quantization_utils-include.patch * drop chromium-90-angle-constexpr.patch * add chromium-91-java-only-allowed-in-android-builds.patch * add chromium-91-GCC_fix_vector_types_in_pcscan.patch * add chromium-91-system-icu.patch * Mon May 17 2021 Marcus Meissner <meissner@suse.com> - use asimdrdm CPU flag for aarch64 to select only more powerful buildhosts. * Tue May 11 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 90.0.4430.212 (boo#1185908) * CVE-2021-30506: Incorrect security UI in Web App Installs * CVE-2021-30507: Inappropriate implementation in Offline * CVE-2021-30508: Heap buffer overflow in Media Feeds * CVE-2021-30509: Out of bounds write in Tab Strip * CVE-2021-30510: Race in Aura * CVE-2021-30511: Out of bounds read in Tab Group * CVE-2021-30512: Use after free in Notifications * CVE-2021-30513: Type Confusion in V8 * CVE-2021-30514: Use after free in Autofill * CVE-2021-30515: Use after free in File API * CVE-2021-30516: Heap buffer overflow in History * CVE-2021-30517: Type Confusion in V8 * CVE-2021-30518: Heap buffer overflow in Reader Mode * CVE-2021-30519: Use after free in Payments * CVE-2021-30520: Use after free in Tab Strip - FTP support disabled at runtime by default since release 88. Chromium 91 will remove support for ftp altogether (boo#1185496) * Thu May 06 2021 Callum Farmer <gmbr3@opensuse.org> * Patch change * - Fix build with GCC 11 again (bsc#1185716) - Remove chromium-88-compiler.patch - Remove chromium-90-cstdint.patch - Remove chromium-90-gslang-linkage-fixup.patch - Added chromium-90-compiler.patch - Added chromium-90-angle-constexpr.patch - Added chromium-90-TokenizedOutput-include.patch - Added chromium-90-ruy-include.patch - Added chromium-90-CrossThreadCopier-qualification.patch - Added chromium-90-quantization_utils-include.patch * Wed Apr 28 2021 Marcus Meissner <meissner@suse.com> - Chromium 90.0.4430.93 (boo#1185398): - CVE-2021-21227: Insufficient data validation in V8. - CVE-2021-21232: Use after free in Dev Tools. - CVE-2021-21233: Heap buffer overflow in ANGLE. - CVE-2021-21228: Insufficient policy enforcement in extensions. - CVE-2021-21229: Incorrect security UI in downloads. - CVE-2021-21230: Type Confusion in V8. - CVE-2021-21231: Insufficient data validation in V8. - Reference: https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html * Wed Apr 21 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 90.0.4430.85 (boo#1185047): * CVE-2021-21222: Heap buffer overflow in V8 * CVE-2021-21223: Integer overflow in Mojo * CVE-2021-21224: Type Confusion in V8 * CVE-2021-21225: Out of bounds memory access in V8 * CVE-2021-21226: Use after free in navigation - Chromium 90.0.4430.72 (boo#1184764): * CVE-2021-21201: Use after free in permissions * CVE-2021-21202: Use after free in extensions * CVE-2021-21203: Use after free in Blink * CVE-2021-21204: Use after free in Blink * CVE-2021-21205: Insufficient policy enforcement in navigation * CVE-2021-21221: Insufficient validation of untrusted input in Mojo * CVE-2021-21207: Use after free in IndexedDB * CVE-2021-21208: Insufficient data validation in QR scanner * CVE-2021-21209: Inappropriate implementation in storage * CVE-2021-21210: Inappropriate implementation in Network * CVE-2021-21211: Inappropriate implementation in Navigatio * CVE-2021-21212: Incorrect security UI in Network Config UI * CVE-2021-21213: Use after free in WebMIDI * CVE-2021-21214: Use after free in Network API * CVE-2021-21215: Inappropriate implementation in Autofill * CVE-2021-21216: Inappropriate implementation in Autofill * CVE-2021-21217: Uninitialized Use in PDFium * CVE-2021-21218: Uninitialized Use in PDFium * CVE-2021-21219: Uninitialized Use in PDFiu * drop chromium-89-quiche-private.patch * drop chromium-89-quiche-dcheck.patch * drop chromium-89-skia-CropRect.patch * drop chromium-89-dawn-include.patch * drop chromium-89-webcodecs-deps.patch * drop chromium-89-AXTreeSerializer-include.patch * drop libva-2.11.patch * drop libva-2.11-nolegacy.patch * drop chromium-84-blink-disable-clang-format.patch - chromium-90-gslang-linkage-fixup.patch: fixed a weird static/nonpic error - chromium-90-cstdint.patch: some cstd includes added - chromium-90-fseal.patch: F_SEAL defines added * Wed Apr 14 2021 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 89.0.4389.128 (boo#1184700): * CVE-2021-21206: Use after free in blink * CVE-2021-21220: Insufficient validation of untrusted input in v8 for x86_64 * Sat Apr 03 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 89.0.4389.114 bsc#1184256 - CVE-2021-21194: Use after free in screen capture - CVE-2021-21195: Use after free in V8 - CVE-2021-21196: Heap buffer overflow in TabStrip - CVE-2021-21197: Heap buffer overflow in TabStrip - CVE-2021-21198: Out of bounds read in IPC - CVE-2021-21199: Use Use after free in Aura - Add libva-2.11.patch to fix build with libva <2.11 - Add libva-2.11-nolegacy.patch to fix build with libva 2.11 - Remove x11-ozone-fix-two-edge-cases.patch * Mon Mar 15 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 89.0.4389.90 bsc#1183515 - CVE-2021-21191: Use after free in WebRTC. - CVE-2021-21192: Heap buffer overflow in tab groups. - CVE-2021-21193: Use after free in Blink. * Thu Mar 11 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 89.0.4389.82 - Add x11-ozone-fix-two-edge-cases.patch to fix tab drag errors * Fri Mar 05 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 89.0.4389.72 bsc#1182960 - CVE-2021-21159: Heap buffer overflow in TabStrip. - CVE-2021-21160: Heap buffer overflow in WebAudio. - CVE-2021-21161: Heap buffer overflow in TabStrip. - CVE-2021-21162: Use after free in WebRTC. - CVE-2021-21163: Insufficient data validation in Reader Mode. - CVE-2021-21164: Insufficient data validation in Chrome for iOS. - CVE-2021-21165: Object lifecycle issue in audio. - CVE-2021-21166: Object lifecycle issue in audio. - CVE-2021-21167: Use after free in bookmarks. - CVE-2021-21168: Insufficient policy enforcement in appcache. - CVE-2021-21169: Out of bounds memory access in V8. - CVE-2021-21170: Incorrect security UI in Loader. - CVE-2021-21171: Incorrect security UI in TabStrip and Navigation. - CVE-2021-21172: Insufficient policy enforcement in File System API. - CVE-2021-21173: Side-channel information leakage in Network Internals. - CVE-2021-21174: Inappropriate implementation in Referrer. - CVE-2021-21175: Inappropriate implementation in Site isolation. - CVE-2021-21176: Inappropriate implementation in full screen mode. - CVE-2021-21177: Insufficient policy enforcement in Autofill. - CVE-2021-21178: Inappropriate implementation in Compositing. - CVE-2021-21179: Use after free in Network Internals. - CVE-2021-21180: Use after free in tab search. - CVE-2020-27844: Heap buffer overflow in OpenJPEG. - CVE-2021-21181: Side-channel information leakage in autofill. - CVE-2021-21182: Insufficient policy enforcement in navigations. - CVE-2021-21183: Inappropriate implementation in performance APIs. - CVE-2021-21184: Inappropriate implementation in performance APIs. - CVE-2021-21185: Insufficient policy enforcement in extensions. - CVE-2021-21186: Insufficient policy enforcement in QR scanning. - CVE-2021-21187: Insufficient data validation in URL formatting. - CVE-2021-21188: Use after free in Blink. - CVE-2021-21189: Insufficient policy enforcement in payments. - CVE-2021-21190: Uninitialized Use in PDFium. - Added patches: - chromium-89-quiche-private.patch - chromium-89-quiche-dcheck.patch - chromium-89-skia-CropRect.patch - chromium-89-dawn-include.patch - chromium-89-webcodecs-deps.patch - chromium-89-EnumTable-crash.patch - chromium-shim_headers.patch - chromium-89-missing-cstring-header.patch - chromium-89-AXTreeSerializer-include.patch - chromium-88-gcc-fix-swiftshader-libEGL-visibility.patch (bsc#1182775) - Removed patches: - chromium-fix-char_traits.patch - build-with-pipewire-0.3.patch - chromium-79-gcc-protobuf-alignas.patch - chromium-87-CursorFactory-include.patch - chromium-87-openscreen-include.patch - chromium-88-vaapi-attribute.patch - chromium-88-ozone-deps.patch - chromium-87-webcodecs-deps.patch - chromium-88-ityp-include.patch - chromium-88-AXTreeFormatter-include.patch - chromium-88-BookmarkModelObserver-include.patch - chromium-88-federated_learning-include.patch - chromium-88-ideographicSpaceCharacter.patch - chromium-88-StringPool-include.patch - chromium-88-dawn-static.patch - chromium-88-CompositorFrameReporter-dcheck.patch * Wed Feb 17 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 88.0.4324.182 bsc#1182358 - CVE-2021-21149: Stack overflow in Data Transfer. - CVE-2021-21150: Use after free in Downloads. - CVE-2021-21151: Use after free in Payments. - CVE-2021-21152: Heap buffer overflow in Media. - CVE-2021-21153: Stack overflow in GPU Process. - CVE-2021-21154: Heap buffer overflow in Tab Strip. - CVE-2021-21155: Heap buffer overflow in Tab Strip. - CVE-2021-21156: Heap buffer overflow in V8. - CVE-2021-21157: Use after free in Web Sockets. * Mon Feb 15 2021 Callum Farmer <gmbr3@opensuse.org> - Add chromium-glibc-2.33.patch: fix Sandbox with glibc 2.33 (bsc#1182233) * Sat Feb 06 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 88.0.4324.150 bsc#1181827 - CVE-2021-21148: Heap buffer overflow in V8 * Thu Feb 04 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 88.0.4324.146 bsc#1181772 - CVE-2021-21142: Use after free in Payments - CVE-2021-21143: Heap buffer overflow in Extensions - CVE-2021-21144: Heap buffer overflow in Tab Groups. - CVE-2021-21145: Use after free in Fonts - CVE-2021-21146: Use after free in Navigation. - CVE-2021-21147: Inappropriate implementation in Skia * Sat Jan 23 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 88.0.4324.96 bsc#1181137 - CVE-2021-21117: Insufficient policy enforcement in Cryptohome - CVE-2021-21118: Insufficient data validation in V8 - CVE-2021-21119: Use after free in Media - CVE-2021-21120: Use after free in WebSQL - CVE-2021-21121: Use after free in Omnibox - CVE-2021-21122: Use after free in Blink - CVE-2021-21123: Insufficient data validation in File System API - CVE-2021-21124: Potential user after free in Speech Recognizer - CVE-2021-21125: Insufficient policy enforcement in File System API - CVE-2020-16044: Use after free in WebRTC - CVE-2021-21126: Insufficient policy enforcement in extensions - CVE-2021-21127: Insufficient policy enforcement in extensions - CVE-2021-21128: Heap buffer overflow in Blink - CVE-2021-21129: Insufficient policy enforcement in File System API - CVE-2021-21130: Insufficient policy enforcement in File System API - CVE-2021-21131: Insufficient policy enforcement in File System API - CVE-2021-21132: Inappropriate implementation in DevTools - CVE-2021-21133: Insufficient policy enforcement in Downloads - CVE-2021-21134: Incorrect security UI in Page Info - CVE-2021-21135: Inappropriate implementation in Performance API - CVE-2021-21136: Insufficient policy enforcement in WebView - CVE-2021-21137: Inappropriate implementation in DevTools - CVE-2021-21138: Use after free in DevTools - CVE-2021-21139: Inappropriate implementation in iframe sandbox - CVE-2021-21140: Uninitialized Use in USB - CVE-2021-21141: Insufficient policy enforcement in File System API - Added patches: - chromium-88-compiler.patch - chromium-88-ozone-deps.patch - chromium-88-ityp-include.patch - chromium-88-AXTreeFormatter-include.patch - chromium-88-BookmarkModelObserver-include.patch - chromium-88-federated_learning-include.patch - chromium-88-ideographicSpaceCharacter.patch - chromium-88-StringPool-include.patch - chromium-88-dawn-static.patch - chromium-88-CompositorFrameReporter-dcheck.patch - Removed patches: - gpu-timeout.patch - chromium-87-compiler.patch - chromium-87-ServiceWorkerContainerHost-crash.patch - chromium-87-ozone-deps.patch - chromium-87-v8-icu68.patch - chromium-87-icu68.patch * Sat Jan 16 2021 Callum Farmer <gmbr3@opensuse.org> - Remove C++ only flags from CFLAGS - Update chromium-gcc11.patch - Comply with new Google API key rules for Derivatives * Thu Jan 07 2021 Callum Farmer <gmbr3@opensuse.org> - Update to 87.0.4280.141 bsc#1180645 - CVE-2021-21106: Use after free in autofill - CVE-2021-21107: Use after free in drag and drop - CVE-2021-21108: Use after free in media - CVE-2021-21109: Use after free in payments - CVE-2021-21110: Use after free in safe browsing - CVE-2021-21111: Insufficient policy enforcement in WebUI - CVE-2021-21112: Use after free in Blink - CVE-2021-21113: Heap buffer overflow in Skia - CVE-2020-16043: Insufficient data validation in networking - CVE-2021-21114: Use after free in audio - CVE-2020-15995: Out of bounds write in V8 - CVE-2021-21115: Use after free in safe browsing - CVE-2021-21116: Heap buffer overflow in audio * Sun Dec 20 2020 Callum Farmer <gmbr3@opensuse.org> - Use main URLs instead of redirects in master preferences - Remove useless %post and %postun * Fri Dec 04 2020 Callum Farmer <gmbr3@opensuse.org> - Added patches: - chromium-87-icu68.patch - chromium-87-v8-icu68.patch - Update to 87.0.4280.88 bsc#1179576 - CVE-2020-16037: Use after free in clipboard - CVE-2020-16038: Use after free in media - CVE-2020-16039: Use after free in extensions - CVE-2020-16040: Insufficient data validation in V8 - CVE-2020-16041: Out of bounds read in networking - CVE-2020-16042: Uninitialized Use in V8 * Sat Nov 28 2020 Callum Farmer <gmbr3@opensuse.org> - Remove erroneous call to ldconfig which causes Firefox crashes (boo#1179298) * Thu Nov 19 2020 Callum Farmer <callumjfarmer13@gmail.com> - Added patches: - chromium-gcc11.patch - chromium-86-fix-vaapi-on-intel.patch - chromium-87-compiler.patch - chromium-87-CursorFactory-include.patch - chromium-87-openscreen-include.patch - chromium-87-ozone-deps.patch - chromium-87-ServiceWorkerContainerHost-crash.patch - chromium-87-webcodecs-deps.patch - chromium-88-vaapi-attribute.patch - chromium-lp152-missing-includes.patch - Removed patches: - chromium-86-ServiceWorkerRunningInfo-noexcept.patch - chromium-86-compiler.patch - fix-invalid-end-iterator-usage-in-CookieMonster.patch - old-libva.patch - Update to 87.0.4280.66 bsc#1178923 - Wayland support by default - CVE-2020-16018: Use after free in payments. - CVE-2020-16019: Inappropriate implementation in filesystem. - CVE-2020-16020: Inappropriate implementation in cryptohome. - CVE-2020-16021: Race in ImageBurner. - CVE-2020-16022: Insufficient policy enforcement in networking. - CVE-2020-16015: Insufficient data validation in WASM. R - CVE-2020-16014: Use after free in PPAPI. - CVE-2020-16023: Use after free in WebCodecs. - CVE-2020-16024: Heap buffer overflow in UI. - CVE-2020-16025: Heap buffer overflow in clipboard. - CVE-2020-16026: Use after free in WebRTC. - CVE-2020-16027: Insufficient policy enforcement in developer tools. R - CVE-2020-16028: Heap buffer overflow in WebRTC. - CVE-2020-16029: Inappropriate implementation in PDFium. - CVE-2020-16030: Insufficient data validation in Blink. - CVE-2019-8075: Insufficient data validation in Flash. - CVE-2020-16031: Incorrect security UI in tab preview. - CVE-2020-16032: Incorrect security UI in sharing. - CVE-2020-16033: Incorrect security UI in WebUSB. - CVE-2020-16034: Inappropriate implementation in WebRTC. - CVE-2020-16035: Insufficient data validation in cros-disks. - CVE-2020-16012: Side-channel information leakage in graphics. - CVE-2020-16036: Inappropriate implementation in cookies. * Thu Nov 12 2020 Callum Farmer <callumjfarmer13@gmail.com> - Update to 86.0.4240.198 bsc#1178703 - CVE-2020-16013: Inappropriate implementation in V8 - CVE-2020-16017: Use after free in site isolation * Wed Nov 11 2020 Callum Farmer <callumjfarmer13@gmail.com> - Update to 86.0.4240.193 bsc#1178630 - CVE-2020-16016: Inappropriate implementation in base. * Tue Nov 03 2020 Callum Farmer <callumjfarmer13@gmail.com> - Update to 86.0.4240.183 bsc#1178375 - CVE-2020-16004: Use after free in user interface. - CVE-2020-16005: Insufficient policy enforcement in ANGLE. - CVE-2020-16006: Inappropriate implementation in V8 - CVE-2020-16007: Insufficient data validation in installer. - CVE-2020-16008: Stack buffer overflow in WebRTC. - CVE-2020-16009: Inappropriate implementation in V8. - CVE-2020-16011: Heap buffer overflow in UI on Windows. * Thu Oct 22 2020 Marcus Meissner <meissner@suse.com> - Update to 86.0.4240.111 bsc#1177936 - CVE-2020-16000: Inappropriate implementation in Blink. - CVE-2020-16001: Use after free in media. - CVE-2020-16002: Use after free in PDFium. - CVE-2020-15999: Heap buffer overflow in Freetype. - CVE-2020-16003: Use after free in printing. * Mon Oct 19 2020 Marcus Meissner <meissner@suse.com> - chromium-86-f_seal.patch: F_SEAL* definitions added for leap 15.1 and 15.2 - replace one missed g++-9 by g++-10 for leap 15.1/15.2 * Wed Oct 14 2020 Tomáš Chvátal <tchvatal@suse.com> - Remove vdpau->vaapi bridge as it breaks a lot: (fixes welcome by someone else than me) * chromium-vaapi-fix.patch * Wed Oct 14 2020 Tomáš Chvátal <tchvatal@suse.com> - Fix cookiemonster: * fix-invalid-end-iterator-usage-in-CookieMonster.patch * Wed Oct 14 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 86.0.4240.75 bsc#1177408: * CVE-2020-15967: Use after free in payments. * CVE-2020-15968: Use after free in Blink. * CVE-2020-15969: Use after free in WebRTC. * CVE-2020-15970: Use after free in NFC. * CVE-2020-15971: Use after free in printing. * CVE-2020-15972: Use after free in audio. * CVE-2020-15990: Use after free in autofill. * CVE-2020-15991: Use after free in password manager. * CVE-2020-15973: Insufficient policy enforcement in extensions. * CVE-2020-15974: Integer overflow in Blink. * CVE-2020-15975: Integer overflow in SwiftShader. * CVE-2020-15976: Use after free in WebXR. * CVE-2020-6557: Inappropriate implementation in networking. * CVE-2020-15977: Insufficient data validation in dialogs. * CVE-2020-15978: Insufficient data validation in navigation. * CVE-2020-15979: Inappropriate implementation in V8. * CVE-2020-15980: Insufficient policy enforcement in Intents. * CVE-2020-15981: Out of bounds read in audio. * CVE-2020-15982: Side-channel information leakage in cache. * CVE-2020-15983: Insufficient data validation in webUI. * CVE-2020-15984: Insufficient policy enforcement in Omnibox. * CVE-2020-15985: Inappropriate implementation in Blink. * CVE-2020-15986: Integer overflow in media. * CVE-2020-15987: Use after free in WebRTC. * CVE-2020-15992: Insufficient policy enforcement in networking. * CVE-2020-15988: Insufficient policy enforcement in downloads. * CVE-2020-15989: Uninitialized Use in PDFium. - Add patches: * chromium-78-protobuf-RepeatedPtrField-export.patch * chromium-79-gcc-protobuf-alignas.patch * chromium-80-QuicStreamSendBuffer-deleted-move-constructor.patch * chromium-86-ConsumeDurationNumber-constexpr.patch * chromium-86-ImageMemoryBarrierData-init.patch * chromium-86-ServiceWorkerRunningInfo-noexcept.patch * chromium-86-compiler.patch * chromium-86-nearby-explicit.patch * chromium-86-nearby-include.patch - Remove patches: * chromium-79-gcc-alignas.patch * chromium-80-gcc-quiche.patch * chromium-82-gcc-constexpr.patch * chromium-83-gcc-10.patch * chromium-84-gcc-include.patch * chromium-84-mediaalloc.patch * chromium-85-DelayNode-cast.patch * chromium-85-FrameWidget-namespace.patch * chromium-85-NearbyConnection-abstract.patch * chromium-85-NearbyShareEncryptedMetadataKey-include.patch * chromium-85-oscillator_node-cast.patch * chromium-85-ostream-operator.patch * chromium-85-ozone-include.patch * chromium-85-sim_hash-include.patch * chromium-blink-gcc-diagnostic-pragma.patch * chromium-dma-buf.patch * chromium-drm.patch * chromium-quiche-invalid-offsetof.patch * Sat Oct 10 2020 Andreas Stieger <andreas.stieger@gmx.de> - build with system libevent, the gn bug is no longer present * Wed Sep 23 2020 Tomáš Chvátal <tchvatal@suse.com> - Remove TOC files to avoid warning in post and fix angle conditional * Tue Sep 22 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 85.0.4183.121 bsc#1176791: * CVE-2020-15960: Out of bounds read in storage * CVE-2020-15961: Insufficient policy enforcement in extensions * CVE-2020-15962: Insufficient policy enforcement in serial * CVE-2020-15963: Insufficient policy enforcement in extensions * CVE-2020-15965: Out of bounds write in V8 * CVE-2020-15966: Insufficient policy enforcement in extensions * CVE-2020-15964: Insufficient data validation in media * Tue Sep 15 2020 Tomáš Chvátal <tchvatal@suse.com> - The egl stuff is from angle not swiftshader, thanks Fedora bsc#1176450 * Sat Sep 12 2020 Tomáš Chvátal <tchvatal@suse.com> - Add back the swiftshader folder wrt bsc#1176450 * Wed Sep 09 2020 Tomáš Chvátal <tchvatal@suse.com> - Update 85.0.4183.102 bsc#1176306: * CVE-2020-6573: Use after free in video. * CVE-2020-6574: Insufficient policy enforcement in installer. * CVE-2020-6575: Race in Mojo. * CVE-2020-6576: Use after free in offscreen canvas. * CVE-2020-15959: Insufficient policy enforcement in networking. * Tue Sep 08 2020 Tomáš Chvátal <tchvatal@suse.com> - Move swiftshader stuff to chromium folder directly bsc#1176207 * Tue Sep 01 2020 Tomáš Chvátal <tchvatal@suse.com> - Really update to .83 we accidentally included .69 beta release * Fri Aug 28 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to compile with old libdrm on Leap 15.1: * chromium-lp151-old-drm.patch * Thu Aug 27 2020 Tomáš Chvátal <tchvatal@suse.com> - Version update to 85.0.4183.83 bsc#1175757 * CVE-2020-6558: Insufficient policy enforcement in iOS * CVE-2020-6559: Use after free in presentation API * CVE-2020-6560: Insufficient policy enforcement in autofill * CVE-2020-6561: Inappropriate implementation in Content Security Policy * CVE-2020-6562: Insufficient policy enforcement in Blink * CVE-2020-6563: Insufficient policy enforcement in intent handling. * CVE-2020-6564: Incorrect security UI in permissions * CVE-2020-6565: Incorrect security UI in Omnibox. * CVE-2020-6566: Insufficient policy enforcement in media. * CVE-2020-6567: Insufficient validation of untrusted input in command line handling. * CVE-2020-6568: Insufficient policy enforcement in intent handling. * CVE-2020-6569: Integer overflow in WebUSB. * CVE-2020-6570: Side-channel information leakage in WebRTC. * CVE-2020-6571: Incorrect security UI in Omnibox. - Use bundled vpx everywhere again as it fails to compile against system version - Added patches: * chromium-85-DelayNode-cast.patch * chromium-85-FrameWidget-namespace.patch * chromium-85-NearbyConnection-abstract.patch * chromium-85-NearbyShareEncryptedMetadataKey-include.patch * chromium-85-oscillator_node-cast.patch * chromium-85-ostream-operator.patch * chromium-85-ozone-include.patch * chromium-85-sim_hash-include.patch - Removed patches: * chromium-82-gcc-template.patch * chromium-84-AXObject-stl-iterator.patch * chromium-84-FilePath-add-noexcept.patch * chromium-84-base-has_bultin.patch * chromium-84-fix-decltype.patch * chromium-84-gcc-DOMRect-constexpr.patch * chromium-84-gcc-noexcept.patch * chromium-84-gcc-template.patch * chromium-84-gcc-unique_ptr.patch * chromium-84-gcc-use-brace-initializer.patch * chromium-84-nss-include.patch * chromium-84-ozone-include.patch * chromium-84-revert-manage-ManifestManagerHost-per-document.patch * chromium-84-std-vector-const.patch * chromium-clang_lto_visibility_public.patch - Updated patches: * chromium-83-gcc-10.patch * chromium-84-gcc-include.patch * chromium-prop-codecs.patch * gcc-enable-lto.patch * Thu Aug 27 2020 Tomáš Chvátal <tchvatal@suse.com> - Do not use libexec as we use /usr/lib as a target folder * Fri Aug 21 2020 Tomáš Chvátal <tchvatal@suse.com> - Fix the build by removing expectation of llvm-7.0 * Thu Aug 20 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 84.0.4147.135 (bsc#1175505): * CVE-2020-6556: Heap buffer overflow in SwiftShader * Wed Aug 12 2020 Martin Liška <mliska@suse.cz> - Add chromium-disable-parallel-gold.patch in order to disable broken parallel ld.gold with LTO. - Enable again LTO for x86_64 and increase memory constraints. - Use parallel WPA streaming, we will easily fit into memory constraints. - Remove memory_constrain hack for LTO. * Mon Aug 10 2020 Andreas Stieger <andreas.stieger@gmx.de> - Chromium 84.0.4147.125 (boo#1175085) * CVE-2020-6542: Use after free in ANGLE * CVE-2020-6543: Use after free in task scheduling * CVE-2020-6544: Use after free in media * CVE-2020-6545: Use after free in audio * CVE-2020-6546: Inappropriate implementation in installer * CVE-2020-6547: Incorrect security UI in media * CVE-2020-6548: Heap buffer overflow in Skia * CVE-2020-6549: Use after free in media * CVE-2020-6550: Use after free in IndexedDB * CVE-2020-6551: Use after free in WebXR * CVE-2020-6552: Use after free in Blink * CVE-2020-6553: Use after free in offline mode * CVE-2020-6554: Use after free in extensions * CVE-2020-6555: Out of bounds read in WebGL * Various fixes from internal audits, fuzzing and other initiatives * Mon Aug 10 2020 Tomáš Chvátal <tchvatal@suse.com> - Disable wayland everywhere as it breaks headless and middle mouse copy everywhere: bsc#1174497 bsc#1175044 * Mon Aug 03 2020 Andreas Stieger <andreas.stieger@gmx.de> - Update to 84.0.4147.105 (boo#1174582): * CVE-2020-6537: Type Confusion in V8 * CVE-2020-6538: Inappropriate implementation in WebView * CVE-2020-6532: Use after free in SCTP * CVE-2020-6539: Use after free in CSS * CVE-2020-6540: Heap buffer overflow in Skia * CVE-2020-6541: Use after free in WebUSB * Fri Jul 17 2020 Tomáš Chvátal <tchvatal@suse.com> - Try to fix non-wayland build for Leap builds * Thu Jul 16 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 84.0.4147.89 bsc#1174189: * Critical CVE-2020-6510: Heap buffer overflow in background fetch. * High CVE-2020-6511: Side-channel information leakage in content security policy. * High CVE-2020-6512: Type Confusion in V8. * High CVE-2020-6513: Heap buffer overflow in PDFium. * High CVE-2020-6514: Inappropriate implementation in WebRTC. * High CVE-2020-6515: Use after free in tab strip. * High CVE-2020-6516: Policy bypass in CORS. * High CVE-2020-6517: Heap buffer overflow in history. * Medium CVE-2020-6518: Use after free in developer tools. * Medium CVE-2020-6519: Policy bypass in CSP. * Medium CVE-2020-6520: Heap buffer overflow in Skia. * Medium CVE-2020-6521: Side-channel information leakage in autofill. * Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. * Medium CVE-2020-6523: Out of bounds write in Skia. * Medium CVE-2020-6524: Heap buffer overflow in WebAudio. * Medium CVE-2020-6525: Heap buffer overflow in Skia. * Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. * Low CVE-2020-6527: Insufficient policy enforcement in CSP. * Low CVE-2020-6528: Incorrect security UI in basic auth. * Low CVE-2020-6529: Inappropriate implementation in WebRTC. * Low CVE-2020-6530: Out of bounds memory access in developer tools. * Low CVE-2020-6531: Side-channel information leakage in scroll to text. * Low CVE-2020-6533: Type Confusion in V8. * Low CVE-2020-6534: Heap buffer overflow in WebRTC. * Low CVE-2020-6535: Insufficient data validation in WebUI. * Low CVE-2020-6536: Incorrect security UI in PWAs. - Use bundled xcb-proto as we need to generate py2 bindings - Add new patches: * chromium-84-AXObject-stl-iterator.patch * chromium-84-FilePath-add-noexcept.patch * chromium-84-base-has_bultin.patch * chromium-84-blink-disable-clang-format.patch * chromium-84-fix-decltype.patch * chromium-84-gcc-DOMRect-constexpr.patch * chromium-84-gcc-include.patch * chromium-84-gcc-noexcept.patch * chromium-84-gcc-template.patch * chromium-84-gcc-unique_ptr.patch * chromium-84-gcc-use-brace-initializer.patch * chromium-84-nss-include.patch * chromium-84-ozone-include.patch * chromium-84-revert-manage-ManifestManagerHost-per-document.patch * chromium-84-std-vector-const.patch * chromium-84.0.4147.89.tar.xz * chromium-blink-gcc-diagnostic-pragma.patch * chromium-clang_lto_visibility_public.patch * chromium-quiche-invalid-offsetof.patch * system-libdrm.patch - Remove no longer needed patches: * chromium-81-re2-0.2020.05.01.patch * chromium-82-gcc-incomplete-type.patch * chromium-82-gcc-iterator.patch * chromium-82-gcc-noexcept.patch * chromium-83-gcc-include.patch * chromium-83-gcc-iterator.patch * chromium-83-gcc-permissive.patch * chromium-83-gcc-serviceworker.patch * chromium-83-gcc-template.patch * chromium-83-icu67.patch * chromium-83.0.4103.97-skia-gcc-no_sanitize-fixes.patch * chromium-dev-shm.patch - Rebase and update patches: * build-with-pipewire-0.3.patch * chromium-83-gcc-10.patch * chromium-84-mediaalloc.patch * chromium-norar.patch * chromium-vaapi-fix.patch * Sun Jun 28 2020 Atri Bhattacharya <badshah400@gmail.com> - Refresh build-with-pipewire-0.3.patch to mirror similar patch by Fedora for Firefox; screen-capture wasn't actually working with the previous version of the patch. - Add BuildRequires: pkgconfig(libspa-2.0) when building with pipewire support to guard against potential package splitting off of pipewire-spa-devel from pipewire-devel. * Thu Jun 25 2020 Tomáš Chvátal <tchvatal@suse.com> - Disable the LTO again as it still OOMs quite often * Wed Jun 24 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch to work with new ffmpeg wrt bsc#1173292: * chromium-84-mediaalloc.patch * Tue Jun 23 2020 Tomáš Chvátal <tchvatal@suse.com> - Add multimedia fix for disabled location and also try one additional patch from Debian on the same issue bsc#1173107 Update patch: * no-location-leap151.patch * Tue Jun 23 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch from Fedora to avoid attribute overrides in skia: * chromium-83.0.4103.97-skia-gcc-no_sanitize-fixes.patch * Tue Jun 23 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch to hopefully fix bsc#1173107: * chromium-dev-shm.patch * Tue Jun 23 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.116 bsc#1173251: * CVE-2020-6509: Use after free in extensions * Fri Jun 19 2020 Tomáš Chvátal <tchvatal@suse.com> - Reduce constraints to say 20 GB disk space is enough * Fri Jun 19 2020 Tomáš Chvátal <tchvatal@suse.com> - Disable wayland integration on 15.x bsc#1173187 bsc#1173188 bsc#1173254 * Thu Jun 18 2020 Tomáš Chvátal <tchvatal@suse.com> - Enforce to not use system borders bsc#1173063 * Wed Jun 17 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.106 bsc#1173029: * CVE-2020-6505: Use after free in speech * CVE-2020-6506: Insufficient policy enforcement in WebView * CVE-2020-6507: Out of bounds write in V8 * Mon Jun 15 2020 Tomáš Chvátal <tchvatal@suse.com> - Another attempt on the location handling for Leap 15.1: * no-location-leap151.patch * Thu Jun 11 2020 Tomáš Chvátal <tchvatal@suse.com> - Attempt to build with wayland/ozone enabled * Thu Jun 11 2020 Tomáš Chvátal <tchvatal@suse.com> - Enable more system libs on 15.2+ - Remove the chromium-83-gcc-location-revert.patch as it is wrong approach to fix the problem * Thu Jun 11 2020 Tomáš Chvátal <tchvatal@suse.com> - Update _constraints to match up LTO enablement * Wed Jun 10 2020 Tomáš Chvátal <tchvatal@suse.com> - With GCC 10 released we should be able to enable LTO again * Thu Jun 04 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.97 bsc#1172496: * CVE-2020-6493: Use after free in WebAuthentication. * CVE-2020-6494: Incorrect security UI in payments. * CVE-2020-6495: Insufficient policy enforcement in developer tools. * CVE-2020-6496: Use after free in payments. * Thu May 28 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch to not use bundled unrar: * chromium-norar.patch * Thu May 28 2020 Fabian Vogt <fvogt@suse.com> - Amend chromium-prop-codecs.patch to allow proprietary_codecs without building third_party/openh264 * Wed May 27 2020 Tomáš Chvátal <tchvatal@suse.com> - Add revert of location setting commit that broke build on openSUSE Leap 15.1: * chromium-83-gcc-location-revert.patch * Mon May 25 2020 Tomáš Chvátal <tchvatal@suse.com> - Swtich to GCC 9.x on Leaps to avoid gcc bug exposed in gcc8 * Fri May 22 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch to fix building with new re2: * chromium-81-re2-0.2020.05.01.patch * Wed May 20 2020 Guillaume GARDET <guillaume.gardet@opensuse.org> - Update _constraints to avoid very slow builds seen on obs-arm-4 (probably due to swap) * Wed May 20 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.61 bsc#1171910: * CVE-2020-6465: Use after free in reader mode. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-04-21 * CVE-2020-6466: Use after free in media. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-26 * CVE-2020-6467: Use after free in WebRTC. Reported by ZhanJia Song on 2020-04-06 * CVE-2020-6468: Type Confusion in V8. Reported by Chris Salls and Jake Corina of Seaside Security, Chani Jindal of Shellphish on 2020-04-30 * CVE-2020-6469: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-02 * CVE-2020-6470: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-03-30 * CVE-2020-6471: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-08 * CVE-2020-6472: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-25 * CVE-2020-6473: Insufficient policy enforcement in Blink. Reported by Soroush Karami and Panagiotis Ilia on 2020-02-06 * CVE-2020-6474: Use after free in Blink. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-07 * CVE-2020-6475: Incorrect security UI in full screen. Reported by Khalil Zhani on 2019-10-31 * CVE-2020-6476: Insufficient policy enforcement in tab strip. Reported by Alexandre Le Borgne on 2019-12-18 * CVE-2020-6477: Inappropriate implementation in installer. Reported by RACK911 Labs on 2019-03-26 * CVE-2020-6478: Inappropriate implementation in full screen. Reported by Khalil Zhani on 2019-12-24 * CVE-2020-6479: Inappropriate implementation in sharing. Reported by Zhong Zhaochen of andsecurity.cn on 2020-01-14 * CVE-2020-6480: Insufficient policy enforcement in enterprise. Reported by Marvin Witt on 2020-02-21 * CVE-2020-6481: Insufficient policy enforcement in URL formatting. Reported by Rayyan Bijoora on 2020-04-07 * CVE-2020-6482: Insufficient policy enforcement in developer tools. Reported by Abdulrahman Alqabandi (@qab) on 2017-12-17 * CVE-2020-6483: Insufficient policy enforcement in payments. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-23 * CVE-2020-6484: Insufficient data validation in ChromeDriver. Reported by Artem Zinenko on 2020-01-26 * CVE-2020-6485: Insufficient data validation in media router. Reported by Sergei Glazunov of Google Project Zero on 2020-01-30 * CVE-2020-6486: Insufficient policy enforcement in navigations. Reported by David Erceg on 2020-02-24 * CVE-2020-6487: Insufficient policy enforcement in downloads. Reported by Jun Kokatsu (@shhnjk) on 2015-10-06 * CVE-2020-6488: Insufficient policy enforcement in downloads. Reported by David Erceg on 2020-01-21 * CVE-2020-6489: Inappropriate implementation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-02-10 * CVE-2020-6490: Insufficient data validation in loader. Reported by Twitter on 2019-12-19 * CVE-2020-6491: Incorrect security UI in site information. Reported by Sultan Haikal M.A on 2020-02-07 - Rebase patch: * chromium-vaapi.patch - Remove merged patches: * icu-v67.patch * chromium-80-gcc-blink.patch * chromium-80.0.3987.106-missing-cstddef-header.patch * chromium-80.0.3987.87-missing-cstdint-header.patch * chromium-80.0.3987.87-missing-string-header.patch * chromium-81-gcc-constexpr.patch * chromium-81-gcc-noexcept.patch * chromium-old-glibc-noexcept.patch * fix-vaapi-with-glx.patch - Add new patches: * chromium-82-gcc-constexpr.patch * chromium-82-gcc-incomplete-type.patch * chromium-82-gcc-iterator.patch * chromium-82-gcc-noexcept.patch * chromium-82-gcc-template.patch * chromium-83-gcc-10.patch * chromium-83-gcc-include.patch * chromium-83-gcc-iterator.patch * chromium-83-gcc-permissive.patch * chromium-83-gcc-serviceworker.patch * chromium-83-gcc-template.patch * chromium-83-icu67.patch * Wed May 06 2020 Tomáš Chvátal <tchvatal@suse.com> - update to 81.0.4044.138 bsc#1171247: * CVE-2020-6831: Stack buffer overflow in SCTP * CVE-2020-6464: Type Confusion in Blink. * Tue May 05 2020 Ismail Dönmez <idonmez@suse.com> - Add icu-v67.patch from upstream to fix build with icu v67 * Wed Apr 29 2020 Andreas Stieger <andreas.stieger@gmx.de> - update to 81.0.4044.129 (boo#1170707): * CVE-2020-0561: Use after free in storage * CVE-2020-6462: Use after free in task scheduling * Tue Apr 28 2020 Martin Liška <mliska@suse.cz> - Add chromium-80.0.3987.87-missing-cstdint-header.patch, chromium-80.0.3987.87-missing-string-header.patch and chromium-80.0.3987.106-missing-cstddef-header.patch in order to fix build with GCC 10. * Tue Apr 21 2020 Andreas Stieger <andreas.stieger@gmx.de> - Update to 81.0.4044.122 (boo#1170107 bsc#1171975): * CVE-2020-6459: Use after free in payments * CVE-2020-6460: Insufficient data validation in URL formatting * CVE-2020-6458: Out of bounds read and write in PDFium * CVE-2020-6463: Use after free in ANGLE * Fri Apr 17 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 81.0.4044.113 bsc#1169729: * CVE-2020-6457: Use after free in speech recognizer * Tue Apr 14 2020 Tomáš Chvátal <tchvatal@suse.com> - Try to use system version of xdg-utils * Wed Apr 08 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 81.0.4044.92 bsc#1168911: * CVE-2020-6454: Use after free in extensions * CVE-2020-6423: Use after free in audio * CVE-2020-6455: Out of bounds read in WebSQL * CVE-2020-6430: Type Confusion in V8 * CVE-2020-6456: Insufficient validation of untrusted input in clipboard * CVE-2020-6431: Insufficient policy enforcement in full screen * CVE-2020-6432: Insufficient policy enforcement in navigations * CVE-2020-6433: Insufficient policy enforcement in extensions * CVE-2020-6434: Use after free in devtools * CVE-2020-6435: Insufficient policy enforcement in extensions * CVE-2020-6436: Use after free in window management * CVE-2020-6437: Inappropriate implementation in WebView * CVE-2020-6438: Insufficient policy enforcement in extensions * CVE-2020-6439: Insufficient policy enforcement in navigations * CVE-2020-6440: Inappropriate implementation in extensions * CVE-2020-6441: Insufficient policy enforcement in omnibox * CVE-2020-6442: Inappropriate implementation in cache * CVE-2020-6443: Insufficient data validation in developer tools * CVE-2020-6444: Uninitialized Use in WebRTC * CVE-2020-6445: Insufficient policy enforcement in trusted types * CVE-2020-6446: Insufficient policy enforcement in trusted types * CVE-2020-6447: Inappropriate implementation in developer tools * CVE-2020-6448: Use after free in V8 - Add new patches: * chromium-81-gcc-constexpr.patch * chromium-81-gcc-noexcept.patch * fix-vaapi-with-glx.patch - Remove no longer needed patches: * chromium-80-gcc-abstract.patch * chromium-80-gcc-incomplete-type.patch * chromium-80-gcc-permissive.patch * chromium-80-include.patch * chromium-80-unbundle-libxml.patch * chromium-missing-cstddef-header.patch * chromium-missing-cstdint-header.patch * chromium-missing-cstring-header.patch * chromium-missing-cstring-header2.patch * chromium-system-icu.patch * chromium-unbundle-zlib.patch * webrtc-pulse.patch - Rebase patches: * build-with-pipewire-0.3.patch * chromium-vaapi-fix.patch * chromium-vaapi.patch * gpu-timeout.patch * old-libva.patch * Thu Apr 02 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.162 bsc#1168421: * CVE-2020-6450: Use after free in WebAudio. * CVE-2020-6451: Use after free in WebAudio. * CVE-2020-6452: Heap buffer overflow in media. * Sun Mar 29 2020 Martin Liška <mliska@suse.cz> - Rebase build-with-pipewire-0.3.patch in order to fix patch collision. * Sat Mar 28 2020 Martin Liška <mliska@suse.cz> - Add chromium-missing-cstdint-header.patch, chromium-missing-cstring-header.patch, chromium-missing-cstring-header2.patch and chromium-missing-cstddef-header.patch in order to fix boo#1167465. * Fri Mar 27 2020 Stasiek Michalski <stasiek@michalski.cc> - Use a symbolic icon for GNOME * Mon Mar 23 2020 Antonio Larrosa <alarrosa@suse.com> - Add patch to allow building with pipewire 0.3: * build-with-pipewire-0.3.patch - Use pipewire in Leap 15.2 * Thu Mar 19 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.149: * High CVE-2020-6422: Use after free in WebGL. * High CVE-2020-6424: Use after free in media. * High CVE-2020-6425: Insufficient policy enforcement in extensions. * High CVE-2020-6426: Inappropriate implementation in V8. * High CVE-2020-6427: Use after free in audio. * High CVE-2020-6428: Use after free in audio. * High CVE-2020-6429: Use after free in audio. * High CVE-2019-20503: Out of bounds read in usersctplib. * High CVE-2020-6449: Use after free in audio. * Various fixes from internal audits, fuzzing and other initiatives * Sat Mar 14 2020 Tomáš Chvátal <tchvatal@suse.com> - Do not pull in python deps except interpreter, the bundles are patched anwyays * Thu Mar 05 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.132 bsc#1165826: * CVE-2020-6420: Insufficient policy enforcement in media. * Various fixes from internal audits, fuzzing and other initiatives [2]. * Tue Mar 03 2020 Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to fix pulse audio issues with webrtc: * webrtc-pulse.patch * Tue Feb 25 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.122 bsc#1164828: * CVE-2020-6418: Type confusion in V8 * CVE-2020-6407: Out of bounds memory access in streams. * Integer overflow in ICU * Mon Feb 17 2020 Tomáš Chvátal <tchvatal@suse.com> - Add chromedriver binary to bindir * Thu Feb 13 2020 Tomáš Chvátal <tchvatal@suse.com> - Drop sandbox binary as it should not be needed really bsc#1163588 - Remove unused patch: * chromium-sandbox-pie.patch * Wed Feb 12 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.100 bsc#1163484: * feature fixes only * Wed Feb 05 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.87 bsc#1162833: * CVE-2020-6381: Integer overflow in JavaScript * CVE-2020-6382: Type Confusion in JavaScript * CVE-2019-18197: Multiple vulnerabilities in XML * CVE-2019-19926: Inappropriate implementation in SQLite * CVE-2020-6385: Insufficient policy enforcement in storage * CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite * CVE-2020-6387: Out of bounds write in WebRTC * CVE-2020-6388: Out of bounds memory access in WebAudio * CVE-2020-6389: Out of bounds write in WebRTC * CVE-2020-6390: Out of bounds memory access in streams * CVE-2020-6391: Insufficient validation of untrusted input in Blink * CVE-2020-6392: Insufficient policy enforcement in extensions * CVE-2020-6393: Insufficient policy enforcement in Blink * CVE-2020-6394: Insufficient policy enforcement in Blink * CVE-2020-6395: Out of bounds read in JavaScript * CVE-2020-6396: Inappropriate implementation in Skia * CVE-2020-6397: Incorrect security UI in sharing * CVE-2020-6398: Uninitialized use in PDFium * CVE-2020-6399: Insufficient policy enforcement in AppCache * CVE-2020-6400: Inappropriate implementation in CORS * CVE-2020-6401: Insufficient validation of untrusted input in Omnibox * CVE-2020-6402: Insufficient policy enforcement in downloads * CVE-2020-6403: Incorrect security UI in Omnibox * CVE-2020-6404: Inappropriate implementation in Blink * CVE-2020-6405: Out of bounds read in SQLite * CVE-2020-6406: Use after free in audio * CVE-2019-19923: Out of bounds memory access in SQLite * CVE-2020-6408: Insufficient policy enforcement in CORS * CVE-2020-6409: Inappropriate implementation in Omnibox * CVE-2020-6410: Insufficient policy enforcement in navigation * CVE-2020-6411: Insufficient validation of untrusted input in Omnibox * CVE-2020-6412: Insufficient validation of untrusted input in Omnibox * CVE-2020-6413: Inappropriate implementation in Blink * CVE-2020-6414: Insufficient policy enforcement in Safe Browsing * CVE-2020-6415: Inappropriate implementation in JavaScript * CVE-2020-6416: Insufficient data validation in streams * CVE-2020-6417: Inappropriate implementation in installer - Disable lto for now as it consumes >16GB ram - Added patches: * chromium-80-gcc-abstract.patch * chromium-80-gcc-blink.patch * chromium-80-gcc-incomplete-type.patch * chromium-80-gcc-permissive.patch * chromium-80-gcc-quiche.patch * chromium-80-include.patch * chromium-80-unbundle-libxml.patch * chromium-80.0.3987.87.tar.xz * chromium-fix-char_traits.patch * gpu-timeout.patch - Removed patches: * chromium-79-gcc-ambiguous-nodestructor.patch * chromium-79-gcc-name-clash.patch * chromium-79-gcc-permissive.patch * chromium-79-icu-65.patch * chromium-79-include.patch * chromium-79-system-hb.patch - Rebased patches: * chromium-old-glibc-noexcept.patch * chromium-vaapi-fix.patch * chromium-vaapi.patch * Sat Jan 18 2020 Andreas Stieger <andreas.stieger@gmx.de> - Update to 79.0.3945.130 boo#1161252: * CVE-2020-6378: Use-after-free in speech recognizer * CVE-2020-6379: Use-after-free in speech recognizer * CVE-2020-6380: Extension message verification error * Various fixes from internal audits, fuzzing and other initiatives * Wed Jan 08 2020 Tomáš Chvátal <tchvatal@suse.com> - Update to 79.0.3945.117 bsc#1160337: * CVE-2020-6377: Use after free in audio * Various fixes from internal audits, fuzzing and other initiatives * Mon Dec 30 2019 Stefan Brüns <stefan.bruens@rwth-aachen.de> - Drop obsolete liboil BuildRequires. * Thu Dec 19 2019 Andreas Stieger <andreas.stieger@gmx.de> - update to 79.0.3945.88: * CVE-2019-13767: Use after free in media picker (boo#1159498) * Wed Dec 11 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 79.0.3945.79: * CVE-2019-13725: Use after free in Bluetooth * CVE-2019-13726: Heap buffer overflow in password manager * CVE-2019-13727: Insufficient policy enforcement in WebSockets * CVE-2019-13728: Out of bounds write in V8 * CVE-2019-13729: Use after free in WebSockets * CVE-2019-13730: Type Confusion in V8 * CVE-2019-13732: Use after free in WebAudio * CVE-2019-13734: Out of bounds write in SQLite * CVE-2019-13735: Out of bounds write in V8 * CVE-2019-13764: Type Confusion in V8 * CVE-2019-13736: Integer overflow in PDFium * CVE-2019-13737: Insufficient policy enforcement in autocomplete * CVE-2019-13738: Insufficient policy enforcement in navigation * CVE-2019-13739: Incorrect security UI in Omnibox * CVE-2019-13740: Incorrect security UI in sharing * CVE-2019-13741: Insufficient validation of untrusted input in Blink * CVE-2019-13742: Incorrect security UI in Omnibox * CVE-2019-13743: Incorrect security UI in external protocol handling * CVE-2019-13744: Insufficient policy enforcement in cookies * CVE-2019-13745: Insufficient policy enforcement in audio * CVE-2019-13746: Insufficient policy enforcement in Omnibox * CVE-2019-13747: Uninitialized Use in rendering * CVE-2019-13748: Insufficient policy enforcement in developer tools * CVE-2019-13749: Incorrect security UI in Omnibox * CVE-2019-13750: Insufficient data validation in SQLite * CVE-2019-13751: Uninitialized Use in SQLite * CVE-2019-13752: Out of bounds read in SQLite * CVE-2019-13753: Out of bounds read in SQLite * CVE-2019-13754: Insufficient policy enforcement in extensions * CVE-2019-13755: Insufficient policy enforcement in extensions * CVE-2019-13756: Incorrect security UI in printing * CVE-2019-13757: Incorrect security UI in Omnibox * CVE-2019-13758: Insufficient policy enforcement in navigation * CVE-2019-13759: Incorrect security UI in interstitials * CVE-2019-13761: Incorrect security UI in Omnibox * CVE-2019-13762: Insufficient policy enforcement in downloads * CVE-2019-13763: Insufficient policy enforcement in payments - Remove merged patches: * chromium-77-clang.patch * chromium-78-gcc-enum-range.patch * chromium-78-gcc-noexcept.patch * chromium-78-gcc-std-vector.patch * chromium-78-icon.patch * chromium-78-include.patch * chromium-78-noexcept.patch * chromium-78-pm-crash.patch * chromium-78-protobuf-export.patch - Add new patches: * chromium-79-gcc-alignas.patch * chromium-79-gcc-ambiguous-nodestructor.patch * chromium-79-gcc-name-clash.patch * chromium-79-gcc-permissive.patch * chromium-79-include.patch * chromium-79-system-hb.patch - Rebase patches: * chromium-dma-buf.patch * chromium-old-glibc-noexcept.patch * chromium-vaapi-fix.patch * fix_building_widevinecdm_with_chromium.patch * old-libva.patch * Wed Nov 20 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 78.0.3904.108 bsc#1157269: * CVE-2019-13723: Use-after-free in Bluetooth * CVE-2019-13724: Out-of-bounds access in Bluetooth * Various fixes from internal audits, fuzzing and other initiatives * Mon Nov 18 2019 Guillaume GARDET <guillaume.gardet@opensuse.org> - Fix build on aarch64 with: * chromium-79-icu-65.patch * Fri Nov 08 2019 Andreas Stieger <andreas.stieger@gmx.de> - Update to 78.0.3904.97 boo#1156172: * Various security fixes from internal audits, fuzzing and other initiatives * Wed Nov 06 2019 Tomáš Chvátal <tchvatal@suse.com> - Keep just one conditional for vaapi enablement * Mon Nov 04 2019 Tomáš Chvátal <tchvatal@suse.com> - Add more magic for zlib handling for SLE12 build * Mon Nov 04 2019 Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to build on SLE12: * chromium-old-glibc-noexcept.patch * Fri Nov 01 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 78.0.3904.87 bsc#1155643: * CVE-2019-13721: Use-after-free in PDFium * CVE-2019-13720: Use-after-free in audio * Wed Oct 30 2019 Martin Liška <mliska@suse.cz> - Enable LTO again with disabled parallel LTO WPA streaming. * Fri Oct 25 2019 Tomáš Chvátal <tchvatal@suse.com> - Disable LTO for now as it consumes ~20GB of RAM, we will reenable the feature later when some memory consumption fixes land in GCC * Thu Oct 24 2019 Tomáš Chvátal <tchvatal@suse.com> - Adjust LDFLAGS settings for LTO to take memory-constraints into consideration * Wed Oct 23 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 78.0.3904.70 bsc#1154806: * CVE-2019-13699: Use-after-free in media * CVE-2019-13700: Buffer overrun in Blink * CVE-2019-13701: URL spoof in navigation * CVE-2019-13702: Privilege elevation in Installer * CVE-2019-13703: URL bar spoofing * CVE-2019-13704: CSP bypass * CVE-2019-13705: Extension permission bypass * CVE-2019-13706: Out-of-bounds read in PDFium * CVE-2019-13707: File storage disclosure * CVE-2019-13708: HTTP authentication spoof * CVE-2019-13709: File download protection bypass * CVE-2019-13710: File download protection bypass * CVE-2019-13711: Cross-context information leak * CVE-2019-15903: Buffer overflow in expat * CVE-2019-13713: Cross-origin data leak * CVE-2019-13714: CSS injection * CVE-2019-13715: Address bar spoofing * CVE-2019-13716: Service worker state error * CVE-2019-13717: Notification obscured * CVE-2019-13718: IDN spoof * CVE-2019-13719: Notification obscured * Various fixes from internal audits, fuzzing and other initiatives - Add patches: * chromium-78-gcc-enum-range.patch * chromium-78-gcc-noexcept.patch * chromium-78-gcc-std-vector.patch * chromium-78-icon.patch * chromium-78-include.patch * chromium-78-noexcept.patch * chromium-78-pm-crash.patch * chromium-78-protobuf-export.patch - Remove patches: * chromium-77-blink-include.patch * chromium-77-fix-gn-gen.patch * chromium-77-gcc-abstract.patch * chromium-77-gcc-include.patch * chromium-77-gcc-no-opt-safe-math.patch * chromium-77-no-cups.patch * chromium-77-std-string.patch * chromium-77-system-hb.patch * chromium-77.0.3865.120.tar.xz * chromium-77.0.3865.75-certificate-transparency.patch - Rebase patches: * chromium-system-icu.patch * chromium-unbundle-zlib.patch * chromium-vaapi-fix.patch * chromium-vaapi.patch * old-libva.patch At revision 0ad55cb9e188d5926db26003b443eec9. * Fri Oct 18 2019 Stasiek Michalski <hellcp@mailbox.org> - Use internal resources for icon and appdata * Fri Oct 11 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 77.0.3865.120 bsc#1153660: * CVE-2019-13693: Use-after-free in IndexedDB * CVE-2019-13694: Use-after-free in WebRTC * CVE-2019-13695: Use-after-free in audio * CVE-2019-13696: Use-after-free in V8 * CVE-2019-13697: Cross-origin size leak. * Various fixes from internal audits, fuzzing and other initiatives * Thu Sep 19 2019 Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> - Added patch chromium-vaapi-fix.patch again to fix boo#1146219 * Wed Sep 18 2019 Andreas Stieger <andreas.stieger@gmx.de> - update to chromium 77.0.3865.90 boo#1151229: * CVE-2019-13685: Use-after-free in UI * CVE-2019-13688: Use-after-free in media * CVE-2019-13687: Use-after-free in media * CVE-2019-13686: Use-after-free in offline pages * Mon Sep 16 2019 Tomáš Chvátal <tchvatal@suse.com> - Add patch from Fedora for cert transparency: * chromium-77.0.3865.75-certificate-transparency.patch * Mon Sep 16 2019 Tomáš Chvátal <tchvatal@suse.com> - Add patches from gentoo: * chromium-77-clang.patch * chromium-77-gcc-no-opt-safe-math.patch * chromium-77-no-cups.patch * chromium-77-std-string.patch * Thu Sep 12 2019 Tomáš Chvátal <tchvatal@suse.com> - Update patch old-libva.patch to build on openSUSE Leap 15.0 * Thu Sep 12 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to chromium 77.0.3865.75 bsc#1150425: * CVE-2019-5870: Use-after-free in media * CVE-2019-5871: Heap overflow in Skia * CVE-2019-5872: Use-after-free in Mojo * CVE-2019-5874: External URIs may trigger other browsers * CVE-2019-5875: URL bar spoof via download redirect * CVE-2019-5876: Use-after-free in media * CVE-2019-5877: Out-of-bounds access in V8 * CVE-2019-5878: Use-after-free in V8 * CVE-2019-5879: Extension can bypass same origin policy * CVE-2019-5880: SameSite cookie bypass * CVE-2019-5881: Arbitrary read in SwiftShader * CVE-2019-13659: URL spoof * CVE-2019-13660: Full screen notification overlap * CVE-2019-13661: Full screen notification spoof * CVE-2019-13662: CSP bypass * CVE-2019-13663: IDN spoof * CVE-2019-13664: CSRF bypass * CVE-2019-13665: Multiple file download protection bypass * CVE-2019-13666: Side channel using storage size estimate * CVE-2019-13667: URI bar spoof when using external app URIs * CVE-2019-13668: Global window leak via console * CVE-2019-13669: HTTP authentication spoof * CVE-2019-13670: V8 memory corruption in regex * CVE-2019-13671: Dialog box fails to show origin * CVE-2019-13673: Cross-origin information leak using devtools * CVE-2019-13674: IDN spoofing * CVE-2019-13675: Extensions can be disabled by trailing slash * CVE-2019-13676: Google URI shown for certificate warning * CVE-2019-13677: Chrome web store origin needs to be isolated * CVE-2019-13678: Download dialog spoofing * CVE-2019-13679: User gesture needed for printing * CVE-2019-13680: IP address spoofing to servers * CVE-2019-13681: Bypass on download restrictions * CVE-2019-13682: Site isolation bypass * CVE-2019-13683: Exceptions leaked by devtools - Added patches: * chromium-77-blink-include.patch * chromium-77-fix-gn-gen.patch * chromium-77-gcc-abstract.patch * chromium-77-gcc-include.patch * chromium-77-system-hb.patch * chromium-unbundle-zlib.patch - Removed merged patches: * chromium-76-gcc-ambiguous-nodestructor.patch * chromium-76-gcc-blink-constexpr.patch * chromium-76-gcc-blink-namespace1.patch * chromium-76-gcc-blink-namespace2.patch * chromium-76-gcc-gl-init.patch * chromium-76-gcc-include.patch * chromium-76-gcc-noexcept.patch * chromium-76-gcc-private.patch * chromium-76-gcc-pure-virtual.patch * chromium-76-gcc-uint32.patch * chromium-76-gcc-vulkan.patch * chromium-76-quiche.patch * chromium-angle-inline.patch * chromium-fix-char_traits.patch * chromium-skia-aarch64-buildfix.patch * chromium-vaapi-fix.patch * gcc-lto-rsp-clobber.patch - Refreshed patches: * chromium-prop-codecs.patch * chromium-system-icu.patch * chromium-vaapi.patch * old-libva.patch * Tue Sep 03 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 76.0.3809.132 bsc#1149143 CVE-2019-5869: * CVE-2019-5869: Use-after-free in Blink * Various fixes from internal audits, fuzzing and other initiatives - Refresh patch chromium-76-gcc-ambiguous-nodestructor.patch * Mon Aug 19 2019 Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> - Added patch chromium-vaapi-fix.patch to fix boo#1146219 * Mon Aug 12 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 76.0.3809.100 bsc#1145242: * CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction * CVE-2019-5867: Out-of-bounds read in V8 * Thu Aug 08 2019 Tomáš Chvátal <tchvatal@suse.com> - Add patches to fix few compilation issues: * chromium-angle-inline.patch * chromium-fix-char_traits.patch bsc#1144625 - Remove not properly applying old-glibc patch: * chromium-old-glibc.patch - Disable various gcc warnings as upstream does not care and it just bloats the buildlog (from debian) * Fri Aug 02 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 76.0.3809.87 bsc#1143492: * CVE-2019-5850: Use-after-free in offline page fetcher * CVE-2019-5860: Use-after-free in PDFium * CVE-2019-5853: Memory corruption in regexp length check * CVE-2019-5851: Use-after-poison in offline audio context * CVE-2019-5859: res: URIs can load alternative browsers * CVE-2019-5856: Insufficient checks on filesystem: URI permissions * CVE-2019-5855: Integer overflow in PDFium * CVE-2019-5865: Site isolation bypass from compromised renderer * CVE-2019-5858: Insufficient filtering of Open URL service parameters * CVE-2019-5864: Insufficient port filtering in CORS for extensions * CVE-2019-5862: AppCache not robust to compromised renderers * CVE-2019-5861: Click location incorrectly checked * CVE-2019-5857: Comparison of -0 and null yields crash * CVE-2019-5854: Integer overflow in PDFium text rendering * CVE-2019-5852: Object leak of utility functions * Various fixes from internal audits, fuzzing and other initiatives * Not affected: + CVE-2019-5863: Use-after-free in WebUSB on Windows - Added patches: * chromium-76-gcc-ambiguous-nodestructor.patch * chromium-76-gcc-blink-constexpr.patch * chromium-76-gcc-blink-namespace1.patch * chromium-76-gcc-blink-namespace2.patch * chromium-76-gcc-gl-init.patch * chromium-76-gcc-include.patch * chromium-76-gcc-noexcept.patch * chromium-76-gcc-private.patch * chromium-76-gcc-pure-virtual.patch * chromium-76-gcc-uint32.patch * chromium-76-gcc-vulkan.patch * chromium-76-quiche.patch - Removed patches: * chromium-non-void-return.patch * chromium-75.0.3770.80-SIOCGSTAMP.patch * chromium-75.0.3770.80-pure-virtual-crash-fix.patch * chromium-gcc.patch * chromium-renderprocess-crash.patch * chromium-skia-system-fontconfig.patch - Refreshed patches: * chromium-dma-buf.patch * chromium-drm.patch * chromium-libusb_interrupt_event_handler.patch * chromium-skia-aarch64-buildfix.patch * chromium-system-icu.patch * chromium-vaapi.patch * old-libva.patch * Tue Jul 30 2019 Tomáš Chvátal <tchvatal@suse.com> - Do not use lto flags from prjconf, we need to set them using gn buildsystem * Tue Jul 30 2019 Tomáš Chvátal <tchvatal@suse.com> - Drop patch chromium-non-void-return.patch and just pass a cxxflags disabler for the check * Wed Jul 17 2019 Tomáš Chvátal <tchvatal@suse.com> - Update gcc-enable-lto.patch to work on systems without the lto * Tue Jul 16 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.142 bsc#1141649: * CVE-2019-5847: V8 sealed/frozen elements cause crash * CVE-2019-5848: Font sizes may expose sensitive information - Add patch chromium-renderprocess-crash.patch to hopefully fix bsc#1141102 * Tue Jul 02 2019 Martin Liška <mliska@suse.cz> - Enable LTO for x86_64 - add gcc-enable-lto.patch and gcc-lto-rsp-clobber.patch patches. * Tue Jul 02 2019 Tomáš Chvátal <tchvatal@suse.com> - Install manpage * Wed Jun 19 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.100: * This is just feature fixes update * Fri Jun 14 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.90 bsc#1137332 bsc#1138287: * CVE-2019-5842: Use-after-free in Blink. * Tue Jun 11 2019 Tomáš Chvátal <tchvatal@suse.com> - Fix build with kernel 5.2 and avoid runtime crash due to pure virtual declaration: * chromium-75.0.3770.80-SIOCGSTAMP.patch * chromium-75.0.3770.80-pure-virtual-crash-fix.patch * Sat Jun 08 2019 Tomáš Chvátal <tchvatal@suse.com> - Update old-libva.patch to make sure we build on Leap 42.3 * Fri Jun 07 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.80 bsc#1137332: * CVE-2019-5828: Use after free in ServiceWorker * CVE-2019-5829: Use after free in Download Manager * CVE-2019-5830: Incorrectly credentialed requests in CORS * CVE-2019-5831: Incorrect map processing in V8 * CVE-2019-5832: Incorrect CORS handling in XHR * CVE-2019-5833: Inconsistent security UI placemen * CVE-2019-5835: Out of bounds read in Swiftshader * CVE-2019-5836: Heap buffer overflow in Angle * CVE-2019-5837: Cross-origin resources size disclosure in Appcache * CVE-2019-5838: Overly permissive tab access in Extensions * CVE-2019-5839: Incorrect handling of certain code points in Blink * CVE-2019-5840: Popup blocker bypass * Various fixes from internal audits, fuzzing and other initiatives * CVE-2019-5834: URL spoof in Omnibox on iOS - Remove merged patchsets: * 00-basevalue.patch * 01-basevalue.patch * 02-basevalue.patch * 03-basevalue.patch * 04-basevalue.patch * 05-basevalue.patch * 06-basevalue.patch * chromium-fix-crc32-for-aarch64.patch * quic.patch - Update patches: * chromium-gcc.patch * chromium-non-void-return.patch * chromium-vaapi.patch * old-libva.patch * Tue May 28 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 74.0.3729.169: * Feature fixes update only * Sun May 19 2019 Andreas Stieger <andreas.stieger@gmx.de> - Update to 74.0.3729.157: * Various security fixes from internal audits, fuzzing and other initiatives - includes security fixes from 74.0.3729.131 (boo#1134218): * CVE-2019-5827: Out-of-bounds access in SQLite * CVE-2019-5824: Parameter passing error in media player * Tue May 07 2019 Guillaume GARDET <guillaume.gardet@opensuse.org> - Add patch to fix build on aarch64: * chromium-fix-crc32-for-aarch64.patch * Tue Apr 30 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 74.0.3729.108 bsc#1133313: * CVE-2019-5805: Use after free in PDFium * CVE-2019-5806: Integer overflow in Angle * CVE-2019-5807: Memory corruption in V8 * CVE-2019-5808: Use after free in Blink * CVE-2019-5809: Use after free in Blink * CVE-2019-5810: User information disclosure in Autofill * CVE-2019-5811: CORS bypass in Blink * CVE-2019-5813: Out of bounds read in V8 * CVE-2019-5814: CORS bypass in Blink * CVE-2019-5815: Heap buffer overflow in Blink * CVE-2019-5818: Uninitialized value in media reader * CVE-2019-5819: Incorrect escaping in developer tools * CVE-2019-5820: Integer overflow in PDFium * CVE-2019-5821: Integer overflow in PDFium * CVE-2019-5822: CORS bypass in download manager * CVE-2019-5823: Forced navigation from service worker * CVE-2019-5812: URL spoof in Omnibox on iOS * CVE-2019-5816: Exploit persistence extension on Android * CVE-2019-5817: Heap buffer overflow in Angle on Windows - Add patches: * 00-basevalue.patch * 01-basevalue.patch * 02-basevalue.patch * 03-basevalue.patch * 04-basevalue.patch * 05-basevalue.patch * 06-basevalue.patch * old-libva.patch * quic.patch - Remove patches: * chromium-73.0.3683.75-pipewire-cstring-fix.patch * chromium-fix_crashpad.patch * chromium-fix_swiftshader.patch * chromium-old-libva.patch - Rebase patches: * chromium-gcc.patch * chromium-non-void-return.patch * chromium-old-glibc.patch * Fri Apr 05 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 73.0.3686.103: * Various feature fixes * Mon Mar 25 2019 Tomáš Chvátal <tchvatal@suse.com> - Add patch for pipewire build: * chromium-73.0.3683.75-pipewire-cstring-fix.patch * Mon Mar 25 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 73.0.3683.86: * Just feature fixes around - Refresh patch: * chromium-non-void-return.patch * Thu Mar 21 2019 Tomáš Chvátal <tchvatal@suse.com> - Update conditions to use system harfbuzz on TW+ - Require java during build - Enable using pipewire when available - Rebase chromium-vaapi.patch to match up the Fedora one * Wed Mar 13 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 73.0.3683.75 bsc#1129059: * CVE-2019-5844 CVE-2019-5845 CVE-2019-5846 * CVE-2019-5787: Use after free in Canvas. * CVE-2019-5788: Use after free in FileAPI. * CVE-2019-5789: Use after free in WebMIDI. * CVE-2019-5790: Heap buffer overflow in V8. * CVE-2019-5791: Type confusion in V8. * CVE-2019-5792: Integer overflow in PDFium. * CVE-2019-5793: Excessive permissions for private API in Extensions. * CVE-2019-5794: Security UI spoofing. * CVE-2019-5795: Integer overflow in PDFium. * CVE-2019-5796: Race condition in Extensions. * CVE-2019-5797: Race condition in DOMStorage. * CVE-2019-5798: Out of bounds read in Skia. * CVE-2019-5799: CSP bypass with blob URL. * CVE-2019-5800: CSP bypass with blob URL. * CVE-2019-5801: Incorrect Omnibox display on iOS. * CVE-2019-5802: Security UI spoofing. * CVE-2019-5803: CSP bypass with Javascript URLs'. * CVE-2019-5804: Command line command injection on Windows. - Update patches: * chromium-buildname.patch * chromium-non-void-return.patch * chromium-old-glibc.patch * chromium-old-libva.patch * chromium-vaapi.patch - Removed patches: * chromium-crashpad-fix_aarch64.patch * chromium-webrtc-includes.patch - Added patches: * chromium-gcc.patch * chromium-fix_crashpad.patch * Mon Mar 04 2019 Tomáš Chvátal <tchvatal@suse.com> - Drop direct dependency on libgsm, we just need the devel * Sat Mar 02 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.121: * fixes bsc#1127602 CVE-2019-5786 * Mon Feb 25 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.119: * Feature fixes update only * Wed Feb 20 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.109 bsc#1120892 CVE-2018-20073: * This is just feature fixes update * Mon Feb 11 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.96 bsc#1124936: * CVE-2019-5784: Inappropriate implementation in V8 * Mon Feb 11 2019 Simon Lees <sflees@suse.de> - Provide web_browser so chromium can be installed instead of firefox. * Wed Jan 30 2019 Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.81 bsc#1123641: * CVE-2019-5754: Inappropriate implementation in QUIC Networking. Reported by Klzgrad on 2018-12-12 * CVE-2019-5782: Inappropriate implementation in V8. Reported by Qixun Zhao of Qihoo 360 Vulcan Team via Tianfu Cup on 2018-11-16 * CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya on 2018-12-10 * CVE-2019-5756: Use after free in PDFium. Reported by Anonymous on 2018-10-14 * CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15 * CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11 * CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin on 2018-12-05 * CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05 * CVE-2019-5761: Use after free in SwiftShader. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13 * CVE-2019-5762: Use after free in PDFium. Reported by Anonymous on 2018-10-31 * CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13 * CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09 * CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin (@bagipro) on 2019-01-16 * CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg on 2018-11-20 * CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06 * CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu on 2018-01-24 * CVE-2019-5769: Insufficient validation of untrusted input in Blink. Reported by Guy Eshel on 2018-12-11 * CVE-2019-5770: Heap buffer overflow in WebGL. Reported by hemidallt@ on 2018-11-27 * CVE-2019-5771: Heap buffer overflow in SwiftShader. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12 * CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26 * CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2018-12-24 * CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by Junghwan Kang (ultract) and Juno Im on 2018-11-11 * CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18 * CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang on 2018-07-14 * CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani on 2018-06-04 * CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg on 2019-01-02 * CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg on 2018-11-11 * CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03 * CVE-2019-5781: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18 - Added patches: * chromium-crashpad-fix_aarch64.patch * chromium-fix_swiftshader.patch * chromium-webrtc-includes.patch - Obsoleted patches: * chromium-gcc8-alignof.patch * chromium-initialize-list.patch - Updated patches: * chromium-dma-buf.patch * chromium-non-void-return.patch * chromium-skia-system-fontconfig.patch * chromium-system-icu.patch * chromium-vaapi.patch - Try to reduce constraints to avoid being so much just in scheduled state * Wed Jan 02 2019 Tomáš Chvátal <tchvatal@suse.com> - Tweak fix_building_widevinecdm_with_chromium.patch to make it work again bsc#1120429 * Fri Dec 14 2018 Guillaume GARDET <guillaume.gardet@opensuse.org> - Update %arm build, but keep it disabled for now, as ld requires lots of RAM * Thu Dec 13 2018 Tomáš Chvátal <tchvatal@suse.com> - Version update to 71.0.3578.98 bsc#1119364: * CVE-2018-17481: Use after free in PDFium - Redo chromium-old-libva.patch * Fri Dec 07 2018 Guillaume GARDET <guillaume.gardet@opensuse.org> - Increase %limit_build value to avoid OOM * Thu Dec 06 2018 Tomáš Chvátal <tchvatal@suse.com> - Add patch to build on Leap 42.x: * chromium-old-libva.patch * Thu Dec 06 2018 Tomáš Chvátal <tchvatal@suse.com> - Version update to 71.0.3578.80 bsc#1118529: - CVE-2018-17480: Out of bounds write in V8 - CVE-2018-17481: Use after frees in PDFium - CVE-2018-18335: Heap buffer overflow in Skia - CVE-2018-18336: Use after free in PDFium - CVE-2018-18337: Use after free in Blink - CVE-2018-18338: Heap buffer overflow in Canvas - CVE-2018-18339: Use after free in WebAudio - CVE-2018-18340: Use after free in MediaRecorder - CVE-2018-18341: Heap buffer overflow in Blink - CVE-2018-18342: Out of bounds write in V8 - CVE-2018-18343: Use after free in Skia - CVE-2018-18344: Inappropriate implementation in Extensions - Multiple issues in SQLite via WebSQL - CVE-2018-18345: Inappropriate implementation in Site Isolation - CVE-2018-18346: Incorrect security UI in Blink - CVE-2018-18347: Inappropriate implementation in Navigation - CVE-2018-18348: Inappropriate implementation in Omnibox - CVE-2018-18349: Insufficient policy enforcement in Blink - CVE-2018-18350: Insufficient policy enforcement in Blink - CVE-2018-18351: Insufficient policy enforcement in Navigation - CVE-2018-18352: Inappropriate implementation in Media - CVE-2018-18353: Inappropriate implementation in Network Authentication - CVE-2018-18354: Insufficient data validation in Shell Integration - CVE-2018-18355: Insufficient policy enforcement in URL Formatter - CVE-2018-18356: Use after free in Skia - CVE-2018-18357: Insufficient policy enforcement in URL Formatter - CVE-2018-18358: Insufficient policy enforcement in Proxy. - CVE-2018-18359: Out of bounds read in V8 - Inappropriate implementation in PDFium - Use after free in Extensions - Inappropriate implementation in Navigation - Insufficient policy enforcement in Navigation - Insufficient policy enforcement in URL Formatter - Various fixes from internal audits, fuzzing and other initiatives - Updated/refreshed patches: * fix_building_widevinecdm_with_chromium.patch * chromium-vaapi.patch * chromium-skia-aarch64-buildfix.patch * chromium-prop-codecs.patch * chromium-non-void-return.patch - Removed patches: * chromium-gcc8-constexpr.patch * chromium-libva1.patch * chromium-pdfium-include.patch * chromium-warnings.patch - Added patches: * chromium-initialize-list.patch * Wed Nov 21 2018 Tomáš Chvátal <tchvatal@suse.com> - Version update to 70.0.3538.110 bsc#1116608: * CVE-2018-17479: Use-after-free in GPU * Wed Nov 14 2018 Tomáš Chvátal <tchvatal@suse.com> - Version update to 70.0.3538.102 bsc#1115537 CVE-2018-17478 * CVE-2018-17478: Out of bounds memory access in V8 * Sat Nov 03 2018 Yunhe Guo <i@guoyunhe.me> - Remove noto-emoji-fonts recommends. noto-emoji-fonts has been inactive for a long time. noto-coloremoji-fonts is the current recommended emoji fonts from noto. And noto-emoji-fonts (monochrome) disables noto-coloremoji-fonts (colorful). * Thu Oct 25 2018 Tomáš Chvátal <tchvatal@suse.com> - Update to 70.0.3538.77: * Few feature fixes only - Do not meintion armv6 and armv7 in the constraints - Update patch chromium-non-void-return.patch * Mon Oct 22 2018 Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to get the pkg to build with libva 1.x releases: * chromium-libva1.patch - Update chromium-old-glibc.patch to contain more tweaked locations * Fri Oct 19 2018 Tomáš Chvátal <tchvatal@suse.com> - Add back chromium-old-glibc.patch to make sure we build on 42.3 - Reduce the merge number on jumbo files to reduce memory usage bit * Fri Oct 19 2018 astieger@suse.com - remove trigger word from spec that trips up legal-auto * Wed Oct 17 2018 Tomáš Chvátal <tchvatal@suse.com> - Update to 70.0.3538.67 bsc#1112111: * CVE-2018-17462: Sandbox escape in AppCache * CVE-2018-17463: Remote code execution in V8 * CVE to be assigned: Heap buffer overflow in Little CMS in PDFium * CVE-2018-17464: URL spoof in Omnibox * CVE-2018-17465: Use after free in V8 * CVE-2018-17466: Memory corruption in Angle * CVE-2018-17467: URL spoof in Omnibox * CVE-2018-17468: Cross-origin URL disclosure in Blink * CVE-2018-17469: Heap buffer overflow in PDFium * CVE-2018-17470: Memory corruption in GPU Internals * CVE-2018-17471: Security UI occlusion in full screen mode * CVE-2018-17472: iframe sandbox escape on iOS * CVE-2018-17473: URL spoof in Omnibox * CVE-2018-17474: Use after free in Blink * CVE-2018-17475: URL spoof in Omnibox * CVE-2018-17476: Security UI occlusion in full screen mode * CVE-2018-5179: Lack of limits on update() in ServiceWorker * CVE-2018-17477: UI spoof in Extensions - Added patches: * chromium-gcc8-constexpr.patch * chromium-libusb_interrupt_event_handler.patch * chromium-pdfium-include.patch * chromium-system-libusb.patch - Removed patches: * chromium-old-glibc.patch * chromium-vpx-aarch64.patch - Updated patches: * chromium-gcc8-alignof.patch * chromium-non-void-return.patch * chromium-prop-codecs.patch * chromium-sandbox-pie.patch * chromium-skia-system-fontconfig.patch * chromium-vaapi.patch - Redo the vaapi patch to be default on as there are no reports of issues with it - Use system libusb-1.0 - Use jumbo build to speed things up - Use bundled harfbuzz because we need newer than latest release - Disable gnome-keyring as it crashes the chromium quite often * Tue Sep 18 2018 Tomáš Chvátal <tchvatal@suse.com> - Keep blank line after autopatch to make SLE12 rpm macros happy * Tue Sep 18 2018 Tomáš Chvátal <tchvatal@suse.com> - Update to 69.0.3497.100 bsc#1108774 * Fixes from internal audits, fuzzing and other initiatives * Wed Sep 12 2018 astieger@suse.com - Chromium 69.0.3497.92 (boo#1108114), containing 2 security fixes: * Function signature mismatch in WebAssembly * URL Spoofing in Omnibox - the rpm should not provide swiftshader libs boo#1108175 - make jumbo build configurable, default off * Sat Sep 08 2018 tchvatal@suse.com - Enable jumbo build to speed things up - Enable vulkan integration * Thu Sep 06 2018 tchvatal@suse.com - Add patch to fix mojo build on 32bit: * chromium-gcc8-alignof.patch * Thu Sep 06 2018 Tomáš Chvátal <tchvatal@suse.com> - Split out the gn from this package, obsoletes patches: * fix-gn-bootstrap.patch * chromium-last-commit-position-r0.patch * Thu Sep 06 2018 Tomáš Chvátal <tchvatal@suse.com> - Version update to 69.0.3497.81 bsc#1107235: * CVE-2018-16065: Out of bounds write in V8 * CVE-2018-16066:Out of bounds read in Blink * CVE-2018-16067: Out of bounds read in WebAudio * CVE-2018-16068: Out of bounds write in Mojo * CVE-2018-16069:Out of bounds read in SwiftShader * CVE-2018-16070: Integer overflow in Skia * CVE-2018-16071: Use after free in WebRTC * CVE-2018-16073: Site Isolation bypass after tab restore * CVE-2018-16074: Site Isolation bypass using Blob URLS * Out of bounds read in Little-CMS * CVE-2018-16075: Local file access in Blink * CVE-2018-16076: Out of bounds read in PDFium * CVE-2018-16077: Content security policy bypass in Blink * CVE-2018-16078: Credit card information leak in Autofill * CVE-2018-16079: URL spoof in permission dialogs * CVE-2018-16080: URL spoof in full screen mode * CVE-2018-16081: Local file access in DevTools * CVE-2018-16082: Stack buffer overflow in SwiftShader * CVE-2018-16083: Out of bounds read in WebRTC * CVE-2018-16084: User confirmation bypass in external protocol handling * CVE-2018-16085: Use after free in Memory Instrumentation * CVE-2018-16086: Script injection in New Tab Page. * CVE-2018-16087: Multiple download restriction bypass. * CVE-2018-16088: User gesture requirement bypass. - Added patches: * chromium-old-glibc.patch * chromium-system-icu.patch * chromium-warnings.patch - Removed patches: * chromium-cors-string.patch * chromium-crashpad-aarch64-fix.patch * chromium-ffmpeg.patch * chromium-gcc.patch * chromium-gcc7.patch * chromium-libjpeg.patch * chromium-libwebp-shim.patch - Rebased patches: * chromium-last-commit-position-r0.patch * chromium-non-void-return.patch * chromium-sandbox-pie.patch * chromium-skia-system-fontconfig.patch * chromium-vaapi.patch * Wed Aug 08 2018 tchvatal@suse.com - Update to chromium-68.0.3440.106: * Various feature fixes * Wed Aug 01 2018 tchvatal@suse.com - Version update to 68.0.3440.84: * Various small feature fixes only * Wed Jul 25 2018 guillaume.gardet@opensuse.org - Add patch to fix aarch64 build: * chromium-vpx-aarch64.patch * Wed Jul 25 2018 tchvatal@suse.com - Add patch trying to build chromium on Leap 42.3: * chromium-gcc7.patch * Wed Jul 25 2018 tchvatal@suse.com - Raise libvpx requirement to match what we really need * Wed Jul 25 2018 tchvatal@suse.com - Version update to 68.0.3440.75 bsc#1102530: * CVE-2018-6153: Stack buffer overflow in Skia. * CVE-2018-6154: Heap buffer overflow in WebGL. * CVE-2018-6155: Use after free in WebRTC. * CVE-2018-6156: Heap buffer overflow in WebRTC. * CVE-2018-6157: Type confusion in WebRTC. * CVE-2018-6158: Use after free in Blink. * CVE-2018-6159: Same origin policy bypass in ServiceWorker. * CVE-2018-6160: URL spoof in Chrome on iOS. * CVE-2018-6161: Same origin policy bypass in WebAudio. * CVE-2018-6162: Heap buffer overflow in WebGL. * CVE-2018-6163: URL spoof in Omnibox. * CVE-2018-6164: Same origin policy bypass in ServiceWorker. * CVE-2018-6165: URL spoof in Omnibox. * CVE-2018-6166: URL spoof in Omnibox. * CVE-2018-6167: URL spoof in Omnibox. * CVE-2018-6168: CORS bypass in Blink. * CVE-2018-6169: Permissions bypass in extension installation. * CVE-2018-6170: Type confusion in PDFium. * CVE-2018-6171: Use after free in WebBluetooth. * CVE-2018-6172: URL spoof in Omnibox. * CVE-2018-6173: URL spoof in Omnibox. * CVE-2018-6174: Integer overflow in SwiftShader. * CVE-2018-6175: URL spoof in Omnibox. * CVE-2018-6176: Local user privilege escalation in Extensions. * CVE-2018-6177: Cross origin information leak in Blink. * CVE-2018-6178: UI spoof in Extensions. * CVE-2018-6179: Local file information leak in Extensions. * CVE-2018-6044: Request privilege escalation in Extensions. * CVE-2018-4117: Cross origin information leak in Blink. - Rebase patches: * chromium-master-prefs-path.patch * chromium-non-void-return.patch * chromium-vaapi.patch - Add patches: * chromium-cors-string.patch * chromium-gcc.patch * chromium-libjpeg.patch * chromium-libwebp-shim.patch - Remove patches: * chromium-gcc8.patch * Tue Jul 10 2018 tchvatal@suse.com - Version update to 67.0.3396.99: * Various small feature fixes, no security * Fri Jun 15 2018 tchvatal@suse.com - Add patch to build under gcc8: * chromium-gcc8.patch * Wed Jun 13 2018 security@suse.com - Chromium 67.0.3396.87: * CVE-2018-6149: Out of bounds write in V8 (boo#1097452) * Thu Jun 07 2018 astieger@suse.com - Chromium 67.0.3396.79: * CVE-2018-6148: Incorrect handling of CSP header (boo#1096508) * Fri Jun 01 2018 tchvatal@suse.com - Require ffmpeg >= 4.0 bsc#1095545 * Wed May 30 2018 tchvatal@suse.com - Update to 67.0.3396.62 bsc#1095163 * CVE-2018-6123: Use after free in Blink. * CVE-2018-6124: Type confusion in Blink. * CVE-2018-6125: Overly permissive policy in WebUSB. * CVE-2018-6126: Heap buffer overflow in Skia. * CVE-2018-6127: Use after free in indexedDB. * CVE-2018-6128: uXSS in Chrome on iOS. * CVE-2018-6129: Out of bounds memory access in WebRTC. * CVE-2018-6130: Out of bounds memory access in WebRTC. * CVE-2018-6131: Incorrect mutability protection in WebAssembly. * CVE-2018-6132: Use of uninitialized memory in WebRTC. * CVE-2018-6133: URL spoof in Omnibox. * CVE-2018-6134: Referrer Policy bypass in Blink. * CVE-2018-6135: UI spoofing in Blink. * CVE-2018-6136: Out of bounds memory access in V8. * CVE-2018-6137: Leak of visited status of page in Blink. * CVE-2018-6138: Overly permissive policy in Extensions. * CVE-2018-6139: Restrictions bypass in the debugger extension API. * CVE-2018-6140: Restrictions bypass in the debugger extension API. * CVE-2018-6141: Heap buffer overflow in Skia. * CVE-2018-6142: Out of bounds memory access in V8. * CVE-2018-6143: Out of bounds memory access in V8. * CVE-2018-6144: Out of bounds memory access in PDFium. * CVE-2018-6145: Incorrect escaping of MathML in Blink. * CVE-2018-6147: Password fields not taking advantage of OS protections in Views. - Add patches to build on aarch and remove obsolete one: * chromium-crashpad-aarch64-fix.patch * chromium-skia-aarch64-buildfix.patch * chromium-65.0.3325.162-skia-aarch64-buildfix.patch * chromium-skia-neon.patch - Remove no longer needed gcc patch: * chromium-gcc7.patch - Rebase patches: * chromium-non-void-return.patch * chromium-vaapi.patch * exclude_ymp.patch * fix_building_widevinecdm_with_chromium.patch * Sat May 26 2018 astieger@suse.com - on SLE 12 with SUSE PackageHub 12, do not require the SDK for libwebpmux1 (bsc#1070421) * Sat May 26 2018 astieger@suse.com - Fix installation issue on SUSE PackageHub 12 with libminizip1 (bsc#1093031) * Wed May 16 2018 astieger@suse.com - Chromium 66.0.3359.181: * Autoplay: Force enable on desktop for Web Audio * Fri May 11 2018 astieger@suse.com - Chromium 66.0.3359.170 (bsc#1092923): * Chain leading to sandbox escape: CVE-2018-6121: Privilege Escalation in extensions CVE-2018-6122: Type confusion in V8 * CVE-2018-6120: Heap buffer overflow in PDFium * Various fixes from internal audits, fuzzing and other initiatives * Wed May 09 2018 tchvatal@suse.com - Add patch chromium-skia-system-fontconfig.patch to fix bsc#1092272 * Fri May 04 2018 guillaume.gardet@opensuse.org - Enable build on AArch64 - Fix build on AArch64: * set target_cpu to arm64 * disable tcmalloc and swiftshader for aarch64 * Add new patches: - chromium-65.0.3325.162-skia-aarch64-buildfix.patch - chromium-skia-neon.patch * Fri Apr 27 2018 tchvatal@suse.com - chromium 66.0.3359.139: * CVE-2018-6118: Use after free in Media Cache (bsc#1091288) * drop add-missing-blink-tools.patch, now in tarball again * Wed Apr 18 2018 tchvatal@suse.com - Version bump to chromium 66.0.3359.117 bsc#1090000: * CVE-2018-6085: Use after free in Disk Cache * CVE-2018-6086: Use after free in Disk Cache * CVE-2018-6087: Use after free in WebAssembly * CVE-2018-6088: Use after free in PDFium * CVE-2018-6089: Same origin policy bypass in Service Worker * CVE-2018-6090: Heap buffer overflow in Skia * CVE-2018-6091: Incorrect handling of plug-ins by Service Worker * CVE-2018-6092: Integer overflow in WebAssembly * CVE-2018-6093: Same origin bypass in Service Worker * CVE-2018-6094: Exploit hardening regression in Oilpan * CVE-2018-6095: Lack of meaningful user interaction requirement before file upload * CVE-2018-6096: Fullscreen UI spoof * CVE-2018-6097: Fullscreen UI spoof * CVE-2018-6098: URL spoof in Omnibox * CVE-2018-6099: CORS bypass in ServiceWorker * CVE-2018-6100: URL spoof in Omnibox * CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools * CVE-2018-6102: URL spoof in Omnibox * CVE-2018-6103: UI spoof in Permissions * CVE-2018-6104: URL spoof in Omnibox * CVE-2018-6105: URL spoof in Omnibox * CVE-2018-6106: Incorrect handling of promises in V8 * CVE-2018-6107: URL spoof in Omnibox * CVE-2018-6108: URL spoof in Omnibox * CVE-2018-6109: Incorrect handling of files by FileAPI * CVE-2018-6110: Incorrect handling of plaintext files via file:// * CVE-2018-6111: Heap-use-after-free in DevTools * CVE-2018-6112: Incorrect URL handling in DevTools * CVE-2018-6113: URL spoof in Navigation * CVE-2018-6114: CSP bypass * CVE-2018-6115: SmartScreen bypass in downloads * CVE-2018-6116: Incorrect low memory handling in WebAssembly * CVE-2018-6117: Confusing autofill settings * Various fixes from internal audits, fuzzing and other initiatives - Remove obsolete patches: * chromium-compiler.patch * chromium-glibc-2.27.patch * chromium-vaapi-init.patch * exclude_ymp.diff * fix-gn-bootstrap.diff * fix_network_api_crash.patch * mojo.patch - Add new patches: * chromium-ffmpeg.patch * chromium-gcc7.patch * exclude_ymp.patch * fix-gn-bootstrap.patch - Rebase patches: * chromium-master-prefs-path.patch * chromium-non-void-return.patch * chromium-sandbox-pie.patch * chromium-vaapi.patch - Add patch to fix missing folder from tarball: * add-missing-blink-tools.patch * Sun Apr 08 2018 tchvatal@suse.com - Add vaapi patches: * chromium-vaapi-init.patch * chromium-vaapi.patch * Fri Apr 06 2018 tchvatal@suse.com - Use memory-constraints package to limit threads as needed * Wed Mar 21 2018 astieger@suse.com - Update to Chromium 65.0.3325.181: * Various security relevant fixes from internal audits, fuzzing and other initiatives (boo#1086124) * Tue Mar 20 2018 tchvatal@suse.com - Use both freetype and harfbuzz either bundled or system * Wed Mar 14 2018 tchvatal@suse.com - Version update to 65.0.3325.162: * Various stability fixes only * Wed Mar 14 2018 tchvatal@suse.com - Bundle the harfbuzz on < 15.0 release as we would have to use requires_ge for the library itself later on otherwise * Fri Mar 09 2018 tchvatal@suse.com - Make sure to require gcc7 - Add patch chromium-drm.patch to make sure to build with Leap 42.3 variant of libdrm * Thu Mar 08 2018 tchvatal@suse.com - Version update to 65.0.3325.146 bsc#1084296: * High CVE-2017-11215: Use after free in Flash. * High CVE-2017-11225: Use after free in Flash. * High CVE-2018-6060: Use after free in Blink. * High CVE-2018-6061: Race condition in V8. * High CVE-2018-6062: Heap buffer overflow in Skia. * High CVE-2018-6057: Incorrect permissions on shared memory. * High CVE-2018-6063: Incorrect permissions on shared memory. * High CVE-2018-6064: Type confusion in V8. * High CVE-2018-6065: Integer overflow in V8. * Medium CVE-2018-6066: Same Origin Bypass via canvas. * Medium CVE-2018-6067: Buffer overflow in Skia. * Medium CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. * Medium CVE-2018-6069: Stack buffer overflow in Skia. * Medium CVE-2018-6070: CSP bypass through extensions. * Medium CVE-2018-6071: Heap bufffer overflow in Skia. * Medium CVE-2018-6072: Integer overflow in PDFium. * Medium CVE-2018-6073: Heap bufffer overflow in WebGL. * Medium CVE-2018-6074: Mark-of-the-Web bypass. * Medium CVE-2018-6075: Overly permissive cross origin downloads. * Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. * Medium CVE-2018-6077: Timing attack using SVG filters. * Medium CVE-2018-6078: URL Spoof in OmniBox. * Medium CVE-2018-6079: Information disclosure via texture data in WebGL. * Medium CVE-2018-6080: Information disclosure in IPC call. * Low CVE-2018-6081: XSS in interstitials. * Low CVE-2018-6082: Circumvention of port blocking. * Low CVE-2018-6083: Incorrect processing of AppManifests. - Add new patches: * chromium-compiler.patch * chromium-glibc-2.27.patch * mojo.patch - Drop patches: * chromium-angle.patch * chromium-memcpy.patch - Update constraints - Refresh patch chromium-non-void-return.patch to include more fixes * Sat Feb 24 2018 astieger@suse.com - Chromium 64.0.3282.186: * Various minor bug fixes * Wed Feb 14 2018 astieger@suse.com - update to 64.0.3282.167 (bsc#1080920): * CVE-2018-6056: Incorrect derived class instantiation in V8 * Fri Feb 02 2018 tchvatal@suse.com - Version update to 64.0.3282.140 bsc#1079021: * Various asan fixes bsc#1078463 CVE-2018-6406 * Fri Feb 02 2018 dimstar@opensuse.org - Eliminate build dependency on procps: we only used it to run 'free', in order to find out how much RAM we have available. We can get this information directly from the kernel, from /proc/meminfo. * Mon Jan 29 2018 tchvatal@suse.com - Fix default page to not point to 404 * Mon Jan 29 2018 tchvatal@suse.com - Install swiftshader objects too as they are needed * Fri Jan 26 2018 tchvatal@suse.com - Disable ozone stuff conditions for now as the headless mode breaks up runtime bsc#1077722 * Thu Jan 25 2018 tchvatal@suse.com - Switch to gcc7 on Leap builds * Thu Jan 25 2018 tchvatal@suse.com - Version update to 64.0.3282.119 bsc#1077571: * High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01 * High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20 * High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09 * Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12 * Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23 * Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK's National Cyber Security Centre (NCSC) on 2017-11-30 * Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09 * Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12 * Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17 * Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26 * Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29 * Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12 * Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16 * Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23 * Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31 * Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08 * Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08 * Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05 * Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13 * Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15 * Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11 * Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28 * Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23 * Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24 - Add patches: * chromium-angle.patch * chromium-memcpy.patch - Drop patch: * chromium-gcc.patch - Change desktop file name to fit bellow the icon on ie KDE desktop * Thu Jan 04 2018 astieger@suse.com - Chromium 63.0.3239.132: * DevTools: do not report raw headers and cookies for protected subresources * Various other fixes and updates * Fri Dec 15 2017 tchvatal@suse.com - Version update to 63.0.3239.108 bsc#1072976: * CVE-2017-15429: UXSS in V8 * Various fuzzing fixes * Thu Dec 07 2017 tchvatal@suse.com - Version update to 63.0.3239.84 bsc#1071691: * bsc#1106341 CVE-2017-15430 Unsafe navigation in Chromecast * Critical CVE-2017-15407: Out of bounds write in QUIC. * High CVE-2017-15408: Heap buffer overflow in PDFium. * High CVE-2017-15409: Out of bounds write in Skia. * High CVE-2017-15410: Use after free in PDFium. * High CVE-2017-15411: Use after free in PDFium. * High CVE-2017-15412: Use after free in libXML. * High CVE-2017-15413: Type confusion in WebAssembly. * Medium CVE-2017-15415: Pointer information disclosure in IPC call. * Medium CVE-2017-15416: Out of bounds read in Blink. * Medium CVE-2017-15417: Cross origin information disclosure in Skia. * Medium CVE-2017-15418: Use of uninitialized value in Skia. * Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. * Medium CVE-2017-15420: URL spoofing in Omnibox. * Medium CVE-2017-15422: Integer overflow in ICU. * Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. * Low CVE-2017-15424: URL Spoof in Omnibox. * Low CVE-2017-15425: URL Spoof in Omnibox. * Low CVE-2017-15426: URL Spoof in Omnibox. * Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. - Rebase fix-gn-bootstrap.diff - Drop merged patches: * chromium-gcc5.patch * chromium-60.0.3112.113-breakpad-ucontext.patch * chromium-62.0.3202.62-correct-cplusplus-check.patch - Add new patches: * chromium-non-void-return.patch * chromium-gcc.patch * Wed Nov 22 2017 idonmez@suse.com - BuildRequire nodejs8 instead of nodejs6 for suse_version >= 1330 * Wed Nov 15 2017 astieger@suse.com - Update to 62.0.3202.94: * multiple minor rendering related fixes - fix rebuilds in same chroot * Tue Nov 07 2017 tchvatal@suse.com - Version update to 62.0.3202.89 bsc#1066851: * CVE-2017-15398: Stack buffer overflow in QUIC * CVE-2017-15399: Use after free in V8 - Drop upstream merged chromium-sandbox.patch * Fri Nov 03 2017 tchvatal@suse.com - Restrict the version on jpeg to not waste build power * Sun Oct 29 2017 tchvatal@suse.com - Add patch to fix sandbox crashes wrt bsc#1064298 * chromium-sandbox.patch * Fri Oct 27 2017 tchvatal@suse.com - Version update to 62.0.3202.75 bsc#1065405 CVE-2017-15396 * CVE-2017-15396: Stack overflow in V8 * Thu Oct 26 2017 astieger@suse.com - BuildRequire nodejs6 required for polymer-bundler.js * Thu Oct 26 2017 tchvatal@suse.com - Try to export properly CXX/CC variable to fix leap builds * Wed Oct 25 2017 tchvatal@suse.com - Apply patch to fix building crc32 with gcc7: * chromium-62.0.3202.62-correct-cplusplus-check.patch * Thu Oct 19 2017 tchvatal@suse.com - Update to 62.0.3202.62 bsc#1064066: * CVE-2017-5124: UXSS with MHTML. * CVE-2017-5125: Heap overflow in Skia. * CVE-2017-5126: Use after free in PDFium. * CVE-2017-5127: Use after free in PDFium. * CVE-2017-5128: Heap overflow in WebGL. * CVE-2017-5129: Use after free in WebAudio. * CVE-2017-5132: Incorrect stack manipulation in WebAssembly. * CVE-2017-5130: Heap overflow in libxml2. * CVE-2017-5131: Out of bounds write in Skia. * CVE-2017-5133: Out of bounds write in Skia. * CVE-2017-15386: UI spoofing in Blink. * CVE-2017-15387: Content security bypass. * CVE-2017-15388: Out of bounds read in Skia. * CVE-2017-15389: URL spoofing in OmniBox. * CVE-2017-15390: URL spoofing in OmniBox. * CVE-2017-15391: Extension limitation bypass in Extensions. * CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. * CVE-2017-15393: Referrer leak in Devtools. * CVE-2017-15394: URL spoofing in extensions UI. * CVE-2017-15395: Null pointer dereference in ImageCapture. - Drop unused patches: * arm-webrtc-fix.patch * arm_use_right_compiler.patch * chromium-46.0.2490.71-fix-missing-i18n_process_css_test.patch * chromium-atk.patch * chromium-mojo-dep.patch * gcc60-fixes.diff - Refresh patches: * chromium-gcc5.patch * chromium-prop-codecs.patch * exclude_ymp.diff * fix-gn-bootstrap.diff * Fri Sep 22 2017 astieger@suse.com - Update to 61.0.3163.100 (boo#1060019): * CVE-2017-5121: Out-of-bounds access in V8 * CVE-2017-5122: Out-of-bounds access in V8 * Various fixes from internal audits, fuzzing and other initiatives * Sat Sep 16 2017 tchvatal@suse.com - Update to 61.0.3163.91: * Various bugfixes * Mon Sep 11 2017 tchvatal@suse.com - Update to 61.0.3163.79 bsc#1057364: * CVE-2017-5111: Use after free in PDFium. * CVE-2017-5112: Heap buffer overflow in WebGL. * CVE-2017-5113: Heap buffer overflow in Skia. * CVE-2017-5114: Memory lifecycle issue in PDFium. * CVE-2017-5115: Type confusion in V8. * CVE-2017-5116: Type confusion in V8. * CVE-2017-5117: Use of uninitialized value in Skia. * CVE-2017-5118: Bypass of Content Security Policy in Blink. * CVE-2017-5119: Use of uninitialized value in Skia. * CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. - Rebase patch: * fix-gn-bootstrap.diff - Remove patches: * chromium-gcc7.patch * chromium-override.patch - Add new patches: * chromium-atk.patch * chromium-gcc5.patch * chromium-mojo-dep.patch - Gtk3 is hard required from now on - Version some of the required dependencies * Mon Aug 28 2017 astieger@suse.com - fix build with Factory glibc: add chromium-60.0.3112.113-breakpad-ucontext.patch * Fri Aug 25 2017 tchvatal@suse.com - Version update to 60.0.3112.113: * Various bugfixes * Tue Aug 15 2017 tchvatal@suse.com - Version update to 60.0.3112.101: * various usability bugfixes * Thu Aug 03 2017 tchvatal@suse.com - Version update to 60.0.3112.90: * Various usability bugfixes * Wed Jul 26 2017 tchvatal@suse.com - Version update to 60.0.3112.78 bsc#1050537: * CVE-2017-5091: Use after free in IndexedDB * CVE-2017-5092: Use after free in PPAPI * CVE-2017-5093: UI spoofing in Blink * CVE-2017-5094: Type confusion in extensions * CVE-2017-5095: Out-of-bounds write in PDFium * CVE-2017-5096: User information leak via Android intents * CVE-2017-5097: Out-of-bounds read in Skia * CVE-2017-5098: Use after free in V8 * CVE-2017-5099: Out-of-bounds write in PPAPI * CVE-2017-5100: Use after free in Chrome Apps * CVE-2017-5101: URL spoofing in OmniBox * CVE-2017-5102: Uninitialized use in Skia * CVE-2017-5103: Uninitialized use in Skia * CVE-2017-5104: UI spoofing in browser * CVE-2017-7000: Pointer disclosure in SQLite * CVE-2017-5105: URL spoofing in OmniBox * CVE-2017-5106: URL spoofing in OmniBox * CVE-2017-5107: User information leak via SVG * CVE-2017-5108: Type confusion in PDFium * CVE-2017-5109: UI spoofing in browser * CVE-2017-5110: UI spoofing in payments dialog * Various fixes from internal audits, fuzzing and other initiatives - Add patch chromium-override.patch - Remove patches chromium-fpermissive.patch chromium-system-ffmpeg-r3.patch - Rebase patches: * chromium-dma-buf.patch * chromium-gcc7.patch * chromium-last-commit-position-r0.patch * fix-gn-bootstrap.diff * Mon Jul 24 2017 tchvatal@suse.com - Recommend emoji fonts to make sure major web chats do not show questionmarks * Wed Jun 28 2017 tchvatal@suse.com - Update to 59.0.3071.115: * Various small fixes all around * Fri Jun 23 2017 astieger@suse.com - Update to 59.0.3071.109: * ozone/drm: Only reuse ScanoutBuffers with compatible modifiers * Fixing mouse focus on WebView * Remove gtk dependency from gles tests * Set build flag when using own FreeType * Revert of [scheduler] Move some task types to suspendable task runner * Fix an incorrect method name on the chrome://site-engagement WebUI page * Linux/Windows: Removing Guest menu item for supervised profile * Fri Jun 16 2017 astieger@suse.com - Update to 59.0.3071.104 (bsc#1044690): * CVE-2017-5087: Sandbox Escape in IndexedDB * CVE-2017-5088: Out of bounds read in V8 * CVE-2017-5089: Domain spoofing in Omnibox * Various fixes from internal audits, fuzzing and other initiatives * Thu Jun 08 2017 tchvatal@suse.com - Add patch chromium-buildname.patch bsc#1043420 * Tue Jun 06 2017 tchvatal@suse.com - Update to 59.0.3071.86 bsc#1042833: * CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16 * CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26 * CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07 * CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28 * CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09 * CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05 * CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16 * CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06 * CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28 * CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12 * CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20 * CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05 * CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07 * CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11 * CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24 * CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15 - Add patch to fix build with system dma: * chromium-dma-buf.patch - Drop no longer needed patches: * chromium-linker-memory.patch * chromium-system-jinja-r13.patch - Refresh patches: * chromium-gcc7.patch * chromium-system-ffmpeg-r3.patch * fix-gn-bootstrap.diff - Use bundled libxml * Upstream unfortunately uses git snapshot that is not api/abi compatible * Mon Jun 05 2017 tchvatal@suse.com - Add patch to build with gcc7: * chromium-gcc7.patch - Add patch for fpermissive build error: * chromium-fpermissive.patch * Wed May 10 2017 tchvatal@suse.com - Version update to 58.0.3029.110: * Various small bugfixes * Thu May 04 2017 tchvatal@suse.com - Version update to 58.0.3029.96: * Fixes bsc#1037594 CVE-2017-5068 * Tue Apr 25 2017 tchvatal@suse.com - Use bundled jinja2, system one changed in 2.9 too much to work * It is at least used only during build * Fri Apr 21 2017 tchvatal@suse.com - Version update to 58.0.3029.81 bsc#1035103: * High CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team, Qihoo 360 * High CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani * High CVE-2017-5059: Type confusion in Blink. Credit to SkyLined working with Trend Micro's Zero Day Initiative * Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng * Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah) * Medium CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous * Medium CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip * Medium CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar * Medium CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani * Medium CVE-2017-5066: Incorrect signature handing in Networking. Credit to chenchu * Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani * Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman - Refresh patch fix-gn-bootstrap.diff - Refresh patch chromium-system-jinja-r13.patch - Remove obsolete patch chromium-57-gcc4.patch * Thu Mar 30 2017 tchvatal@suse.com - Version update to 57.0.2987.133 bsc#1031677: * Critical CVE-2017-5055: Use after free in printing. Credit to Wadih Matar * High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs * High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin * High CVE-2017-5056: Use after free in Blink. Credit to anonymous * High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587) * Fri Mar 24 2017 tchvatal@suse.com - Drop the browser(npapi) provide which is not true * Sun Mar 19 2017 tchvatal@suse.com - Add patch to build with gcc4 * chromium-57-gcc4.patch * Thu Mar 16 2017 tchvatal@suse.com - Do not use gcc5 and newer as the compat was fixed again - Update to 57.0.2987.110 with various other small tweaks * Fri Mar 10 2017 tchvatal@suse.com - Version update to 57.0.2987.98 bsc#1028848: CVE-2017-5030 CVE-2017-5031 CVE-2017-5032 CVE-2017-5029 CVE-2017-5034 CVE-2017-5035 CVE-2017-5036 CVE-2017-5037 CVE-2017-5039 CVE-2017-5040 CVE-2017-5041 CVE-2017-5033 CVE-2017-5042 CVE-2017-5038 CVE-2017-5043 CVE-2017-5044 CVE-2017-5045 CVE-2017-5046 - Refresh patches * fix-gn-bootstrap.diff * chromium-linker-memory.patch - Remove obsolete patches: * chromium-sandbox.patch * chromium-54-ffmpeg2compat.patch - Remove vaapi patch which broke rendering on non-intel cards: * chromium-enable-vaapi-on-suse.patch - From this release onwards i586 build is disabled * Wed Feb 15 2017 idonmez@suse.com - Also add harfbuzz-ng to keeplibs for SLE * Mon Feb 06 2017 tchvatal@suse.com - Add condition for system harfbuzz to be disabled on SLE * Mon Feb 06 2017 qvoheagbfovvhubzdxfx@posteo.net - Fixed a typo in the build requirements for system minizip. * Fri Feb 03 2017 tchvatal@suse.com - Version update to 56.0.2924.87: * Various small fixes * Disabled option to enable/disable plugins in the chrome://plugins * Thu Feb 02 2017 qvoheagbfovvhubzdxfx@posteo.net - Added the package 'chromium-privacy' with multiple patches sourced from the release version on https://github.com/ u4qo60z73t1c4hurv3ny/privacy_patches-oS_cr, which, when enabled with the build option 'privacy', builds a version of Chromium with less privacy implications due to Google services integration. * Wed Feb 01 2017 qvoheagbfovvhubzdxfx@posteo.net - Changed the build requirement of libavformat to library version 57.41.100, as included in ffmpeg 3.1.1, as only this version properly supports the public AVStream API 'codecpar'. * Tue Jan 31 2017 tchvatal@suse.com - Version update to 56.0.2924.76 bsc#1022049: - CVE-2017-5007: Universal XSS in Blink - CVE-2017-5006: Universal XSS in Blink - CVE-2017-5008: Universal XSS in Blink - CVE-2017-5010: Universal XSS in Blink - CVE-2017-5011: Unauthorised file access in Devtools - CVE-2017-5009: Out of bounds memory access in WebRTC - CVE-2017-5012: Heap overflow in V8 - CVE-2017-5013: Address spoofing in Omnibox - CVE-2017-5014: Heap overflow in Skia - CVE-2017-5015: Address spoofing in Omnibox - CVE-2017-5019: Use after free in Renderer - CVE-2017-5016: UI spoofing in Blink - CVE-2017-5017: Uninitialised memory access in webm video - CVE-2017-5018: Universal XSS in chrome://apps - CVE-2017-5020: Universal XSS in chrome://downloads - CVE-2017-5021: Use after free in Extensions - CVE-2017-5022: Bypass of Content Security Policy in Blink - CVE-2017-5023: Type confusion in metrics - CVE-2017-5024: Heap overflow in FFmpeg - CVE-2017-5025: Heap overflow in FFmpeg - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing - Add conditional to switch between system and bundled icu - Raise dependency on harfbuzz to 1.3.1 - Also refresh patches: chromium-prop-codecs.patch chromium-linker-memory.patch * Sat Jan 28 2017 qvoheagbfovvhubzdxfx@posteo.net - Added patch chromium-enable-vaapi-on-suse.patch to enable VAAPI hardware accelerated video decoding. * Wed Dec 21 2016 astieger@suse.com - Chromium 55.0.2883.87: * various fixes for crashes and specific wesites * update Google pinned certificates * Wed Dec 21 2016 tchvatal@suse.com - Disable system icu on Factory, crashes autofill * Tue Dec 13 2016 idonmez@suse.com - python-html5lib now depends on six, so preserve that too for SLE builds. * Fri Dec 09 2016 astieger@suse.com - Obsolete ffmpeg and ffmpegsumo package in addition to conflict * Mon Dec 05 2016 astieger@suse.com - record minimum version for harfbuzz, incuding runtime Chromium will crash with harfbuzz < 1.3.0 * Sat Dec 03 2016 tchvatal@suse.com - Chromium 55.0.2883.75 bnc#1013236: CVE-2016-9651 CVE-2016-5208 CVE-2016-5207 CVE-2016-5206 CVE-2016-5205 CVE-2016-5204 CVE-2016-5209 CVE-2016-5203 CVE-2016-5210 CVE-2016-5212 CVE-2016-5211 CVE-2016-5213 CVE-2016-5214 CVE-2016-5216 CVE-2016-5215 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219 CVE-2016-5221 CVE-2016-5220 CVE-2016-5222 CVE-2016-9650 CVE-2016-5223 CVE-2016-5226 CVE-2016-5225 CVE-2016-5224 CVE-2016-9652 - Switch to system libraries: harfbuzz, zlib, ffmpeg, ... - Refreshed patches: * chromium-system-ffmpeg-r3.patch * chromium-system-jinja-r13.patch - Use system ffmpeg unless on 13.2 that didn't include it * chromium-54-ffmpeg2compat.patch * Remove upstreamed chromium-more-codec-aliases.patch - Remove bookmarks override as discussed with artwork simply just set homepage to our openSUSE one and that is all * Sat Nov 12 2016 astieger@suse.com - Chromium 54.0.2840.100: * CVE-2016-5199: Heap corruption in FFmpeg (boo#1009892) * CVE-2016-5200: out of bounds memory access in v8 (boo#1009893) * CVE-2016-5201: info leak in extensions (boo#1009894) * CVE-2016-5202: various fixes from internal audits (boo#1009895) * Mon Nov 07 2016 tchvatal@suse.com - Add patch chromium-prop-codecs.patch and set properly the codecs variable in main scope to allow ffmpeg passthrough bnc#1008725 * Wed Nov 02 2016 tchvatal@suse.com - Update to 54.0.2840.90: * Few fixes and tweaks * Fixes CVE-2016-5198 bsc#1008274 * Fri Oct 21 2016 tchvatal@suse.com - Update to 54.0.2840.71: * Few fixes around * Thu Oct 13 2016 tchvatal@suse.com - Version update to 54.0.2840.59 bnc#1004465: - CVE-2016-5181: Universal XSS in Blink (Anonymous) - CVE-2016-5182: Heap overflow in Blink (Giwan Go of STEALIEN) - CVE-2016-5183: Use after free in PDFium (Anonymous) - CVE-2016-5184: Use after free in PDFium (Anonymous) - CVE-2016-5185: Use after free in Blink (cloudfuzzer) - CVE-2016-5187: URL spoofing (Luan Herrera) - CVE-2016-5188: UI spoofing (Luan Herrera) - CVE-2016-5192: Cross-origin bypass in Blink (haojunhou at gmail) - CVE-2016-5189: URL spoofing (xisigr of Tencent's Xuanwu Lab) - CVE-2016-5186: Out of bounds read in DevTools (Abdulrahman Alqabandi) - CVE-2016-5191: Universal XSS in Bookmarks (Gareth Hughes) - CVE-2016-5190: Use after free in Internals (Atte Kettunen of OUSPG) - CVE-2016-5193: Scheme bypass (Yuyang ZHOUmartinzhou96) - packaging changes: * disable build for chromium-beta on %arm. * Make linker use less memory by tweaking its options: chromium-linker-memory.patch * obsolete desktop subpackages * Switch to gold to reduce memory use use during build * fix build on 4.5+ kernels with systemlibs: chromium-sandbox.patch * various compiler and linker flag adjustments * enable gtk3 ui, add patch gtk3-missing-define.patch * switch from some bundled libraries to the system versions chromium-system-ffmpeg-r3.patch chromium-system-jinja-r13.patch fix-gn-bootstrap.diff * remove service file covered by download_files - run time bug fixes: * Add --ui-disable-partial-swap to the launcher bnc#1000019 * Use default chromium values from master_preferences on first run rather than pseudo-duplicating in shellscript - added features: * hangouts extension * Fri Sep 30 2016 tchvatal@suse.com - Version update to 53.0.2785.143 bnc#1002140: * CVE-2016-5177: Use after free in V8 * CVE-2016-5178: Various fixes from internal audits * Mon Sep 26 2016 dimstar@opensuse.org - Export GDK_BACKEND=x11 before starting chromium, ensuring that it's started as an Xwayland client (boo#1001135). * Sat Sep 17 2016 tchvatal@suse.com - Apply sandbox patch to fix crashers on tumbleweed bnc#999091 * chromium-sandbox.patch * Thu Sep 15 2016 tchvatal@suse.com - Version update stable channel 53.0.2785.116 * Just smal bugfixes around * Wed Sep 14 2016 tchvatal@suse.com - Version update to 53.0.2785.113 bnc#998743: * CVE-2016-5170 Use after free in Blink * CVE-2016-5171 Use after free in Blink * CVE-2016-5172 Arbitrary Memory Read in v8 * CVE-2016-5173 Extension resource access * CVE-2016-5174 Popup not correctly suppressed * CVE-2016-5175 Various fixes from internal audits * Mon Sep 12 2016 tchvatal@suse.com - Reenable widevine build again bnc#998328 * Sat Sep 10 2016 tchvatal@suse.com - Stable channel update to 53.0.2785.101 * SPDY crasher fixes * Disable NV12 DXGI video on AMD * Forward --password-store switch to os_crypt * Tell the kernel to discard USB requests when they time out. * Wed Sep 07 2016 astieger@suse.com - Update to Chromium 53.0.2785.92: * Revert of support relocatable RPM packages * disallow WKBackForwardListItem navigations for pushState pages * arc: bluetooth: Fix advertised uuid * fix conflicting PendingIntent for stop button and swipe away * Thu Sep 01 2016 tittiatcoke@gmail.com - Update to Chromium 53.0.2785.89 - Improvements to the GN build system (boo#996032, boo#99606, boo#995932) - Security fixes (boo#996648) * CVE-2016-5147: Universal XSS in Blink. * CVE-2016-5148: Universal XSS in Blink. * CVE-2016-5149: Script injection in extensions. * CVE-2016-5150: Use after free in Blink. * CVE-2016-5151: Use after free in PDFium. * CVE-2016-5152: Heap overflow in PDFium. * CVE-2016-5153: Use after destruction in Blink. * CVE-2016-5154: Heap overflow in PDFium. * CVE-2016-5155: Address bar spoofing. * CVE-2016-5156: Use after free in event bindings. * CVE-2016-5157: Heap overflow in PDFium. * CVE-2016-5158: Heap overflow in PDFium. * CVE-2016-5159: Heap overflow in PDFium. * CVE-2016-5161: Type confusion in Blink. * CVE-2016-5162: Extensions web accessible resources bypass. * CVE-2016-5163: Address bar spoofing. * CVE-2016-5164: Universal XSS using DevTools. * CVE-2016-5165: Script injection in DevTools. * CVE-2016-5166: SMB Relay Attack via Save Page As. * CVE-2016-5160: Extensions web accessible resources bypass. - Drop patches chromium-snapshot-toolchain-r1.patch * Sat Aug 27 2016 tittiatcoke@gmail.com - Make it build on ARM. * Add build patch arm_use_right_compiler.patch - Drop unnecessary patches: * chromium-arm-r0.patch * Mon Aug 22 2016 tittiatcoke@gmail.com - Change buildsystem to GN, which is the new upstream default * Make Ninja only use 4 buildprocesses for building Chromium itself * Drop unnecessary patches - chromium-gcc-fixes.patch - adjust-ldflags-no-keep-memory.patch - gcc50-fixes.diff * Add patches to ensure correct build - chromium-last-commit-position-r0.patch - chromium-snapshot-toolchain-r1.patch * Drop unnecessary sourcefiles - courgette.tar.xz - depot_tools.tar.xz - gn-binaries.tar.xz * Fri Aug 12 2016 tittiatcoke@gmail.com - Use an explicit number of ninja build processes (-j 4), to further reduce the memory used. * Fri Aug 05 2016 astieger@suse.com - Update to Chromium 52.0.2743.116: * Security fixes (boo#992305): + CVE-2016-5141: Address bar spoofing (boo#992314) + CVE-2016-5142: Use-after-free in Blink (boo#992313) + CVE-2016-5139: Heap overflow in pdfium (boo#992311) + CVE-2016-5140: Heap overflow in pdfium (boo#992310) + CVE-2016-5145: Same origin bypass for images in Blink (boo#992320) + CVE-2016-5143: Parameter sanitization failure in DevTools (boo#992319) + CVE-2016-5144: Parameter sanitization failure in DevTools (boo#992315) + CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives (boo#992309) * Thu Jul 21 2016 tittiatcoke@gmail.com - Temporarily disable fix_network_api_crash.patch. Upstream has changed part of their code, so hopefully that resolved the issue * Thu Jul 21 2016 tittiatcoke@gmail.com - Update to Chromium 52.0.2743.82 * Security fixes (boo#989901): + CVE-2016-1706: Sandbox escape in PPAPI + CVE-2016-1707: URL spoofing on iOS + CVE-2016-1708: Use-after-free in Extensions + CVE-2016-1709: Heap-buffer-overflow in sfntly + CVE-2016-1710: Same-origin bypass in Blink + CVE-2016-1711: Same-origin bypass in Blink + CVE-2016-5127: Use-after-free in Blink + CVE-2016-5128: Same-origin bypass in V8 + CVE-2016-5129: Memory corruption in V8 + CVE-2016-5130: URL spoofing + CVE-2016-5131: Use-after-free in libxml + CVE-2016-5132: Limited same-origin bypass in Service Workers + CVE-2016-5133: Origin confusion in proxy authentication + CVE-2016-5134: URL leakage via PAC script + CVE-2016-5135: Content-Security-Policy bypass + CVE-2016-5136: Use after free in extensions + CVE-2016-5137: History sniffing with HSTS and CSP + CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives * Mon Jul 11 2016 Nick_Levinson@yahoo.com - Clarification/correction to chromium-desktop-gnome and chromium-desktop-kde software descriptions due to passwords preservation reported by Chromium developer * Fri Jun 24 2016 tittiatcoke@gmail.com - Update to Chromium 51.0.2704.106 * No changelog indicated * Thu Jun 23 2016 tittiatcoke@gmail.com - Add gcc60-fixes.diff to resolve the crashes observed with chromium when compiled with GCC6 * Fri Jun 17 2016 astieger@suse.com - Update to Chromium 51.0.2704.103 * Security fixes: - CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives (boo#985397) * Tue Jun 07 2016 tittiatcoke@gmail.com - Update to Chromium 51.0.2704.84 * No further changelog * Thu Jun 02 2016 astieger@suse.com - Update to Chromium 51.0.2704.79 [boo#982719] * Security fixes: - CVE-2016-1696: Cross-origin bypass in Extension bindings - CVE-2016-1697: Cross-origin bypass in Blink - CVE-2016-1698: Information leak in Extension bindings - CVE-2016-1699: Parameter sanitization failure in DevTools - CVE-2016-1700: Use-after-free in Extensions - CVE-2016-1701: Use-after-free in Autofill - CVE-2016-1702: Out-of-bounds read in Skia - CVE-2016-1703: Various fixes from internal audits, fuzzing and other initiatives. * Thu May 26 2016 tittiatcoke@gmail.com - Update to Chromium 51.0.2704.63 [boo#981886] * Security fixes: - CVE-2016-1672: Cross-origin bypass in extension bindings - CVE-2016-1673: Cross-origin bypass in Blink - CVE-2016-1674: Cross-origin bypass in extensions - CVE-2016-1675: Cross-origin bypass in Blink - CVE-2016-1676: Cross-origin bypass in extension bindings - CVE-2016-1677: Type confusion in V8 - CVE-2016-1678: Heap overflow in V8 - CVE-2016-1679: Heap use-after-free in V8 bindings - CVE-2016-1680: Heap use-after-free in Skia - CVE-2016-1681: Heap overflow in PDFium - CVE-2016-1682: CSP bypass for ServiceWorker - CVE-2016-1683: Out-of-bounds access in libxslt - CVE-2016-1684: Integer overflow in libxslt - CVE-2016-1685: Out-of-bounds read in PDFium - CVE-2016-1686: Out-of-bounds read in PDFium - CVE-2016-1687: Information leak in extensions - CVE-2016-1688: Out-of-bounds read in V8 - CVE-2016-1689: Heap buffer overflow in media - CVE-2016-1690: Heap use-after-free in Autofill - CVE-2016-1691: Heap buffer-overflow in Skia - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker - CVE-2016-1693: HTTP Download of Software Removal Tool - CVE-2016-1694: HPKP pins removed on cache clearance - CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives - drop chromium-50.0.2661.75-export_blink_Platform_symbols_in_shared_library_builds.patch now upstream * Fri May 13 2016 astieger@suse.com - Update to Chromium 50.0.2661.102 (boo#979859) * Security fixes: - CVE-2016-1667: Same origin bypass in DOM - CVE-2016-1668: Same origin bypass in Blink V8 bindings - CVE-2016-1669: Buffer overflow in V8 - CVE-2016-1670: Race condition in loader * Fri Apr 29 2016 astieger@suse.com - Update to Chromium 50.0.2661.94 (boo#977830) * Security fixes: - CVE-2016-1660: Out-of-bounds write in Blink - CVE-2016-1661: Memory corruption in cross-process frames - CVE-2016-1662: Use-after-free in extensions - CVE-2016-1663: Use-after-free in Blink’s V8 bindings - CVE-2016-1664: Address bar spoofing - CVE-2016-1665: Information leak in V8 - CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives * Fri Apr 22 2016 jslaby@suse.com - _constraints: increase memory. It takes 1.2G to build some .o, and with -j4 this results in OOM. * Thu Apr 14 2016 tittiatcoke@gmail.com - Update to Chromium 50.0.2661.75 (boo#975572) * Security Fixes: - CVE-2016-1652: Universal XSS in extension bindings - CVE-2016-1653: Out-of-bounds write in V8 - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding - CVE-2016-1654: Uninitialized memory read in media - CVE-2016-1655: Use-after-free related to extensions - CVE-2016-1656: Android downloaded file path restriction bypass - CVE-2016-1657: Address bar spoofing - CVE-2016-1658: Potential leak of sensitive information to malicious extensions - CVE-2016-1659: Various fixes from internal audits, fuzzing and other initiatives - add patch to fix GCC builds with component=shared_library: chromium-50.0.2661.75-export_blink_Platform_symbols_in_shared_library_builds.patch * Fri Apr 08 2016 astieger@suse.com - Update to Chromium 49.0.2623.112 * Block user removal when login attempt is in progress * Add the SuppressUnsupportedOSWarning policy setting * Fix how Save-Page-As responds to web requests blocked by extensions * Fix preferred width calculation for 8bit ltr runs in rtl blocks * Wed Mar 30 2016 tittiatcoke@gmail.com - Update to Chromium 49.0.2623.110 * No changelog available * Mon Mar 28 2016 tittiatcoke@gmail.com - Update to Chromium 49.0.2623.108 * Security fixes (boo#972834): - CVE-2016-1646: Out-of-bounds read in V8 - CVE-2016-1647: Use-after-free in Navigation - CVE-2016-1648: Use-after-free in Extensions - CVE-2016-1649: Buffer overflow in libANGLE - CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives - CVE-2016-3679: Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33). * Wed Mar 09 2016 tittiatcoke@gmail.com - Update to Chromium 49.0.2623.87 * Security fixes: - CVE-2016-1643: Type confusion in Blink (boo#970514) - CVE-2016-1644: Use-after-free in Blink (boo#970509) - CVE-2016-1645: Out-of-bounds write in PDFium (boo#970511) * Tue Mar 08 2016 tittiatcoke@gmail.com - Change the build method used on Packman. * Drop patch no-clang-on-packman.diff . This is no longer required as that ninja is respecting the build flags correctly. - Drop unused patch skia.patch * Fri Mar 04 2016 tittiatcoke@gmail.com - Update to Chromium 49.0.2623.75 * 26 security fixes, with the most important ones being: - CVE-2016-1630: Same-origin bypass in Blink - CVE-2016-1631: Same-origin bypass in Pepper Plugin - CVE-2016-1632: Bad cast in Extensions - CVE-2016-1633: Use-after-free in Blink - CVE-2016-1634: Use-after-free in Blink - CVE-2016-1635: Use-after-free in Blink - CVE-2016-1636: SRI Validation Bypass - CVE-2015-8126: Out-of-bounds access in libpng - CVE-2016-1637: Information Leak in Skia - CVE-2016-1638: WebAPI Bypass - CVE-2016-1639: Use-after-free in WebRTC - CVE-2016-1640: Origin confusion in Extensions UI - CVE-2016-1641: Use-after-free in Favicon - CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.26) (boo#969333) * Fri Feb 19 2016 tittiatcoke@gmail.com - Update to Chromium 48.0.2564.116 * Fixes a critical security flaw: - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. (boo#967376) * Mon Feb 15 2016 tittiatcoke@gmail.com - Update to Chromium 48.0.2564.109 * Security fixes (boo#965999) - CVE-2016-1622: Same-origin bypass in Extensions - CVE-2016-1623: Same-origin bypass in DOM - CVE-2016-1624: Buffer overflow in Brotli - CVE-2016-1625: Navigation bypass in Chrome Instant - CVE-2016-1626: Out-of-bounds read in PDFium - CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives * Sat Feb 13 2016 tittiatcoke@gmail.com - Drop the libva support completely. It seems that this is causing more issues than it actually resolves. (boo#965566) * Drop chromium-enable-vaapi.patch * Thu Feb 11 2016 tittiatcoke@gmail.com - Don't build with libva support for openSUSE 13.2 and lower (boo#966082) * Tue Feb 09 2016 tittiatcoke@gmail.com - Drop completely the option to build with system libraries. This could lead to issues (boo#965738) * Fri Feb 05 2016 tittiatcoke@gmail.com - Update to Chromium 48.0.2564.103 * No chnagelog available * Sun Jan 31 2016 tittiatcoke@gmail.com - Build against the in-source libjpeg to prevent graphical issues * Sun Jan 31 2016 tchvatal@suse.com - Use spec-cleaner - Remove buildenv check that is moot for the update-alternatives script - Build against the latest libjpeg rather than jpeg6 - Use update-alternatives as is required by the specification * Thu Jan 28 2016 tittiatcoke@gmail.com - Update to Chromium 48.0.2564.97 * No changelog available - Update the desktop-kde package so that on Leap and TW, the kwallet5 becomes the default. desktop-kde/gnome packages are no longer recommended as that the default is to automatically detect the password store. Only for those users that want to change this, they can select a different setup. * Fri Jan 22 2016 tittiatcoke@gmail.com - Update to Chromium 48.0.2564.82 * Security fixes: - CVE-2016-1612: Bad cast in V8 (boo#963184) - CVE-2016-1613: Use-after-free in PDFium (boo#963185) - CVE-2016-1614: Information leak in Blink (boo#963186) - CVE-2016-1615: Origin confusion in Omnibox (boo#963187) - CVE-2016-1616: URL Spoofing (boo#963188) - CVE-2016-1617: History sniffing with HSTS and CSP (boo#963189) - CVE-2016-1618: Weak random number generator in Blink (boo#963190) - CVE-2016-1619: Out-of-bounds read in PDFium (boo#963191) - CVE-2016-1620 chromium-browser: various fixes (boo#963192) * Thu Jan 14 2016 tittiatcoke@gmail.com - Update to Chromium 47.0.2526.111. * No changelog available * Mon Dec 28 2015 stefan.bruens@rwth-aachen.de - Enable SSE2 on x86_64 * Sun Dec 27 2015 stefan.bruens@rwth-aachen.de - Fix crash when trying to enable chromecast extension * Add patch: fix_network_api_crash.patch Fix https://code.google.com/p/chromium/issues/detail?id=572539 * Sun Dec 20 2015 astieger@suse.com - Update to Chromium 47.0.2525.106, fixing the following security issue: * CVE-2015-6792: Fixes from internal audits and fuzzing. [boo#959458] * Mon Dec 14 2015 jimmy@boombatower.com - Enable VA-API hardware acceleration in Linux. * chromium-enable-vaapi.patch * Thu Dec 10 2015 tittiatcoke@gmail.com - Update to Chromium 47.0.2526.80 [boo#958481] * Security fixes - CVE-2015-6788: Type confusion in extensions - CVE-2015-6789: Use-after-free in Blink - CVE-2015-6790: Escaping issue in saved pages - CVE-2015-6791: Various fixes from internal audits, fuzzing and other initiatives - Drop unused patch fix-clang.diff. * Sat Dec 05 2015 tittiatcoke@gmail.com - Enable the possibility to utilize the Widevine plugin within chromium. (boo#954103) * Add patch: fix_building_widevinecdm_with_chromium.patch * Wed Dec 02 2015 tittiatcoke@gmail.com - Update to Chromium 47.0.2526.73 * Security fixes (boo#957519) - CVE-2015-6765: Use-after-free in AppCache - CVE-2015-6766: Use-after-free in AppCache - CVE-2015-6767: Use-after-free in AppCache - CVE-2015-6768: Cross-origin bypass in DOM - CVE-2015-6769: Cross-origin bypass in core - CVE-2015-6770: Cross-origin bypass in DOM - CVE-2015-6771: Out of bounds access in v8 - CVE-2015-6772: Cross-origin bypass in DOM - CVE-2015-6764: Out of bounds access in v8 - CVE-2015-6773: Out of bounds access in Skia - CVE-2015-6774: Use-after-free in Extensions - CVE-2015-6775: Type confusion in PDFium - CVE-2015-6776: Out of bounds access in PDFium - CVE-2015-6777: Use-after-free in DOM - CVE-2015-6778: Out of bounds access in PDFium - CVE-2015-6779: Scheme bypass in PDFium - CVE-2015-6780: Use-after-free in Infobars - CVE-2015-6781: Integer overflow in Sfntly - CVE-2015-6782: Content spoofing in Omnibox - CVE-2015-6783: Signature validation issue in Android Crazy Linker. - CVE-2015-6784: Escaping issue in saved pages - CVE-2015-6785: Wildcard matching issue in CSP - CVE-2015-6786: Scheme bypass in CSP - CVE-2015-6787: Various fixes from internal audits, fuzzing and other initiatives. - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch (currently 4.7.80.23) * Wed Nov 11 2015 tittiatcoke@gmail.com - Update to Chromium 46.0.2490.86 * Security fixes (boo#954579): - CVE-2015-1302: Information leak in PDF viewer * Fri Oct 23 2015 tittiatcoke@gmail.com - Update to Chromium 46.0.2490.80 * No changelog available * Mon Oct 19 2015 tittiatcoke@gmail.com - Change the default homepage based on the new landingpage for the openSUSE Project. (boo#950957) * Wed Oct 14 2015 tittiatcoke@gmail.com - Update to Chromium 46.0.2490.71 * Security fixes (boo#950290) - CVE-2015-6755: Cross-origin bypass in Blink - CVE-2015-6756: Use-after-free in PDFium - CVE-2015-6757: Use-after-free in ServiceWorker - CVE-2015-6758: Bad-cast in PDFium - CVE-2015-6759: Information leakage in LocalStorage - CVE-2015-6760: Improper error handling in libANGLE - CVE-2015-6761: Memory corruption in FFMpeg - CVE-2015-6762: CORS bypass via CSS fonts - CVE-2015-6763: Various fixes from internal audits, fuzzing and other initiatives - Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch (currently 4.6.85.23) CVE-2015-7834 - drop upstreamed correct-blacklist.diff - add chromium-46.0.2490.71-fix-missing-i18n_process_css_test.patch to fix build - remove remoting_locales from spec * Sat Oct 03 2015 tittiatcoke@gmail.com - Update to Chromium 45.0.2454.101 * Security fixes: - CVE-2015-1303: Cross-origin bypass in DOM [boo#947504] - CVE-2015-1304: Cross-origin bypass in V8 [boo#947507] * Tue Sep 22 2015 tittiatcoke@gmail.com - Update to Chromium 45.0.2454.99 - No changelog available - Add upstream patch correct-blacklist.diff * This should restore the correct behavior of the option - -ignore-gpu-blacklist. https://code.google.com/p/chromium/issues/detail?id=509336 * Wed Sep 16 2015 tittiatcoke@gmail.com - Update to Chromium 45.0.2454.93 - No changelog available * Fri Sep 11 2015 tittiatcoke@gmail.com - Update to Chromium 45.0.2454.85 Security fixes: * CVE-2015-1291: Cross-origin bypass in DOM * CVE-2015-1292: Cross-origin bypass in ServiceWorker * CVE-2015-1293: Cross-origin bypass in DOM * CVE-2015-1294: Use-after-free in Skia * CVE-2015-1295: Use-after-free in Printing * CVE-2015-1296: Character spoofing in omnibox * CVE-2015-1297: Permission scoping error in WebRequest * CVE-2015-1298: URL validation error in extensions * CVE-2015-1299: Use-after-free in Blink * CVE-2015-1300: Information leak in Blink * CVE-2015-1301: Various fixes from internal audits, fuzzing and other initiatives. * Wed Aug 05 2015 tittiatcoke@gmail.com - Update to Chromium 44.0.2403.130 * No changelog available * Wed Jul 29 2015 tittiatcoke@gmail.com - Update to Chromium 44.0.2403.125 * No changelog available - The chromium-ffmpeg package (on Packman) now requires the same version for the main chromium package. This should prevent the issues arised from the libffmpeg switch that Google did recently * Sat Jul 25 2015 tittiatcoke@gmail.com - Update to Chromium 44.0.2403.107 * No changelog available * Tue Jul 21 2015 tittiatcoke@gmail.com - Update to Chromium 44.0.2403.89 * A number of new apps/extension APIs * Lots of under the hood changes for stability and performance * Security fixes: - CVE-2015-1271: Heap-buffer-overflow in pdfium - CVE-2015-1273: Heap-buffer-overflow in pdfium - CVE-2015-1274: Settings allowed executable files to run immediately after download - CVE-2015-1275: UXSS in Chrome for Android - CVE-2015-1276: Use-after-free in IndexedDB - CVE-2015-1279: Heap-buffer-overflow in pdfium - CVE-2015-1280: Memory corruption in skia - CVE-2015-1281: CSP bypass - CVE-2015-1282: Use-after-free in pdfium - CVE-2015-1283: Heap-buffer-overflow in expat - CVE-2015-1284: Use-after-free in blink - CVE-2015-1286: UXSS in blink - CVE-2015-1287: SOP bypass with CSS - CVE-2015-1270: Uninitialized memory read in ICU - CVE-2015-1272: Use-after-free related to unexpected GPU process termination - CVE-2015-1277: Use-after-free in accessibility - CVE-2015-1278: URL spoofing using pdf files - CVE-2015-1285: Information leak in XSS auditor - CVE-2015-1288: Spell checking dictionaries fetched over HTTP - CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives * Wed Jul 15 2015 tittiatcoke@gmail.com - Update to Chromium 43.0.2357.134 Update of the Pepper Flash plugin to 18.0.0.209 * Wed Jul 08 2015 tittiatcoke@gmail.com - Update to Chromium 43.0.2357.132 No changelog available * Tue Jun 23 2015 tittiatcoke@gmail.com - Update to Chromium 43.0.2357.130 - Security fixes (boo#935723) * CVE-2015-1266: Scheme validation error in WebUI * CVE-2015-1268: Cross-origin bypass in Blink * CVE-2015-1267: Cross-origin bypass in Blink * CVE-2015-1269: Normalization error in HSTS/HPKP preload list * Wed Jun 17 2015 tittiatcoke@gmail.com - Add the buildflag enable_hotwording=0 to prevent that Chromium downloads a binary blob for speechrecognition (boo#935022) - Add patch gcc50-fixes.diff to enable building against GCC 5. The patch fixes the python regular expression and ensures to return a two digit value for the GCC version * Fri Jun 12 2015 tittiatcoke@gmail.com - Update to Chromium 43.0.2357.125 * Bug-fixes: - esolved browser font magnification/scaling issue. * Wed May 27 2015 tittiatcoke@gmail.com - Update to Chromium 43.0.2357.81 * Bug-fixes: - Fixed an issue where sometimes a blank page would print - Icons not displaying properly on Linux * Wed May 20 2015 tittiatcoke@gmail.com - Update to Chromium 43.0.2357.65 * Security fixes: - CVE-2015-1252: Sandbox escape in Chrome - CVE-2015-1253: Cross-origin bypass in DOM - CVE-2015-1254: Cross-origin bypass in Editing - CVE-2015-1255: Use-after-free in WebAudio - CVE-2015-1256: Use-after-free in SVG - CVE-2015-1251: Use-after-free in Speech - CVE-2015-1257: Container-overflow in SVG - CVE-2015-1258: Negative-size parameter in Libvpx - CVE-2015-1259: Uninitialized value in PDFium - CVE-2015-1260: Use-after-free in WebRTC - CVE-2015-1261: URL bar spoofing - CVE-2015-1262: Uninitialized value in Blink - CVE-2015-1263: Insecure download of spellcheck dictionary - CVE-2015-1264: Cross-site scripting in bookmarks - CVE-2015-1265: Various fixes from internal audits, fuzzing and other initiatives - Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch (currently 4.3.61.21) * Wed Apr 29 2015 tittiatcoke@gmail.com - Update to Chromium 42.0.2311.135 * Security fixes: - CVE-2015-1243: Use-after-free in DOM - CVE-2015-1250: Various fixes from internal audits, fuzzing and other initiatives and 3 more security fixes. * Mon Apr 27 2015 tittiatcoke@gmail.com - Fix for missing Chromium icon in the taskbar. * Wed Apr 15 2015 tittiatcoke@gmail.com - Update to Chromium 42.0.2311.90 * A number of new apps, extension and Web Platform APIs (including the Push API!) * Lots of under the hood changes for stability and performance * Security fixes, including: - CVE-2015-1235: Cross-origin-bypass in HTML parser - CVE-2015-1236: Cross-origin-bypass in Blink - CVE-2015-1237: Use-after-free in IPC - CVE-2015-1238: Out-of-bounds write in Skia - CVE-2015-1240: Out-of-bounds read in WebGL - CVE-2015-1241: Tap-Jacking - CVE-2015-1242: Type confusion in V8 - CVE-2015-1244: HSTS bypass in WebSockets - CVE-2015-1245: Use-after-free in PDFium - CVE-2015-1246: Out-of-bounds read in Blink - CVE-2015-1247: Scheme issues in OpenSearch - CVE-2015-1248: SafeBrowsing bypass - CVE-2015-1249: Various fixes from internal audits, fuzzing and other initiatives - Multiple vulnerabilities in V8 fixed * Thu Apr 02 2015 tittiatcoke@gmail.com - Update to Chromium 41.0.2272.118 Security fixes: * CVE-2015-1233: A combination of V8, Gamepad and IPC bugs that can lead to remote code execution outside of the sandbox * CVE-2015-1234: Buffer overflow via race condition in GPU * Sat Mar 21 2015 tittiatcoke@gmail.com - Update to Chromium 41.0.2272.101 * Bugfixes * Thu Mar 12 2015 tittiatcoke@gmail.com - Update to Chromium 41.0.2272.89 * Bugfixes * Wed Mar 04 2015 tittiatcoke@gmail.com - Update to Chromium 41.0.2272.76 Security fixes: * CVE-2015-1212: Out-of-bounds write in media * CVE-2015-1213: Out-of-bounds write in skia filters * CVE-2015-1214: Out-of-bounds write in skia filters * CVE-2015-1215: Out-of-bounds write in skia filters * CVE-2015-1216: Use-after-free in v8 bindings * CVE-2015-1217: Type confusion in v8 bindings * CVE-2015-1218: Use-after-free in dom * CVE-2015-1219: Integer overflow in webgl * CVE-2015-1220: Use-after-free in gif decoder * CVE-2015-1221: Use-after-free in web databases * CVE-2015-1222: Use-after-free in service workers * CVE-2015-1223: Use-after-free in dom * CVE-2015-1230: Type confusion in v8 * CVE-2015-1224: Out-of-bounds read in vpxdecoder * CVE-2015-1225: Out-of-bounds read in pdfium * CVE-2015-1226: Validation issue in debugger * CVE-2015-1227: Uninitialized value in blink * CVE-2015-1228: Uninitialized value in rendering * CVE-2015-1229: Cookie injection via proxies * CVE-2015-1231: Various fixes from internal audits * Multiple vulnerabilities in V8 fixed at the tip of the 4.1 branch * Fri Feb 27 2015 meissner@suse.com - regular diskusage is more like 20GB+ * Mon Feb 23 2015 meissner@suse.com - uses around 5.8GB for building, assign like 6GB in _constraints * Fri Feb 20 2015 tittiatcoke@gmail.com - Update to Chromium 40.0.2214.115 * Bugfixes * Wed Feb 18 2015 tittiatcoke@gmail.com - Utilize the _service file to download the chromium tarball * Sun Feb 08 2015 tittiatcoke@gmail.com - Update to Chromium 40.0.2214.111 * Security Fixes: - CVE-2015-1209: Use-after-free in DOM - CVE-2015-1210: Cross-origin-bypass in V8 bindings - CVE-2015-1211: Privilege escalation using service workers - CVE-2015-1212: Various fixes from internal audits, fuzzing and other initiatives * Sat Jan 31 2015 tittiatcoke@gmail.com - Update to Chromium 40.0.2214.94 - Bugfixes * Wed Jan 28 2015 tittiatcoke@gmail.com - Update to Chromium 40.0.2214.93 - Bugfixes * Fri Jan 23 2015 tittiatcoke@gmail.com - Update to Chromium 40.0.2214.91 * Security Fixes: - CVE-2014-7923: Memory corruption in ICU - CVE-2014-7924: Use-after-free in IndexedDB - CVE-2014-7925: Use-after-free in WebAudio - CVE-2014-7926: Memory corruption in ICU - CVE-2014-7927: Memory corruption in V8 - CVE-2014-7928: Memory corruption in V8 - CVE-2014-7930: Use-after-free in DOM - VE-2014-7931: Memory corruption in V8 - CVE-2014-7929: Use-after-free in DOM - CVE-2014-7932: Use-after-free in DOM - CVE-2014-7933: Use-after-free in FFmpeg - CVE-2014-7934: Use-after-free in DOM - CVE-2014-7935: Use-after-free in Speech - CVE-2014-7936: Use-after-free in Views - CVE-2014-7937: Use-after-free in FFmpeg - CVE-2014-7938: Memory corruption in Fonts - CVE-2014-7939: Same-origin-bypass in V8 - CVE-2014-7940: Uninitialized-value in ICU - CVE-2014-7941: Out-of-bounds read in UI - CVE-2014-7942: Uninitialized-value in Fonts - CVE-2014-7943: Out-of-bounds read in Skia - CVE-2014-7944: Out-of-bounds read in PDFium - CVE-2014-7945: Out-of-bounds read in PDFium - CVE-2014-7946: Out-of-bounds read in Fonts - CVE-2014-7947: Out-of-bounds read in PDFium - CVE-2014-7948: Caching error in AppCache - CVE-2015-1205: Various fixes from internal audits, fuzzing and other initiatives - Multiple vulnerabilities in V8 fixed at the tip of the 3.30 branch * Tue Jan 13 2015 tittiatcoke@gmail.com - Update to Chromium 39.0.2171.99 * Bugfixes * Wed Dec 10 2014 tittiatcoke@gmail.com - Update to Chromium 39.0.2171.95 * Bugfixes * Sun Nov 30 2014 Led <ledest@gmail.com> - fix using 'echo' command in chromium-browser.sh script * Wed Nov 26 2014 tittiatcoke@gmail.com - Update to Chromium 39.0.2171.71 * Bugfixes * Wed Nov 19 2014 tittiatcoke@gmail.com - Update to Chromium 39.0.2171.65 * Security fixes: - CVE-2014-7899: Address bar spoofing (boo#906320) - CVE-2014-7900: Use-after-free in pdfium (boo#906317) - CVE-2014-7901: Integer overflow in pdfium (boo#906322) - CVE-2014-7902: Use-after-free in pdfium (boo#906328) - CVE-2014-7903: Buffer overflow in pdfium (boo#906318) - CVE-2014-7904: Buffer overflow in Skia (boo#906321) - CVE-2014-7905: Flaw allowing navigation to intents that do not have the BROWSABLE category (boo#906330) - CVE-2014-7906: Use-after-free in pepper plugins (boo#906319) - CVE-2014-0574: Double-free in Flash - CVE-2014-7907: Use-after-free in blink (boo#906323) - CVE-2014-7908: Integer overflow in media (boo#906324) - CVE-2014-7909: Uninitialized memory read in Skia (boo#906326) - CVE-2014-7910: Various fixes from internal audits, fuzzing and other initiatives (boo#906327) * Fri Nov 14 2014 tittiatcoke@gmail.com - Update to Chromium 38.0.2125.122 * Several bugfixes * Tue Oct 28 2014 tittiatcoke@gmail.com - Update to Chromium 38.0.2125.111 * Several bugfixes * Wed Oct 15 2014 tittiatcoke@gmail.com - Update to Chromium 38.0.2125.104 * Several bugfixes - Updated source url to point to the right location
/etc/chromium /etc/chromium/master_preferences /etc/chromium/native-messaging-hosts /etc/chromium/policies /etc/chromium/policies/managed /etc/chromium/policies/recommended /usr/bin/chromium /usr/bin/chromium-browser /usr/lib64/chromium /usr/lib64/chromium/chrome /usr/lib64/chromium/chrome-wrapper /usr/lib64/chromium/chrome_100_percent.pak /usr/lib64/chromium/chrome_200_percent.pak /usr/lib64/chromium/chrome_crashpad_handler /usr/lib64/chromium/icudtl.dat /usr/lib64/chromium/libEGL.so /usr/lib64/chromium/libGLESv2.so /usr/lib64/chromium/libvk_swiftshader.so /usr/lib64/chromium/libvulkan.so.1 /usr/lib64/chromium/locales /usr/lib64/chromium/locales/af.pak /usr/lib64/chromium/locales/am.pak /usr/lib64/chromium/locales/ar-XB.pak /usr/lib64/chromium/locales/ar.pak /usr/lib64/chromium/locales/bg.pak /usr/lib64/chromium/locales/bn.pak /usr/lib64/chromium/locales/ca.pak /usr/lib64/chromium/locales/cs.pak /usr/lib64/chromium/locales/da.pak /usr/lib64/chromium/locales/de.pak /usr/lib64/chromium/locales/el.pak /usr/lib64/chromium/locales/en-GB.pak /usr/lib64/chromium/locales/en-US.pak /usr/lib64/chromium/locales/en-XA.pak /usr/lib64/chromium/locales/es-419.pak /usr/lib64/chromium/locales/es.pak /usr/lib64/chromium/locales/et.pak /usr/lib64/chromium/locales/fa.pak /usr/lib64/chromium/locales/fi.pak /usr/lib64/chromium/locales/fil.pak /usr/lib64/chromium/locales/fr.pak /usr/lib64/chromium/locales/gu.pak /usr/lib64/chromium/locales/he.pak /usr/lib64/chromium/locales/hi.pak /usr/lib64/chromium/locales/hr.pak /usr/lib64/chromium/locales/hu.pak /usr/lib64/chromium/locales/id.pak /usr/lib64/chromium/locales/it.pak /usr/lib64/chromium/locales/ja.pak /usr/lib64/chromium/locales/kn.pak /usr/lib64/chromium/locales/ko.pak /usr/lib64/chromium/locales/lt.pak /usr/lib64/chromium/locales/lv.pak /usr/lib64/chromium/locales/ml.pak /usr/lib64/chromium/locales/mr.pak /usr/lib64/chromium/locales/ms.pak /usr/lib64/chromium/locales/nb.pak /usr/lib64/chromium/locales/nl.pak /usr/lib64/chromium/locales/pl.pak /usr/lib64/chromium/locales/pt-BR.pak /usr/lib64/chromium/locales/pt-PT.pak /usr/lib64/chromium/locales/ro.pak /usr/lib64/chromium/locales/ru.pak /usr/lib64/chromium/locales/sk.pak /usr/lib64/chromium/locales/sl.pak /usr/lib64/chromium/locales/sr.pak /usr/lib64/chromium/locales/sv.pak /usr/lib64/chromium/locales/sw.pak /usr/lib64/chromium/locales/ta.pak /usr/lib64/chromium/locales/te.pak /usr/lib64/chromium/locales/th.pak /usr/lib64/chromium/locales/tr.pak /usr/lib64/chromium/locales/uk.pak /usr/lib64/chromium/locales/ur.pak /usr/lib64/chromium/locales/vi.pak /usr/lib64/chromium/locales/zh-CN.pak /usr/lib64/chromium/locales/zh-TW.pak /usr/lib64/chromium/plugins /usr/lib64/chromium/resources.pak /usr/lib64/chromium/v8_context_snapshot.bin /usr/lib64/chromium/vk_swiftshader_icd.json /usr/share/applications/chromium-browser.desktop /usr/share/chromium /usr/share/chromium/extensions /usr/share/doc/packages/chromium /usr/share/doc/packages/chromium/AUTHORS /usr/share/icons/hicolor /usr/share/icons/hicolor/128x128 /usr/share/icons/hicolor/128x128/apps /usr/share/icons/hicolor/128x128/apps/chromium-browser.png /usr/share/icons/hicolor/16x16 /usr/share/icons/hicolor/16x16/apps /usr/share/icons/hicolor/16x16/apps/chromium-browser.png /usr/share/icons/hicolor/24x24 /usr/share/icons/hicolor/24x24/apps /usr/share/icons/hicolor/24x24/apps/chromium-browser.png /usr/share/icons/hicolor/256x256 /usr/share/icons/hicolor/256x256/apps /usr/share/icons/hicolor/256x256/apps/chromium-browser.png /usr/share/icons/hicolor/32x32 /usr/share/icons/hicolor/32x32/apps /usr/share/icons/hicolor/32x32/apps/chromium-browser.png /usr/share/icons/hicolor/48x48 /usr/share/icons/hicolor/48x48/apps /usr/share/icons/hicolor/48x48/apps/chromium-browser.png /usr/share/icons/hicolor/64x64 /usr/share/icons/hicolor/64x64/apps /usr/share/icons/hicolor/64x64/apps/chromium-browser.png /usr/share/icons/hicolor/symbolic /usr/share/icons/hicolor/symbolic/apps /usr/share/icons/hicolor/symbolic/apps/chromium-browser.svg /usr/share/licenses/chromium /usr/share/licenses/chromium/LICENSE /usr/share/man/man1/chromium-browser.1.gz /usr/share/metainfo/chromium-browser.appdata.xml
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 18:11:13 2024