-
Committer:
Chad MILLER
-
Date:
2016-12-14 14:06:51 UTC
-
mfrom:
(734.15.196 trusty-working)
-
Revision ID:
chad.miller@canonical.com-20161214140651-t7j5o3vwty6bsvoa
[Chad Miller]
* debian/rules, debian/control: Use gcc/g++ 4.8 to build.
* Upstream release of 55.0.2883.75:
- CVE-2016-9651: Private property access in V8.
- CVE-2016-5208: Universal XSS in Blink.
- CVE-2016-5207: Universal XSS in Blink.
- CVE-2016-5206: Same-origin bypass in PDFium.
- CVE-2016-5205: Universal XSS in Blink.
- CVE-2016-5204: Universal XSS in Blink.
- CVE-2016-5209: Out of bounds write in Blink.
- CVE-2016-5203: Use after free in PDFium.
- CVE-2016-5210: Out of bounds write in PDFium.
- CVE-2016-5212: Local file disclosure in DevTools.
- CVE-2016-5211: Use after free in PDFium.
- CVE-2016-5213: Use after free in V8.
- CVE-2016-5214: File download protection bypass.
- CVE-2016-5216: Use after free in PDFium.
- CVE-2016-5215: Use after free in Webaudio.
- CVE-2016-5217: Use of unvalidated data in PDFium.
- CVE-2016-5218: Address spoofing in Omnibox.
- CVE-2016-5219: Use after free in V8.
- CVE-2016-5221: Integer overflow in ANGLE.
- CVE-2016-5220: Local file access in PDFium.
- CVE-2016-5222: Address spoofing in Omnibox.
- CVE-2016-9650: CSP Referrer disclosure.
- CVE-2016-5223: Integer overflow in PDFium.
- CVE-2016-5226: Limited XSS in Blink.
- CVE-2016-5225: CSP bypass in Blink.
- CVE-2016-5224: Same-origin bypass in SVG
- CVE-2016-9652: Various fixes from internal audits, fuzzing and other
initiatives
* Upstream release of 54.0.2840.100:
- CVE-2016-5199: Heap corruption in FFmpeg.
- CVE-2016-5200: Out of bounds memory access in V8.
- CVE-2016-5201: Info leak in extensions.
- CVE-2016-5202: Various fixes from internal audits, fuzzing and other
initiatives
* Move to using GN to build chromium.
- debian/known_gn_gen_args
- debian/rules
patches
* debian/rules, lintians, installs, script: Move component libs out of
libs/, to /usr/lib/chromium-browser/ only.
* debian/patches/do-not-use-bundled-clang: Use clang from path.
* debian/control: Express that binary packages could be on "any"
architecture.
* debian/control: additionally build-dep on libgtk-3-dev
* debian/patches/arm64-support: Fail nicer if aarch64/arm64 mismatch.
* Upstrem release of 54.0.2840.59:
- CVE-2016-5181: Universal XSS in Blink.
- CVE-2016-5182: Heap overflow in Blink.
- CVE-2016-5183: Use after free in PDFium.
- CVE-2016-5184: Use after free in PDFium.
- CVE-2016-5185: Use after free in Blink.
- CVE-2016-5187: URL spoofing.
- CVE-2016-5188: UI spoofing.
- CVE-2016-5192: Cross-origin bypass in Blink.
- CVE-2016-5189: URL spoofing.
- CVE-2016-5186: Out of bounds read in DevTools.
- CVE-2016-5191: Universal XSS in Bookmarks.
- CVE-2016-5190: Use after free in Internals.
- CVE-2016-5193: Scheme bypass.
- CVE-2016-5194: Various fixes from internal audits, fuzzing and other
initiatives
* debian/patches/allow-component-build: Hard-code, override
release -> no component logic.
* debian/known_gyp_flags: Remove old GYP known-flags list.
* debian/default-allocator: Insist on not using tcmalloc allocator.
* debian/rules: Set LDFLAGS to limit memory usage.
* debian/control: Remove extraneous dependencies.
* debian/patches/defang-ct-timebomb: backport TLS cert invalidity based
on build-time. (LP: #1641380)
* Upstream release 53.0.2785.143:
- CVE-2016-5177: Use after free in V8.
- CVE-2016-5178: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 53.0.2785.113:
- CVE-2016-5170: Use after free in Blink.
- CVE-2016-5171: Use after free in Blink.
- CVE-2016-5172: Arbitrary Memory Read in v8.
- CVE-2016-5173: Extension resource access.
- CVE-2016-5174: Popup not correctly suppressed.
- CVE-2016-5175: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
we can not assume a memory access to address zero always results in a
trap.
* debian/patches/gsettings-display-scaling,
debian/patches/display-scaling-default-value, reenable DPI scaling taken
from dconf.
* debian/rules: explicitly set target arch for arm64.
* debian/control, debian/rules: re-add -dbg transitional packages.
* Upstream release 53.0.2785.89:
- CVE-2016-5147: Universal XSS in Blink.
- CVE-2016-5148: Universal XSS in Blink.
- CVE-2016-5149: Script injection in extensions.
- CVE-2016-5150: Use after free in Blink.
- CVE-2016-5151: Use after free in PDFium.
- CVE-2016-5152: Heap overflow in PDFium.
- CVE-2016-5153: Use after destruction in Blink.
- CVE-2016-5154: Heap overflow in PDFium.
- CVE-2016-5155: Address bar spoofing.
- CVE-2016-5156: Use after free in event bindings.
- CVE-2016-5157: Heap overflow in PDFium.
- CVE-2016-5158: Heap overflow in PDFium.
- CVE-2016-5159: Heap overflow in PDFium.
- CVE-2016-5161: Type confusion in Blink.
- CVE-2016-5162: Extensions web accessible resources bypass.
- CVE-2016-5163: Address bar spoofing.
- CVE-2016-5164: Universal XSS using DevTools.
- CVE-2016-5165: Script injection in DevTools.
- CVE-2016-5166: SMB Relay Attack via Save Page As.
- CVE-2016-5160: Extensions web accessible resources bypass.
- CVE-2016-5167: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/cups-include-deprecated-ppd, debian/rules: include cups
functions.
* Use system libraries for expat, speex, zlib, opus, png, jpeg.
* Also build for arm64 architecture.
* Don't compile in cups support by default on all architectures.
* debian/control: remvove build-dep on clang.
* debian/patches/linux45-madvfree: If MADV_FREE is not defined, do not allow
it in sandbox filter. Also, undefine it so we don't use MADV_FREE and
thereby depend on it at runtime.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
we can not assume a memory access to address zero always results in a
trap.
* debian/patches/series, debian/rules: Re-enable widevine component.
* debian/patches/expat-config: Avoid "memmove does not exist".