Five days ago, Chromium 50 was announced on the Google Chrome Releases blog. The 64bit package was built soon after, but then I needed my server’s processing power for the new KDE Plasma5 releases that have become available (Frameworks, Plasma) or will soon become available (Applications) and those required an update of the Qt5 package to 5.6.0… time-consuming to build, I can assure you! Especially if the build fails right at the end of 7 hours of compilation and a patch needs to be written…

So reserving time to compile the 32bit package for chromium took a while. And remember, even though I can still provide a 32bit Chromium browser, Google has ceased providing a 32bit version of their own Chrome browser – which means, no more updates to the 32bit PepperFlash and Widevine plugins.

This new release (50.0.2661.75) addresses a couple of security issues – some of these have a CVE number:

  • [$7500][590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
  • [$5000][589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
  • [591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP’s Zero Day Initiative.
  • [$1500][589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
  • [$1500][582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
  • [$500][570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
  • [$1000][567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
  • [$500][573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
  • [602697] CVE-2016-1659: Various fixes from internal audits, fuzzing and other initiatives.

 

As always, it is strongly advised to upgrade to this new version of Chromium. Get my chromium packages in one of the usual locations:

The widevine and pepperflash plugin packages for chromium can be found in the same repository. The 64bit versions of these plugins were both updated with new libraries extracted from the official Google Chrome for Linux.

Have fun! Eric