Chromium 49 packages address security issues; no more 32-bit binary plugins
Chromium 49 was announced on the Google Chrome Releases blog. I needed some time to compile package for my ‘ktown’ repository containing the KDE Plasma 5 environment. In fact it took more time than anticipated because I had upgraded my QEMU from 1.2.0 to 2.5.0 and that had unepected side effects: it severely affected the performance of the host server (running Slackware64 13.37 and a 22.214.171.124 kernel) and decreased the Virtual Machine speed to almost half. And when the VM froze while I was compiling chromium in it, I had enough. I reverted to QEMU 1.2.0 and all is well again.
Anyway, the new chromium 49.0.2623.75 release addresses a couple of security issues – some of these have a CVE number:
- [$8000] High CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski.
- [$5000] High CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
- [$3000] High CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
- [$3000] High CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
- [$2000] High CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
- [$2000] High CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and Bryant Zadegan.
- [$500] High CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann.
- [$2000] Medium CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
- [$1000] Medium CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
- [$1000] Medium CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
- [$1000] Medium CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera.
- [$500] Medium CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of OUSPG.
-  CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.
It is advised to upgrade to this version of Chromium.
Please note that Google has stopped providing 32-bit versions of Chrome for Linux. This means that I will no longer be able to supply 32-bit plugins for Pepper Flash and for Widevine CDM support. The 32-bit plugins currently in my repository are taken from the Chrome 48 RPM and they will probably just keep functioning for a while. However I have no idea when they break, and particularly the Pepper Flash plugin will age pretty fast, considering the fact that Adobe releases security updates for Flash almost every month. YMMV.
Get my chromium packages in one of the usual locations:
- http://slackware.com/~alien/slackbuilds/ (primary server)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/ (my own US mirror)
- http://slackware.uk/people/alien/slackbuilds/ (UK mirror – fast & preferred, also has rsync access)
- http://alien.slackbook.org/slackbuilds/ (US mirror)
The widevine and pepperflash plugin packagess for chromium can be found in the same repository.
Have fun! Eric