My thoughts on Slackware, life and everything

New update for Chromium to address 0-day exploit

Chromium, regular and un-googled.

Earlier last week Google released 108.0.5359.71. On friday, I had finally built and uploaded Slackware packages for this, when they released a quick fix to plug an already actively exploited hole (CVE-2022-4262).
The intermediate release took me by surprise. Luckily someone alerted me to the security fix in the comments section of my previous post. I grabbed the new source tarballs and built 108.0.5359.94 in the course of the weekend.
And I have now uploaded new packages both for chromium and chromium-ungoogled. Target OS releases are Slackware 14.2 and higher (32bit and 64bit).

Quick reminder:
I will stop releasing Chromium packages for Slackware 14.2 after February 2nd, 2023. On that day, Slackware 15.0 is one year old and I expect that everybody who uses a graphical desktop on Slackware, will have upgraded from Slackware 14.2 to 15.0 during that year. If you did upgrade yet but still want to use my Chromium browser packages, you still have two months’ time to prepare and execute that upgrade.
Chromium packages for Slackware 15.0 and -current will of course keep coming.

Cheers, Eric

44 Comments

  1. Konrad J Hambrick

    Thanks Eric !
    Posted from chromium-ungoogled-108.0.5359.94-x86_64-1alien and working just fine.
    — kjh

  2. Magic Magee

    Eric,
    Unfortunately, after upgrade from chromium-107.0.5304.121-x86_64-1alien (which ran fine), I encounter
    /usr/lib64/chromium/chromium: symbol lookup error: /usr/lib64/chromium/chromium: undefined symbol: gbm_bo_get_modifier

    I’m running Slackware 14.2 so that might apply.
    Thank you for all your work and attention

  3. Marco

    Thanks!

  4. Marco

    I noticed that your Chromium builds for 14.2, 15.0 and current are, at the moment, the same. Apparantly there are not a lot (or none) dependent libraries for Chromium? Do you expect that newer versions will keep working on 14.2?

    • alienbob

      Marco. Compiling a single Chromium package takes 8 to 9 hours. Of course I do not build separate packages for Slackware 14.2, 15.0 and -current. The binaries inside the package are mostly self-contained and have very little external dependencies. I compile the chromium packages on 14.2 and they are indeed the same as you install on 15.0 or -current.
      Now when I switch to Slackware 15.0 as the platform to compile Chromium, that will make it easier hopefully. Slackware 14.2 contains a lot of libraries that are too old for Chromium’s compilation process and I have to tweak the installed OS to make it compile successfully. The resulting binaries are mostly depending on glibc. That is also exactly the reason why a package that I compile on Slackware 15.0 will not be able to run on Slackware 14.2.

      • Marco

        I don’t expect you to, Eric. I was just wondering.
        I guess you meant “when I switch to 15.0”? I never compiled Chromium myself and knew you would be able to answer these questions. Thank you for all your work.

        • alienbob

          Thanks for catching the “switch to…” typo there. I have fixed the text in my comment.

  5. Andrew Patrzalek

    Thank you and the person who notified you of the exploit. Also thanks for taking care of others.

  6. BrianA_MN

    Eric, thank you for the continued support of 14.2 with some of your slackbuilds. Even if you stop building for 14.2, will you leave your 14.2 slackbuilds available for others to use? I realize there may be some curating to do, since some packages already fail to build for 14.2 due to upstream changes to dependencies, but I’m just wondering. Thanks, BrianA_MN

    • alienbob

      The Chromium packages for Slackware 14.2 will become stale overtime and looking at the seven zero-day exploits discovered for Chromium just in 2022, it would be unwise to keep using an old Chromium on Slackware 14.2 when I stop compiling the latest releases.
      What is the reason that you would be unable to migrate to Slackware 15.0?

      • JanR

        He is probably asking about availability of your slackbuild sources for 14.2, not for the resulting builds. I’m interrested in those, too.

        Btw, I’m not going to upgrade to 15.0 anytime soon for a plethora of reasons (time constraints and workload – need to avoid splitting my task for maintaining different sets of production system versions – the number of those I maintain is a 2digit number – and a huge amount of changes I’d need to research first in order to reach the same working environment I depend on, on my desktop, etc.). It will eventually happen, but certainly not on Feb 2nd.

        So I guess it would be good if you’d leave the 14.2 slackbuild sources (if not the builds) of your last 14.2 chromium builds up for download even after 2nd February, so that people who are able to build the package themselves, can continue to do so (a.k.a. slackbuilds.org approach). I have prepared patches for/built the Seamonkey myself in the past, will build Chromium myself too. Sigh. (After all, this is the main Slackware advantage as I see it – one can support themselves in the sense of backporting needed fixes, and even complex tasks like building a browser, notwithstanding how cumbersome it can be to prepare, are a viable option for those, who have good reasons why not to rely on the builds done by someone else…).

        Btw, could you elaborate a bit about the burden the 14.2 (32bit) builds of these newest chromium releases pose? Should one expect to create handmade fixes for failing builds like every second canary release or something like that?

        • alienbob

          There is no “14.2 SlackBuild”. There’s just the “build” directory which builds packages for every Slackware release if that is asked.
          You can of course download these sources in future and compile them on Slackware 14.2 but you will be running into increasingly obscure compilation issues.
          There has been a person earlier this year who kept spamming my mailbox with his failing attempts to compile even older versions of Chromium on Slackware 14.0.

          • JanR

            OK. I havent looked at them yet, I must admit. And the one person who has mailed you 14.0-related backporting issues wasnt me. However it might be a bit indicative of problems (s)he can have, similar to mine.
            Btw, part of the hassle of upgrading to 15.0 from 14.2 is that this cannot be easily done by a rolling approach (by looking at the ChangeLog). Too many things have changed and progress in libstdc++ dependent things has gone mad.
            It will require a completely clean install which I didnt do for ages.

      • BrianA_MN

        Hi Eric, I was asking more about all your 14.2 packages, not just the Chromium packages. I’m not great at debugging, but your slackbuilds are a starting point, rather than trying from fresh or with rpm2tgz, or even src2pkg. Thanks again for all your support.

        PS I too am not planning to upgrade to 15.0 anytime soon. My reasons are that I find the frequent updates for base system programs right now to be perplexing that there are still many bugs and security holes in the newer versions.

        On the other hand I also notice that Pat isn’t’ providing many security fixes for older versions of base programs, unless they are severe.

        • alienbob

          Can you point out these bugs and security holes that exist in new programs that do not exist in their Slackware 14.2 versions? I am curious.
          Also, Slackware 15.0 is quite stable in terms of updates – you’ll only get security updates and no version upgrades that add functionality. There’s -current for that.

          I’ll stop updating all my Slackware 14.2 packages early 2023. More the result of time constraints and not so much an inability to compile new program versions on Slackware 14.2 by the way.

          • BrianA_MN

            Hi Eric, thanks for the support you have always and continue to provide for Slackware. Thank you for providing the timeline for continued support of 14.2 compiles at your repository. It is not clear if you will take down the slackbuild 14.2 scripts also, or just end compilation based on those scripts?

            I apologize if my comments about frequent updates to 15.0 struck a nerve, that was not my intent. It was simply to provide an observation that there have been many more updates to the 15 packages, both fixes and security as the Changelog provides, than there have been updates to 14.2. It is not my intent to disparage Slackware, Pat or your efforts, it is only an observation that reflects my time constraints also; which are I have less time to deal with the weekly multiple updates in 15 compared to a couple updates per month for 14.2. I’m also sorry to clutter this great blog with these observations, Your time and information are always a fascinating and enjoyable read. Your slackbuild scripts and repository are clean builds and truly appreciated by those of us who don’t have your skills.

            Merry Christmas.

          • alienbob

            I still think you are confusing Slackware 15.0 wth -current.
            If you look at http://www.slackware.com/changelog/stable.php?cpu=x86_64 you see multiple updates per week, but they concern only an extremely limited amount of packages. And all of those updates are security fixes. I would not skip them.
            On the other hand, the software in Slackware 14.2 is so old that most of these software releases are considered obsolete by their developers. That does not mean they are not vunerable to attacks! It’s just that the developers don’t care about the ancient versions of their software and expect people to move on.
            Slackware 14.2 is just a sitting duck at the moment. And an upgrade strategy for a Slackware 15.0 computer could be that you check for updates once per week, at a fixed time of day, apply any updates, and continue with what you were doing. Won’t take that much time.

            As I explained earlier, there are no “Slackware 14.2” build scripts in my repository. There’s always just the “build” directory which produces the packages for all of the Slackware releases that I support. But once I stop compiling a package for a certain release of Slackware, say 14.2, there is no guarantee that the sources in the “build” directory will be successful at producing a package. It will be untested. And considering the time I spend often in finding patches or workarounds, it will not take long before my scripts stop compiling on Slackware 14.2 once I stop supporting that platform.
            And don’t worry about cluttering the blog. You have valid questions and other people might also want to read the answers to them.

  7. JanR

    Tried chromium-108.0.5359.94-i586-1alien build on slackware-14.2 x86 . The resulting binary wont start. It complains “undefined symbol: gbm_bo_get_modifier”. The 14.2’s default mesa-11.2.2-i586-1 (that I use) has a libgbm that does not contain that symbol. So you have either compiled with newer, backported mesa, or the devs have just screwed up again.

  8. Sergey

    Can I download chromium-107.0.5304.121-x86_64-1alien.txz somewhere? I lost my old package and now lost the browser because 108 does not start with “undefined symbol: gbm_bo_get_modifier”.

    • alienbob

      I’ll re-add the older 107 packages temporarily, while I try to fix the symbol error in the 108 packages.
      Watch my repository for updates in the next hour.

      • Sergey

        Thank you, Eric! You save me! 🙂

  9. alienbob

    A fix package for chromium-108.0.5359.94 is going to be available in my repository in an hour. Chromium 108 works again on Slackware 14.2 and newer.

    • Magic Magee

      Very grateful! Thanks for your quick attention to this

  10. Sergey

    Thanks Eric!

    108 works perfectly now

  11. Konrad J Hambrick

    Eric —
    Maybe I am jumping the gun but I just now upgraded the following Packages to your Dec 09-10 Releases:
    chromium-108.0.5359.98-x86_64-1alien
    chromium-ungoogled-108.0.5359.98-x86_64-1alien
    chromium-widevine-plugin-4.10.2557.0-x86_64-1alien
    and I am posting this Comment from chromium-ungoogled-108.0.5359.98-x86_64-1alien
    Thank You !
    — kjh

    • alienbob

      I wasn’t going to post about the new packages, good to hear that you find them nevertheless and they work to your satisfaction 🙂

  12. Janis

    Hi!
    may be you can give an advice/ides where I could find Chromium for Slackware 14.1/ARMv6? (to be used on Raspberry PI 2B as chromedriver for Selenium) Or it is not worth the efforts?

    • Janis

      ok 14.2 would do, Raspi2 does not go higher

      • alienbob

        I have no idea. You’ll have to try yourself.

  13. JanR

    Hello Eric,

    In my attempt to start preparing my dev. slackware 14.2 environment for compiling the chromium using your SlackBuild, my preliminary sweep through it made me curious:

    – What nodejs and JRE are you using for the task? I’d guess rebuilding nodejs from -current on 14.2 would do the trick, but I have no clue what flavor and version of JRE are you using for building. Can you tell me please?

    – The llvm shipped with 15.0 (that I’ve rebuilt & installed on 14.2) lacks lld. Are you sure lld is necessary if clang is to be used for compiling (SlackBuild sets LD=/usr/bin/lld)?

    Just FYI: I’ve enhanced my 14.2 system quite some time ago with a set of 15.0-originating development packages that I’ve recompiled in 14.2 environment, in an attempt to be ready for this task (my primary goal was a bit different – compiling mesa from 15.0 for my personal purposes – and that goal has been reached).

  14. chuck56

    Eric,
    chromium-ungoogled broke on my -current system due to Pat’s removal of libFLAC.so.8.3.0 from the aaa_libraries.

    Sat Dec 17 02:40:06 UTC 2022
    a/aaa_libraries-15.1-x86_64-14.txz: Rebuilt.
    Removed: … libFLAC.so.8.3.0 …

    Short term I added a link to my system which seems to work:

    2022-12-17 ADDED chromium-ungoogled
    ln -s /usr/lib64/libFLAC.so.12 /usr/lib64/libFLAC.so.8

    I’ll remove the link from my system when/if chromium-ungoogled moves to a more recent FLAC.

    Thanks for all you do!

    • alienbob

      The next Chromium package which is in the process of compiling (takes 8+ hours) will use its own internal FLAC library. That will solve the problem.

      • Konrad J Hambrick

        Thanks alienbob
        I am posting from chromium-ungoogled-108.0.5359.124-x86_64-1alien on Slackware64 15.0 +multilib.
        Works great for me.
        I also reported the update on LQ in a thread related to the libFLAC issue on -current ( see https://www.linuxquestions.org/questions/slackware-14/chromium-ungoogled-complaining-about-libflac-library-4175719904/#post6398669 )
        Hope that’s OK.
        Thanks again and happy holidays to you and yours !
        — kjh

        • alienbob

          Hi Konrad,

          You are of course free to report or discuss anything concerning my stuff on LQ. It’s just me that is no longer visiting there.
          If anything of interest to me is discussed there, it will eventually find its way to me via this blog of via email, if it is important enough.

  15. Marco

    Thanks for Chromium(-ungoogled) 109.0.5414.74 update!

    • Konrad J Hambrick

      Thanks Eric.
      Posting from chromium-ungoogled-109.0.5414.74-x86_64-1alien where everything works as expected.
      Also installed libreoffice-7.4.4-x86_64-1alien last Friday with fairly heavy use and it works great !
      Thanks and Happy NY !
      — kjh

      • Petri Kaukasoina

        Unfortunately, chromium-109.0.5414.74-x86_64-1alien does not work on 14.2:

        /usr/lib64/chromium/chromium: symbol lookup error: /usr/lib64/chromium/chromium: undefined symbol: drmGetDevices2

        The 14.2 version of libdrm.so.2.4.0 from libdrm-2.4.68-x86_64-1 does not offer symbol drmGetDevices2. The -current version of libdrm.so.2.4.0 from libdrm-2.4.114-x86_64-1 does, so it works fine on -current.

        • alienbob

          Yeah it looks like Slackware 14.2 is getting long in the tooth.
          As said before, I will end supporting Chromium on Slackware 14.2 per Feb 22, 2023, but I will try and get this libdrm issue fixed first.

          • Slack14.2_user

            Hello. I unfortunatelly upgrade my chromium package to version 109 on my Slackware 14.2 and browser wont run anymore. Can I download somewhere previous version which works fine now?

          • alienbob

            I do not keep previous versions available, perhaps if you are using slackpkg+ a cached copy can still be found in /var/cache/packages/ but I am afraid it will not be there.
            I am finishing the rebuild (BUILD=2) for the last chromium package and then I will upload versions for chromium and chromium-ungoogled 109 that work again on Slackware 14.2
            Compiling a single chromium package takes 9 hours on average. For every failure in the build process or the resulting binary, another 9 hours. Etcetera.

  16. Erich

    https://taper.alienbase.nl/people/alien/slackbuilds/chromium-ungoogled/pkg64/15.0/ is missing the *.lst, *.meta, and *.txz.asc files. My mirror script spit out a “failed gpg verification” warning which is how I noticed.

    • alienbob

      It’ll be OK in the end. Just wait.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2024 Alien Pastures

Theme by Anders NorenUp ↑