Security update for Chromium 48

chromium_iconGoogle released an update for Chrome/Chromium – their version 48 of the browser is now at “48.0.2564.109“. The chromium sources are still not available six days after the announcement, even though the official Chrome binary distributions were available right from the start. I think that this is inexcusable for a big company like Google, but this is not the first time that their autobots falter and no one cares enough to fix the release process. Notwithstanding some complaints by fellow application packagers.

So for this release I switched to the “chromium source tarball” git repository to get a tarball and compile some Slackware packages.

This chromium release addresses a couple of security issues with the following CVE numbers:

  • [$7500][546677] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
  • [$7500][577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [$TBD][583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
  • [$1000][509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
  • [571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP’s Zero Day Initiative.
  • [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.

Get my chromium packages in one of the usual locations:

The widevine and pepperflash plugin packagess for chromium can be found in the same repository.

Have fun! Eric

11 thoughts on “Security update for Chromium 48

  1. Google’s been doing this a lot lately. For instance the OSX update to chrome was late a week. Mere oversight that they didn’t upload the correct boundary? I know, never ascribe to malice what’s explained by incompetence.

  2. Upon starting Chromium 48.0.2564.97, it told me to run:

    sudo chmod -R 1777 /dev/shm

    “ls /dev/shm” showed contains many PulseAudio files. Yet, Chromium didn’t detect any audio devices.

  3. cwizardone , ideally, yes, because it indicates that I extracted the plugin from a Chrome binary of the same version.
    Fortunately, the widevine plugin’s internal version has not changed for a long time, so the package in my repository will still work. I will update the widevine package soon-ish.

  4. Pingback: Links 16/2/2016: FOSS Search Engine of Wikipedia, Street Fighter V on GNU/Linux | Techrights

  5. Eric: Google will stop providing 32-bit executables early March. I had a look at your SlackBuild and I see no *technical* reason to not produce a 32-bit executable. Will you continue to provide 32-bit executables?
    Regards, Dick

  6. Google has stated that it will stop providing pre-built 32-bit executables, but that the Chromium code can still be compiled as 32-bit code.
    So I will still be providing 32-bit chromium packages after March.
    Without the 32-bit binary chrome distribution this will of course mean the end of my 32-bit chrome-widevine-plugin and chrome-pepperflash-plugin packages.
    The 64-bit plugins will still be shipped with the 64-bit chrome binaries.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.