My thoughts on Slackware, life and everything

Security update for Chromium 48

Google released an update for Chrome/Chromium – their version 48 of the browser is now at “48.0.2564.109”. The chromium sources are still not available six days after the announcement, even though the official Chrome binary distributions were available right from the start. I think that this is inexcusable for a big company like Google, but this is not the first time that their autobots falter and no one cares enough to fix the release process, notwithstanding some complaints by fellow application packagers.

So for this release I switched to the “chromium source tarball” git repository https://github.com/zcbenz/chromium-source-tarball/releases to get a tarball and compile some Slackware packages.

This chromium release addresses a couple of security issues with the following CVE numbers:

  • [$7500][546677] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
  • [$7500][577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [$TBD][583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
  • [$1000][509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
  • [571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP’s Zero Day Initiative.
  • [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.

Get my chromium packages in one of the usual locations:

The widevine and pepperflash plugin packages for chromium can be found in the same repository.

Have fun! Eric

10 Comments

  1. Jen

    Google’s been doing this a lot lately. For instance the OSX update to chrome was a week late. Mere oversight that they didn’t upload the correct boundary? I know, never ascribe to malice what’s explained by incompetence.

  2. Jen

    Er, binary. Autocorrect fail.

  3. cwizardone

    In the past didn’t Chromium and the widevine plugin have to have the same version number?

  4. Geremia

    Upon starting Chromium 48.0.2564.97, it told me to run:

    sudo chmod -R 1777 /dev/shm

    “ls /dev/shm” showed it contains many PulseAudio files. Yet, Chromium didn’t detect any audio devices.

  5. alienbob

    cwizardone, ideally, yes, because it indicates that I extracted the plugin from a Chrome binary of the same version.
    Fortunately, the widevine plugin’s internal version has not changed for a long time, so the package in my repository will still work. I will update the widevine package soon-ish.

  6. D.L.C. Burggraaff

    Eric: Google will stop providing 32-bit executables early March. I had a look at your SlackBuild and I see no *technical* reason to not produce a 32-bit executable. Will you continue to provide 32-bit executables?
    Regards, Dick

  7. D.L.C. Burggraaff

    Hmm, I meant “Google will stop providing 32-bit *Chrome* executables”.

  8. D.L.C. Burggraaff

    And what about the plugins?
    Regards again, Dick

  9. alienbob

    Google has stated that it will stop providing pre-built 32-bit executables, but that the Chromium code can still be compiled as 32-bit code.
    So I will still be providing 32-bit chromium packages after March.
    Without the 32-bit binary chrome distribution this will of course mean the end of my 32-bit chrome-widevine-plugin and chrome-pepperflash-plugin packages.
    The 64-bit plugins will still be shipped with the 64-bit chrome binaries.

  10. Eduardo

    Thank you Eric! Upgraded with no problems.

© 2024 Alien Pastures
