Stable channel for Chromium hits 43
Building on my experiences with chromium-dev (the development channel of the Chromium browser which is currently at version 44), I have made similar changes to my latest package for the chromium browser and its widevine and pepperflash plugins.
This means that I have said goodbye to the single configuration file (/etc/default/chromium) and switched to a configuration directory, which is “/etc/chromium/” for the chromium package. Each package (Chromium as well as any plugin or extension) can add its own configuration file to that directory. The new packages for chromium, chromium-pepperflash-plugin and chromium-widevine-plugin are now using this new setup.
I made one other change: I have applied a patch taken from an Ubuntu PPA. That patch is based on a blog post which explains how to enable VAAPI (aka hardware video decoding) on Linux. The chromium sources disable this functionality by default if you are not compiling for ChromeOS. Tell me your experiences with playback of H.264 video!
The new chromium packages have the version number 43.0.2357.65. The first release of the “43” series brings a total of 37 published security fixes, and here are the CVEs:
- [$16337] High CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous.
- [$7500] High CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous.
- [$3000] High CVE-2015-1254: Cross-origin bypass in Editing. Credit to Armin Razmdjou.
- [$3000] High CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani.
- [$2000] High CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen of OUSPG.
- High CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined working with HP’s Zero Day Initiative.
- [$1500] Medium CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz.
- [$1000] Medium CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer.
- [$1000] Medium CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen of OUSPG.
- [$1000] Medium CVE-2015-1260: Use-after-free in WebRTC. Credit to Khalil Zhani.
- [$500] Medium CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen.
- [$500] Medium CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz.
- [$500] Low CVE-2015-1263: Insecure download of spellcheck dictionary. Credit to Mike Ruddy.
- [$500] Low CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L.
Get my chromium packages in one of the usual locations:
- http://slackware.com/~alien/slackbuilds/chromium/ (primary server)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/chromium/ (my own US mirror)
- http://alien.slackbook.org/slackbuilds/chromium/ (US)
- http://slackware.org.uk/people/alien/slackbuilds/chromium/ (UK)
Change the URL a bit to get the widevine-plugin and pepperflash-plugin packages.
Have fun!

Eric