Last week, Chromium 68 was introduced to the “Stable Channel” with lots of bugs fixed, many of those being security fixes (42 in total). And a few days ago an update was released, so I decided to build Chromium 68 for Slackware.
NOTE: starting with Chromium 68, the browser will show a “Not secure” warning on all HTTP pages. Google announced this in a blog post published on February 8th on Google’s Chromium and Online Security blogs.
You’ll find 32bit as well as 64bit packages for Chromium 68.0.3440.84 in my package repository. They are available for both Slackware 14.2 and -current. I have also updated the Chromium Widevine plugin to version 18.104.22.1688. The older version refused to work with Chromium 68. Note that the Widevine plugin is available for 32bit just as for the 64bit browser, so even those running older computers (or those of you who are in need of a 32bit OS) can enjoy DRM movie playback.
For newcomers: Widevine is a Content Decryption Module (CDM) used by Netflix to stream video to your computer in a Chromium browser window. With my chromium and chromium-widevine-plugin packages you no longer need Chrome (or Firefox if you dislike that browser), to watch Netflix.
Also note (to the purists among you): even though support for Widevine CDM plugin has been built into my chromium package, that package is still built from Open Source software only. As long as you do not install the chromium-widevine-plugin package, your system will not be tainted by closed-source code.
Google released chrome/chromium 59.0.3071.86 earlier this week. This was accompanied by a rather big list of security updates.
Taken from the Red Hat Security Advisory: “Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2017-5070, CVE-2017-5071, CVE-2017-5072, CVE-2017-5073, CVE-2017-5074, CVE-2017-5075, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5080, CVE-2017-5081, CVE-2017-5086, CVE-2017-5082, CVE-2017-5083, CVE-2017-5085)”
Otherwise, Chromium did not receive new functionality that immediately jumps out at me, except that the Chrome Settings page has changed its look and feel to Google’s “Material Design“.
Remember when you want to compile Chromium yourself, you will need ninja and nodejs (fortunately ninja and nodejs are only needed for the compilation, not for actually running the browser).
The packages for chromium, and the chromium widevine CDM plugin, are available for Slackware 14.2 and -current in my repository or one of its mirrors:
Google updated their Chrome/Chromium with mention of some security fixes. I had to finish compiling LibreOffice first, and also it takes a while for the official chromium source tarball to appear on Google’s servers. But the weekend started uneventful so it was easy to build you some new packages for the chromium browser inbetween baking some tasty sourdough bread. Accompanied by packages for the widevine plugin (a closed-source non-free plugin which allows you to watch Netflix in particular).
The security fixes in chromium 45.0.2454.101 have CVE numbers:
[$TBD] High CVE-2015-1303: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.
[$TBD] High CVE-2015-1304: Cross-origin bypass in V8. Credit to Mariusz Mlynski.
Get my chromium (and widevine plugin) packages in one of the usual locations:
This means that I have said goodbye to the single configuration file (/etc/default/chromium) and switched to a configuration directory, which is “/etc/chromium/” for the chromium package. Each package (Chromium as well as any plugin or extension) can add its own configuration file to that directory. The new packages for chromium, chromium-pepperflash-plugin and chromium-widevine-plugin are now using this new setup.
I made one other change: I have applied a patch taken from an Ubuntu PPA. That patch is based on a blog post which explains how to enable VAAPI (aka hardware video decoding) on Linux. The chromium sources disable this functionality by default if you are not compiling for ChromeOS. Tell me your experiences with playback of H.264 video!
The new chromium packages have the version number 43.0.2357.65. The first release of the “43” series brings a total of 37 published security fixes, and here are the CVE’s:
[$16337] High CVE-2015-1252: Sandbox escape in Chrome. Credit to anonymous.
[$7500] High CVE-2015-1253: Cross-origin bypass in DOM. Credit to anonymous.
[$3000] High CVE-2015-1254: Cross-origin bypass in Editing. Credit to Armin Razmdjou.
[$3000] High CVE-2015-1255: Use-after-free in WebAudio. Credit to Khalil Zhani.
[$2000] High CVE-2015-1256: Use-after-free in SVG. Credit to Atte Kettunen of OUSPG.
 High CVE-2015-1251: Use-after-free in Speech. Credit to SkyLined working with HP’s Zero Day Initiative
[$1500] Medium CVE-2015-1257: Container-overflow in SVG. Credit to miaubiz.
[$1000] Medium CVE-2015-1258: Negative-size parameter in Libvpx. Credit to cloudfuzzer
[$1000] Medium CVE-2015-1259: Uninitialized value in PDFium. Credit to Atte Kettunen of OUSPG
[$1000] Medium CVE-2015-1260: Use-after-free in WebRTC. Credit to Khalil Zhani.
[$500] Medium CVE-2015-1261: URL bar spoofing. Credit to Juho Nurminen.
[$500] Medium CVE-2015-1262: Uninitialized value in Blink. Credit to miaubiz.
[$500] Low CVE-2015-1263: Insecure download of spellcheck dictionary. Credit to Mike Ruddy.
[$500] Low CVE-2015-1264: Cross-site scripting in bookmarks. Credit to K0r3Ph1L.
Get my chromium packages in one of the usual locations:
I have been working on some changes for the chromium package, and what’s better than to first test those changes on a Chromium Development release?
I have not really been happy with the choice I made to have a single configuration file (/etc/default/chromium) which would then have to be re-written by any plugins that you would install. For instance, the PepperFlash plugin modifies that file so that Chromium learns of the pathname and version of that plugin when it starts. Unfortunately, some people would accidentally wipe those modifications with every update to the Chromium main package (the “/etc/default/chromium.new” file would overwrite the “/etc/default/chromium” file if you were not paying attention).
So what I did was change the single configuration file into a configuration directory, which is “/etc/chromium-dev/” for the Chromium Dev package. Each package (Chromium as well as any plugin or extension) can add its own configuration file to that directory. As an example of how that works, I have created packages for chromium-dev, chromium-dev-pepperflash-plugin and chromium-dev-widevine-plugin that use this new setup. Those are Slackware packages for -current only by the way – when a new version of Chromium Stable is released I will also add this new configuration setup and then the packages will be released for Slackware 14.1 as well.
What else is there to say about my chromium-dev packages? Chromium-dev is the development release of the browser (there’s also a “beta” channel but I don’t care about that too much). Testing the development release from time to time is preparing me well in advance for major (or subtle) changes in the compilation process and functionality, so that when the stable channel jumps to a higher major release it won’t take me long to come up with a set of packages.
The new chromium-dev packages have the version number 44.0.2398.0. So what changed with this new major release 44 compared to the previous 43 (or even the stable 42)? One important change is that it is no longer necessary to extract the Widevine CDM library from an official Google Chrome RPM in order to compile the Open Source Widevine adapter library which is the piece of code that interfaces between the browser and the closed-source Content Decryption Module. Therefore even the Open Source purists should be at peace now with the new process. If you do want to use Widevine CDM, for instance when you want to stream Netflix in your Chromium browser, you simply install my widevine-plugin package (the version it reports will be 22.214.171.1243). The browser itself will not be tainted.
The PepperFlash plugin package which I added as well (first time for my Chromium Dev releases) has a change as well, compared to the package for Chromium Stable. The PepperFlash directory is installed to “/usr/lib64/chromium-dev/” instead of “/usr/lib64/” (it’s “lib” for 32bit Slackware of course) so that the pepperflash-plugin package’s files will not clash with the pepperflash-plugin for Chromium Stable. The plugin for Chromium Dev reports itself as version 126.96.36.199 by the way. This version is not even listed yet on Adobe’s Flash test page. I assume that this too, is a development version.
Get my Chromium Development packages in one of the usual locations: