I had a couple of busy weeks at work, and even though I managed to get some updated packages out the door, there was no opportunity to write about them earlier. I bought a ChromeCast and played with that instead to force myself to stay awake after dinner. So, what was new in the last two weeks?
LibreOffice:
Right before LibreOffice turned four years old, The Document Foundation announced LibreOffice 4.3.2. Belated happy birthday to the project! More than 80 fixes went into this minor release, with a focus on interoperability issues when reading or writing Microsoft Office (DOCX, XLSX and PPTX) files.
My previous article which I wrote for LibreOffice 4.3.1 has some additional info on the 4.3 series, should you not have read it before.
LibreOffice 4.3.2 packages for Slackware 14.1 and -current are ready for download from the usual mirror locations:
If there is anyone who has a solution for LibreOffice being incapable to ignore the system harfbuzz library and use an internal version instead… please let me know. It annoys the hell out of me that I can not use the updated harfbuzz in my ‘ktown‘ repository without breaking LibreOffice.
Chromium:
A couple of days ago Chromium stable was updated to 38.0.2125.101. The package which I have built is just for Slackware 14.1 & current. I am pondering an update for the package for Slackware 13.37 & 14.0 but don’t hold your breath. I’ll meet you halfway: I have refreshed the chromium_1337.SlackBuild script in case you want to compile a new one yourself (that script builds the package which I offer for both the older Slackware releases).
Taken from the Chrome releases blog: Chromium 38.0.2125.101 addresses a whopping amount of 159 security fixes, of which these stand out –
- [$27633.70][416449] Critical CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox.
- [$3000][398384] High CVE-2014-3189: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
- [$3000][400476] High CVE-2014-3190: Use-after-free in Events. Credit to cloudfuzzer, Chen Zhang (demi6od) of NSFOCUS Security Team.
- [$3000][402407] High CVE-2014-3191: Use-after-free in Rendering. Credit to cloudfuzzer.
- [$2000][403276] High CVE-2014-3192: Use-after-free in DOM. Credit to cloudfuzzer.
- [$1500][399655] High CVE-2014-3193: Type confusion in Session Management. Credit to miaubiz.
- [$1500][401115] High CVE-2014-3194: Use-after-free in Web Workers. Credit to Collin Payne.
- [$4500][403409] Medium CVE-2014-3195: Information Leak in V8. Credit to Jüri Aedla.
- [$3000][338538] Medium CVE-2014-3196: Permissions bypass in Windows Sandbox. Credit to James Forshaw.
- [$1500][396544] Medium CVE-2014-3197: Information Leak in XSS Auditor. Credit to Takeshi Terada.
- [$1500][415307] Medium CVE-2014-3198: Out-of-bounds read in PDFium. Credit to Atte Kettunen of OUSPG.
- [$500][395411] Low CVE-2014-3199: Release Assert in V8 bindings. Credit to Collin Payne.
This list shows that there is a healthy interest from external researchers to audit the code and contribute to the security of the browser (not only Chrome, but Chromium and Chrome OS profit from these as well). The biggest bonus of over 27 thousand dollars shows that Google is taking security very seriously. They recently announced that they were going to increase the value of these bonuses… et voilà!
Get my Chromium 38.0.2125.101 packages in one of the usual locations:
Let me remind you again, that you can subscribe to the repository’s RSS feed if you want to be the first to know when new packages are uploaded.
Eric
Recent comments