Alien Pastures

My thoughts on Slackware, life and everything

Tag: zero-day

Update your Chromium to 93.0.4577.82

September 15, 2021 / / 12 Comments

Today, I uploaded a set of Chromium 93.0.4577.82 packages for Slackware 14.2 and -current (32-bit as well as 64-bit).

According to yesterday’s official announcement on the Google blog, this release patches a number of vulnerabilites and two of them are zero-day vulnerabilities that are actively being exploited online.

The advice is to upgrade Chromium on your Slackware 14.2 and -current computers as soon as possible.

The ungoogled-chromium sources are lagging behind as usual, but I have hopes that a new source tarball will appear soon, now that we have a Chromium update which addresses multiple zero-days. Eloston, the project maintainer, seems AWOL but several contributors have a working patch set ready.

Stay safe! Eric

Chromium security updates (and fix for 32-bit crash)

March 16, 2021 / / 11 Comments

I have updated the ‘chromium‘, ‘chromium-ungoogled‘ and ‘chromium-widevine-plugin‘ packages in my repository.

For Chromium (-ungoogled) these are security updates. The new 89.0.4389.90 release addresses several critical vulnerabilities (it’s the third release in the 89 series in rapid succession actually, to fix critical bugs) but in particular it plugs a zero-day exploit that exists in the wild: CVE-2021-21193. You are urged to update your installation of Chromium (-ungoogled) ASAP.

I made chromium-ungoogled also available for Slackware 14.2, I hope that makes some people happy.

Since I had to build packages anyway, I took the opportunity to apply a patch that fixes the crashes on 32-bit systems with glibc-2.33 installed (i.e. on Slackware-current).
In that same chromium-distro-packagers group that is the home of the discussion about Google’s decision to cripple 3rd-party Chromium browsers, I had asked the Chromium team to address the crash Slackware users are experiencing. Google is no longer offering 32-bit binaries which means, issues like these are not likely to be caught in their own tests, but they are listening to the packagers who do build 32-bit binaries. Luckily. And the fix took a while to actually get implemented, but in the end it all worked out. I assume that the patch will end up in the Chromium source code after it passes the internal review process.

The Widevine plugin package for which I provided an update, is meant for chromium-ungoogled only. The ‘real’ Chromium does not need or use it, since Chromium downloads this CDM library automatically for you. The change to the package is small: it adds a compatibility symlink. That is not needed for chromium-ungoogled itself, but I was alerted to the fact that Spotify specifically looks for ‘libwidevinecdm.so’ in the toplevel Chromium library directory. The update takes care of that.

Also, this was the last package which i compiled for Chromium that contains my Google API Key as well as the OAuth client/secret credentials. I noticed that Chromium still works as before, even now after the 15 March deadline has passed, but future builds of my package will only contain my API key. That will leave the Safe Browsing functional, but it removes the Chrome Sync and other features. If you still want Chrome Sync to work with Chromium, I just want to point you to “/etc/chromium/01-apikeys.conf” in my future packages and get inspired by its content.

Have fun!
Eric

© 2024 Alien Pastures

Theme by Anders NorenUp ↑