Chromium 55+ doesn't support Widevine library

Bug #1652110 reported by Chad Miller on 2016-12-22
This bug affects 35 people
Affects: chromium-browser (Ubuntu)
Importance: High
Assigned to: Olivier Tilloy

Bug Description

Since the update to version 55, Amazon Prime Video and Magine TV no longer work. I thought the fix solves this problem, but apparently I was wrong. It also seems that Widevine DRM no longer works since version 55. This affects Chromium, Opera and Vivaldi because they all use chromium-codecs-ffmpeg-extra.
A downgrade to version 53 restores the function.

Chad Miller (cmiller) on 2016-12-22
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
Dirk Böttger (dirkboettger) wrote :

This may help

Vivaldi via update to version 1.6.689.46-1
Changelog since the second 1.6 release
[Linux] Vivaldi does play proprietary HTML5 video and audio on Ubuntu with chromium-codecs-ffmpeg-extra 55.0.2883.87 (VB-24384)

Chris Cheney (ccheney) wrote :

This also affects Spotify and likely Netflix.

Is this going to be fixed?

Fink Nottle (finknottle) wrote :
Vuk (wooque) wrote :

Issue still present in Chromium 62.0.3202.75. Spotify won't work.
Is there any workaround?

Vuk (wooque) wrote :

Debian contains /debian/patches/fixes/widevine-revision.patch; a similar patch also exists in Arch, but not in Ubuntu.
Also, fix_building_widevinecdm_with_chromium.patch is probably not needed anymore. There isn't a similar patch in Arch or Debian.
Maybe replacing fix_building_widevinecdm_with_chromium.patch with widevine-revision.patch will help.

Olivier Tilloy (osomon) on 2017-11-10
Changed in chromium-browser (Ubuntu):
assignee: Chad Miller (cmiller) → Olivier Tilloy (osomon)
status: Confirmed → In Progress
Olivier Tilloy (osomon) on 2017-11-13
Changed in chromium-browser (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 63.0.3239.84-0ubuntu0.17.04.1

---------------
chromium-browser (63.0.3239.84-0ubuntu0.17.04.1) zesty; urgency=medium

  * Upstream release: 63.0.3239.84
    - CVE-2017-15407: Out of bounds write in QUIC.
    - CVE-2017-15408: Heap buffer overflow in PDFium.
    - CVE-2017-15409: Out of bounds write in Skia.
    - CVE-2017-15410: Use after free in PDFium.
    - CVE-2017-15411: Use after free in PDFium.
    - CVE-2017-15412: Use after free in libXML.
    - CVE-2017-15413: Type confusion in WebAssembly.
    - CVE-2017-15415: Pointer information disclosure in IPC call.
    - CVE-2017-15416: Out of bounds read in Blink.
    - CVE-2017-15417: Cross origin information disclosure in Skia.
    - CVE-2017-15418: Use of uninitialized value in Skia.
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink.
    - CVE-2017-15420: URL spoofing in Omnibox.
    - CVE-2017-15422: Integer overflow in ICU.
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
    - CVE-2017-15424: URL Spoof in Omnibox.
    - CVE-2017-15425: URL Spoof in Omnibox.
    - CVE-2017-15426: URL Spoof in Omnibox.
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
  * debian/rules:
    - replace allow_posix_link_time_opt=false by use_lld=false, is_cfi=false
      and use_thin_lto=false
    - rename use_vulcanize GN flag to optimize_webui
    - generate the man page as it's not being built with chromium any
      longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
    - build gn with clang
  * debian/patches/arm-neon.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
    debian/patches/widevine-revision.patch
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: updated
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/touch-v35: refreshed
  * debian/patches/widevine-other-locations: updated (LP: #1652110)
  * debian/patches/widevine-revision.patch: added (LP: #1652110)

 -- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:35:57 +0100

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 63.0.3239.84-0ubuntu0.14.04.1

---------------
chromium-browser (63.0.3239.84-0ubuntu0.14.04.1) trusty; urgency=medium

  * Upstream release: 63.0.3239.84
    - CVE-2017-15407: Out of bounds write in QUIC.
    - CVE-2017-15408: Heap buffer overflow in PDFium.
    - CVE-2017-15409: Out of bounds write in Skia.
    - CVE-2017-15410: Use after free in PDFium.
    - CVE-2017-15411: Use after free in PDFium.
    - CVE-2017-15412: Use after free in libXML.
    - CVE-2017-15413: Type confusion in WebAssembly.
    - CVE-2017-15415: Pointer information disclosure in IPC call.
    - CVE-2017-15416: Out of bounds read in Blink.
    - CVE-2017-15417: Cross origin information disclosure in Skia.
    - CVE-2017-15418: Use of uninitialized value in Skia.
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink.
    - CVE-2017-15420: URL spoofing in Omnibox.
    - CVE-2017-15422: Integer overflow in ICU.
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
    - CVE-2017-15424: URL Spoof in Omnibox.
    - CVE-2017-15425: URL Spoof in Omnibox.
    - CVE-2017-15426: URL Spoof in Omnibox.
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
  * debian/control: build-depend on gcc-mozilla (which is effectively gcc 4.9
    on trusty)
  * debian/rules:
    - change use_gold GN flag to false
    - remove linux_use_bundled_binutils=false GN flag
    - replace allow_posix_link_time_opt=false by use_lld=false, is_cfi=false
      and use_thin_lto=false
    - rename use_vulcanize GN flag to optimize_webui
    - generate the man page as it's not being built with chromium any
      longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
  * debian/patches/arm-neon.patch: refreshed
  * debian/patches/build-with-gcc-mozilla.patch: added
  * debian/patches/c++-compatibility.patch: removed, no longer needed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
    debian/patches/widevine-revision.patch
  * debian/patches/no-new-ninja-flag.patch: refreshed
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: updated
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/touch-v35: refreshed
  * debian/patches/use-clang-versioned.patch: refreshed
  * debian/patches/widevine-other-locations: updated (LP: #1652110)
  * debian/patches/widevine-revision.patch: added (LP: #1652110)

 -- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:51:08 +0100

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 63.0.3239.84-0ubuntu0.17.10.1

---------------
chromium-browser (63.0.3239.84-0ubuntu0.17.10.1) artful; urgency=medium

  * Upstream release: 63.0.3239.84
    - CVE-2017-15407: Out of bounds write in QUIC.
    - CVE-2017-15408: Heap buffer overflow in PDFium.
    - CVE-2017-15409: Out of bounds write in Skia.
    - CVE-2017-15410: Use after free in PDFium.
    - CVE-2017-15411: Use after free in PDFium.
    - CVE-2017-15412: Use after free in libXML.
    - CVE-2017-15413: Type confusion in WebAssembly.
    - CVE-2017-15415: Pointer information disclosure in IPC call.
    - CVE-2017-15416: Out of bounds read in Blink.
    - CVE-2017-15417: Cross origin information disclosure in Skia.
    - CVE-2017-15418: Use of uninitialized value in Skia.
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink.
    - CVE-2017-15420: URL spoofing in Omnibox.
    - CVE-2017-15422: Integer overflow in ICU.
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
    - CVE-2017-15424: URL Spoof in Omnibox.
    - CVE-2017-15425: URL Spoof in Omnibox.
    - CVE-2017-15426: URL Spoof in Omnibox.
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
  * debian/rules:
    - replace allow_posix_link_time_opt=false by use_lld=false,
      is_cfi=false and use_thin_lto=false
    - rename use_vulcanize GN flag to optimize_webui
    - generate the man page as it's not being built with chromium any
      longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
  * debian/patches/arm-neon.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
    debian/patches/widevine-revision.patch
  * debian/patches/glibc-2-26-changes.patch: renamed to
    debian/patches/no-xlocale-header.patch and updated
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: updated
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/touch-v35: refreshed
  * debian/patches/use-clang-versioned.patch: refreshed
  * debian/patches/widevine-other-locations: updated (LP: #1652110)
  * debian/patches/widevine-revision.patch: added (LP: #1652110)

 -- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:28:26 +0100

Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
Fink Nottle (finknottle) wrote :

This is again broken with chromium 66 on 16.04. chrome is on v67 though. Some discussion about this: https://forums.gentoo.org/viewtopic-p-8217026.html?sid=b64f0e093db635a0dd3ceafcae15c57b

Olivier Tilloy (osomon) wrote :

Just tested with chromium-browser 68.0.3440.75-0ubuntu0.16.04.1 in a xenial amd64 VM, with google-chrome stable installed (68.0.3440.84-1), and widevine works.

Fink Nottle (finknottle) wrote :

Yes, this is working fine right now. For the past two releases, it would break whenever the chrome version was newer than chromium.
