Ubuntu
chromium-browser package

Chromium 55+ doesn't support Widevine library

Bug #1652110 reported by Chad Miller on 2016-12-22

This bug affects 35 people

Affects

Status

Importance

Assigned to

Milestone

chromium-browser (Ubuntu)

Fix Released

High

Olivier Tilloy

You need to log in to change this bug's status.

Affecting:	chromium-browser (Ubuntu)
Filed here by:	Chad Miller
When:	2016-12-22
Confirmed:	2016-12-22
Assigned:	2016-12-22
Started work:	2017-11-10
Completed:	2017-12-11

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	High

Assigned to

	Me
	Olivier Tilloy (osomon)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Since the update to version 55, Amazon Prime Video and Magine TV no longer work. I thought the fix solves this problem, apparently I was wrong. It seems also Widevine DRM since version 55 no longer work. This affects Chromium, Opera and Vivaldi because they use all chromium-codecs-ffmpeg-extra.
A downgrade to version 53 restores the function.

Add tags Tag help

Related branches

lp:~chromium-team/chromium-browser/artful-beta

lp:~chromium-team/chromium-browser/bionic-beta

lp:~chromium-team/chromium-browser/zesty-beta

lp:~chromium-team/chromium-browser/xenial-beta

lp:~chromium-team/chromium-browser/trusty-beta

CVE References

Chad Miller (cmiller) on 2016-12-22

Changed in chromium-browser (Ubuntu):
assignee:	nobody → Chad Miller (cmiller)
importance:	Undecided → High

Launchpad Janitor (janitor) wrote on 2016-12-22:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status:	New → Confirmed

Dirk Böttger (dirkboettger) wrote on 2016-12-23:

This may help

Vivaldi via update to version 1.6.689.46-1
Changelog since the second 1.6 release
[Linux] Vivaldi does play proprietary HTML5 video and audio on Ubuntu with chromium-codecs-ffmpeg-extra 55.0.2883.87 (VB-24384)

Chris Cheney (ccheney) wrote on 2017-06-28:

This also affects Spotify and likely Netflix.

Is this going to be fixed?

Fink Nottle (finknottle) wrote on 2017-07-21:

Relevant issue for a potential fix: https://github.com/saiarcot895/chromium-ubuntu-build/issues/18

Vuk (wooque) wrote on 2017-11-05:

Issue still present in Chromium 62.0.3202.75. Spotify won't work.
Is there any workaround?

Vuk (wooque) wrote on 2017-11-05:

Debian contains /debian/patches/fixes/widevine-revision.patch, similar patch exists in Arch also, but not in Ubuntu.
Also fix_building_widevinecdm_with_chromium.patch is probably not needed anymore. There isn't similar patch in Arch nor Debian.
Maybe replacing fix_building_widevinecdm_with_chromium.patch with widevine-revision.patch will help

Olivier Tilloy (osomon) on 2017-11-10

Changed in chromium-browser (Ubuntu):
assignee:	Chad Miller (cmiller) → Olivier Tilloy (osomon)
status:	Confirmed → In Progress

Olivier Tilloy (osomon) on 2017-11-13

Changed in chromium-browser (Ubuntu):
status:	In Progress → Fix Committed

Launchpad Janitor (janitor) wrote on 2017-12-11:

This bug was fixed in the package chromium-browser - 63.0.3239.84-0ubuntu0.17.04.1

---------------
chromium-browser (63.0.3239.84-0ubuntu0.17.04.1) zesty; urgency=medium

  * Upstream release: 63.0.3239.84
    - CVE-2017-15407: Out of bounds write in QUIC.
    - CVE-2017-15408: Heap buffer overflow in PDFium.
    - CVE-2017-15409: Out of bounds write in Skia.
    - CVE-2017-15410: Use after free in PDFium.
    - CVE-2017-15411: Use after free in PDFium.
    - CVE-2017-15412: Use after free in libXML.
    - CVE-2017-15413: Type confusion in WebAssembly.
    - CVE-2017-15415: Pointer information disclosure in IPC call.
    - CVE-2017-15416: Out of bounds read in Blink.
    - CVE-2017-15417: Cross origin information disclosure in Skia.
    - CVE-2017-15418: Use of uninitialized value in Skia.
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink.
    - CVE-2017-15420: URL spoofing in Omnibox.
    - CVE-2017-15422: Integer overflow in ICU.
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
    - CVE-2017-15424: URL Spoof in Omnibox.
    - CVE-2017-15425: URL Spoof in Omnibox.
    - CVE-2017-15426: URL Spoof in Omnibox.
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
  * debian/rules:
    - replace allow_posix_link_time_opt=false by use_lld=false, is_cfi=false
      and use_thin_lto=false
    - rename use_vulcanize GN flag to optimize_webui
    - generate the man page as it's not being built with chromium any
      longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
    - build gn with clang
  * debian/patches/arm-neon.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
    debian/patches/widevine-revision.patch
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: updated
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/touch-v35: refreshed
  * debian/patches/widevine-other-locations: updated (LP: #1652110)
  * debian/patches/widevine-revision.patch: added (LP: #1652110)

-- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:35:57 +0100

Changed in chromium-browser (Ubuntu):
status:	Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote on 2017-12-11:

This bug was fixed in the package chromium-browser - 63.0.3239.84-0ubuntu0.14.04.1

---------------
chromium-browser (63.0.3239.84-0ubuntu0.14.04.1) trusty; urgency=medium

  * Upstream release: 63.0.3239.84
    - CVE-2017-15407: Out of bounds write in QUIC.
    - CVE-2017-15408: Heap buffer overflow in PDFium.
    - CVE-2017-15409: Out of bounds write in Skia.
    - CVE-2017-15410: Use after free in PDFium.
    - CVE-2017-15411: Use after free in PDFium.
    - CVE-2017-15412: Use after free in libXML.
    - CVE-2017-15413: Type confusion in WebAssembly.
    - CVE-2017-15415: Pointer information disclosure in IPC call.
    - CVE-2017-15416: Out of bounds read in Blink.
    - CVE-2017-15417: Cross origin information disclosure in Skia.
    - CVE-2017-15418: Use of uninitialized value in Skia.
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink.
    - CVE-2017-15420: URL spoofing in Omnibox.
    - CVE-2017-15422: Integer overflow in ICU.
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
    - CVE-2017-15424: URL Spoof in Omnibox.
    - CVE-2017-15425: URL Spoof in Omnibox.
    - CVE-2017-15426: URL Spoof in Omnibox.
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
  * debian/control: build-depend on gcc-mozilla (which is effectively gcc 4.9
    on trusty)
  * debian/rules:
    - change use_gold GN flag to false
    - remove linux_use_bundled_binutils=false GN flag
    - replace allow_posix_link_time_opt=false by use_lld=false, is_cfi=false
      and use_thin_lto=false
    - rename use_vulcanize GN flag to optimize_webui
    - generate the man page as it's not being built with chromium any
      longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
  * debian/patches/arm-neon.patch: refreshed
  * debian/patches/build-with-gcc-mozilla.patch: added
  * debian/patches/c++-compatibility.patch: removed, no longer needed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
    debian/patches/widevine-revision.patch
  * debian/patches/no-new-ninja-flag.patch: refreshed
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: updated
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/touch-v35: refreshed
  * debian/patches/use-clang-versioned.patch: refreshed
  * debian/patches/widevine-other-locations: updated (LP: #1652110)
  * debian/patches/widevine-revision.patch: added (LP: #1652110)

-- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:51:08 +0100

Changed in chromium-browser (Ubuntu):
status:	Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote on 2017-12-11:

This bug was fixed in the package chromium-browser - 63.0.3239.84-0ubuntu0.17.10.1

---------------
chromium-browser (63.0.3239.84-0ubuntu0.17.10.1) artful; urgency=medium

  * Upstream release: 63.0.3239.84
    - CVE-2017-15407: Out of bounds write in QUIC.
    - CVE-2017-15408: Heap buffer overflow in PDFium.
    - CVE-2017-15409: Out of bounds write in Skia.
    - CVE-2017-15410: Use after free in PDFium.
    - CVE-2017-15411: Use after free in PDFium.
    - CVE-2017-15412: Use after free in libXML.
    - CVE-2017-15413: Type confusion in WebAssembly.
    - CVE-2017-15415: Pointer information disclosure in IPC call.
    - CVE-2017-15416: Out of bounds read in Blink.
    - CVE-2017-15417: Cross origin information disclosure in Skia.
    - CVE-2017-15418: Use of uninitialized value in Skia.
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink.
    - CVE-2017-15420: URL spoofing in Omnibox.
    - CVE-2017-15422: Integer overflow in ICU.
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
    - CVE-2017-15424: URL Spoof in Omnibox.
    - CVE-2017-15425: URL Spoof in Omnibox.
    - CVE-2017-15426: URL Spoof in Omnibox.
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
  * debian/rules:
    - replace allow_posix_link_time_opt=false by use_lld=false,
      is_cfi=false and use_thin_lto=false
    - rename use_vulcanize GN flag to optimize_webui
    - generate the man page as it's not being built with chromium any
      longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
  * debian/patches/arm-neon.patch: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
  * debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
    debian/patches/widevine-revision.patch
  * debian/patches/glibc-2-26-changes.patch: renamed to
    debian/patches/no-xlocale-header.patch and updated
  * debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: updated
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/touch-v35: refreshed
  * debian/patches/use-clang-versioned.patch: refreshed
  * debian/patches/widevine-other-locations: updated (LP: #1652110)
  * debian/patches/widevine-revision.patch: added (LP: #1652110)

-- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:28:26 +0100

Changed in chromium-browser (Ubuntu):
status:	Fix Committed → Fix Released

Fink Nottle (finknottle) wrote on 2018-07-09:

#10

This is again broken with chromium 66 on 16.04. chrome is on v67 though. Some discussion about this: https://forums.gentoo.org/viewtopic-p-8217026.html?sid=b64f0e093db635a0dd3ceafcae15c57b

Olivier Tilloy (osomon) wrote on 2018-08-08:

#11

Just tested with chromium-browser 68.0.3440.75-0ubuntu0.16.04.1 in a xenial amd64 VM, with google-chrome stable installed (68.0.3440.84-1), and widevine works.

Fink Nottle (finknottle) wrote on 2018-08-08:

#12

Yes, this is working fine right now. For the past two releases, it would break whenever the chrome version was newer than chromium.

Report a bug

This report contains Public information Edit

Everyone can see this information.

Duplicates of this bug

Bug #1371274

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-github-saiarcot895-chromium-ubuntu-build #18
[closed] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuchromium-browser package

Chromium 55+ doesn't support Widevine library

Bug Description

Related branches

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntu
chromium-browser package