Sync chromium 78.0.3904.108-1 (universe) from Debian unstable (main)

Bug #1855594 reported by Amr Ibrahim
This bug affects 10 people
Affects: chromium (Ubuntu)
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Please sync chromium 78.0.3904.108-1 (universe) from Debian unstable (main)

Now that the other chromium-browser source package in Ubuntu is just a transitional dummy package to the chromium snap, I guess we can now sync the Debian chromium package.
This gives the community a chance to maintain a deb chromium package in Ubuntu independent from the snap one.

All changelog entries:

chromium (78.0.3904.108-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2019-13723: Use-after-free in Bluetooth. Reported by Yuxiang Li
    - CVE-2019-13724: Out-of-bounds in Bluetooth. Reported by Yuxiang Li
  * Disable vaapi on armhf (closes: #944627).

 -- Michael Gilbert <email address hidden> Wed, 20 Nov 2019 23:46:06 +0000

chromium (78.0.3904.97-1) unstable; urgency=medium

  * New upstream security release.
  * Enable vaapi (closes: #940074).
  * Fix crash during profile manager shutdown.
  * Drop libglewmx-dev build dependency (closes: #941050).

 -- Michael Gilbert <email address hidden> Sat, 09 Nov 2019 03:33:52 +0000

chromium (78.0.3904.87-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2019-5869: Use-after-free in Blink. Reported by Zhe Jin
    - CVE-2019-5870: Use-after-free in media. Reported by Guang Gong
    - CVE-2019-5871: Heap overflow in Skia. Reported by Anonymous
    - CVE-2019-5872: Use-after-free in Mojo. Reported by Zhe Jin
    - CVE-2019-5874: External URIs may trigger other browsers. Reported by
      James Lee
    - CVE-2019-5875: URL bar spoof. Reported by Khalil
      Zhani
    - CVE-2019-5876: Use-after-free in media. Reported by Man Yue Mo
    - CVE-2019-5877: Out-of-bounds access in V8. Reported by Guang Gong
    - CVE-2019-5878: Use-after-free in V8. Reported by Guang Gong
    - CVE-2019-5879: Extensions can read some local files. Reported by Jinseo
      Kim
    - CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu
    - CVE-2019-13659: URL spoof. Reported by Lnyas Zhang
    - CVE-2019-13660: Full screen notification overlap. Reported by Wenxu Wu
    - CVE-2019-13661: Full screen notification spoof. Reported by Wenxu Wu
    - CVE-2019-13662: CSP bypass. Reported by David Erceg
    - CVE-2019-13663: IDN spoof. Reported by Lnyas Zhang
    - CVE-2019-13664: CSRF bypass. Reported by thomas "zemnmez" shadwell
    - CVE-2019-13665: Multiple file download protection bypass. Reported by
      Jun Kokatsu
    - CVE-2019-13666: Side channel using storage size estimate. Reported by
      Tom Van Goethem
    - CVE-2019-13667: URI bar spoof when using external app URIs. Reported by
      Khalil Zhani
    - CVE-2019-13668: Global window leak via console. Reported by David Erceg
    - CVE-2019-13669: HTTP authentication spoof. Reported by Khalil Zhani
    - CVE-2019-13670: V8 memory corruption in regex. Reported by Guang Gong
    - CVE-2019-13671: Dialog box fails to show origin. Reported by xisigr
    - CVE-2019-13673: Cross-origin information leak using devtools. Reported
      by David Erceg
    - CVE-2019-13674: IDN spoofing. Reported by Khalil Zhani
    - CVE-2019-13675: Extensions can be disabled by trailing slash. Reported
      by Jun Kokatsu
    - CVE-2019-13676: Google URI shown for certificate warning. Reported by
      Wenxu Wu
    - CVE-2019-13677: Chrome web store origin needs to be isolated. Reported
      by Jun Kokatsu
    - CVE-2019-13678: Download dialog spoofing. Reported by Ronni Skansing
    - CVE-2019-13679: User gesture needed for printing. Reported by Conrad
      Irwin
    - CVE-2019-13680: IP address spoofing to servers. Reported by Thijs
      Alkemade
    - CVE-2019-13681: Bypass on download restrictions. Reported by David Erceg
    - CVE-2019-13682: Site isolation bypass. Reported by Jun Kokatsu
    - CVE-2019-13683: Exceptions leaked by devtools. Reported by David Erceg
    - CVE-2019-13685: Use-after-free in UI. Reported by Khalil Zhani
    - CVE-2019-13686: Use-after-free in offline pages. Reported by Brendon
    - CVE-2019-13687: Use-after-free in media. Reported by Man Yue Mo
    - CVE-2019-13688: Use-after-free in media. Reported by Man Yue Mo
      Tiszka
    - CVE-2019-13691: Omnibox spoof. Reported by David Erceg
    - CVE-2019-13692: SOP bypass. Reported by Jun Kokatsu
    - CVE-2019-13693: Use-after-free in IndexedDB. Reported by Guang Gong
    - CVE-2019-13694: Use-after-free in WebRTC. Reported by banananapenguin
    - CVE-2019-13695: Use-after-free in audio. Reported by Man Yue Mo
    - CVE-2019-13696: Use-after-free in V8. Reported by Guang Gong
    - CVE-2019-13697: Cross-origin size leak. Reported by Luan Herrera
    - CVE-2019-13699: Use-after-free in media. Reported by Man Yue Mo
    - CVE-2019-13700: Buffer overrun in Blink. Reported by Man Yue Mo
    - CVE-2019-13701: URL spoof in navigation. Reported by David Erceg
    - CVE-2019-13702: Privilege elevation in Installer. Reported by Phillip
      Langlois and Edward Torkington
    - CVE-2019-13703: URL bar spoofing. Reported by Khalil Zhani
    - CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu
    - CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera
    - CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk
    - CVE-2019-13707: File storage disclosure. Reported by Andrea Palazzo
    - CVE-2019-13708: HTTP authentication spoof. Reported by Khalil Zhani
    - CVE-2019-13709: File download protection bypass. Reported by Zhong
      Zhaochen
    - CVE-2019-13710: File download protection bypass. Reported by
      bernardo.mrod
    - CVE-2019-13711: Cross-context information leak. Reported by David Erceg
    - CVE-2019-13713: Cross-origin data leak. Reported by David Erceg
    - CVE-2019-13714: CSS injection. Reported by Jun Kokatsu
    - CVE-2019-13715: Address bar spoofing. Reported by xisigr
    - CVE-2019-13716: Service worker state error. Reported by Barron Hagerman
    - CVE-2019-13717: Notification obscured. Reported by xisigr
    - CVE-2019-13718: IDN spoof. Reported by Khalil Zhani
    - CVE-2019-13719: Notification obscured. Reported by Khalil Zhani
    - CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and
      Alexey Kulaev
    - CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin
  * Drop support for building with gcc 6 and gtk 2.

 -- Michael Gilbert <email address hidden> Sat, 02 Nov 2019 22:30:42 +0000

Paul White (paulw2u)
affects: ubuntu → chromium-browser (Ubuntu)
Amr Ibrahim (amribrahim1987) wrote :

This is a request to sync a new source package from Debian, independently of the chromium-browser source, which only exists in Ubuntu and not in Debian. I don't think the chromium-browser source works here; it has to remain as it is after 20.04 LTS for the transition to the chromium snap to fully happen.

affects: chromium-browser (Ubuntu) → ubuntu
Olivier Tilloy (osomon) wrote :

This seems technically feasible, as there is no "chromium" source package in Ubuntu. It would probably be confusing though, from an end-user perspective.

Amr Ibrahim, have you tested the existing Debian package in Ubuntu?

Mathew Hodson (mhodson)
Changed in ubuntu:
importance: Undecided → Wishlist
affects: ubuntu → chromium (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium (Ubuntu):
status: New → Confirmed
Alkis Georgopoulos (alkisg) wrote :

I came to file this exact issue and I saw that someone has already filed it; thank you Amr.

If chromium isn't provided in 20.04, then Ubuntu users that opt not to use snaps will have to install Google's Chrome instead.

I tested the Buster chromium package in Focal and it worked fine. Specifically, I just had to apt install these packages from Debian:

289896 Nov 22 15:12 chromium-common_78.0.3904.108-1~deb10u1_amd64.deb
55110204 Nov 22 15:12 chromium_78.0.3904.108-1~deb10u1_amd64.deb
176942 Jul 31 2017 libevent-2.1-6_2.1.8-stable-4_amd64.deb
133808 Dec 5 2017 libjpeg62-turbo_1.5.2-2+b1_amd64.deb
800224 Nov 27 12:58 libvpx5_1.7.0-3+deb10u1_amd64.deb

Alkis Georgopoulos (alkisg) wrote :

Hi, any progress on this? Ubuntu 20.04 is maturing; later on it will be too late to change it.

Personally I would greatly appreciate at least knowing if this change will make it for 20.04 or not.

This is because hundreds of Greek schools just purchased new computer labs and I'm preparing a new template image based on Ubuntu MATE 20.04, and I'm pondering if I should install Google Chrome on them or chromium.deb from Debian and let it auto-update later on when it reaches Ubuntu...

Thanks for any feedback!

Julian Andres Klode (juliank) wrote :

I don't think a chromium-browser in universe - without security support - is a sensible thing to provide. There's a reason chromium moved to a snap: It takes too much effort to maintain across all stable releases.

I'm not confident that the community can keep up with supporting chromium in universe across stable releases and provide the level of security necessary for something as critical as a web browser.

The security impact if the community cannot keep up with Chromium is too high to warrant the risk. And we don't want that to fall back to the security team like now, because a point of migrating to a snap was to reduce the burden there.

Hence I'll be setting the status to Won't Fix.

Changed in chromium (Ubuntu):
status: Confirmed → Won't Fix
Alkis Georgopoulos (alkisg) wrote :

Thank you for resolving this.
I would like to mention that there are other browsers/snaps in Universe that are just synced from Debian, without any policy about preventing them from reaching Ubuntu, and that this decision will probably move users to Google Chrome rather than snaps, but ...alea iacta est. :)

Alkis Georgopoulos (alkisg) wrote :

After observing for months how schools handled this issue, I'd like to confirm my initial predictions; all of them now install google-chrome instead of chromium-browser in order to avoid snap.
