#1011096 chromium: i386 and armhf packages FTBFS in bullseye

Package:
chromium
Source:
chromium
Description:
web browser
Submitter:
Ben Steinberg
Date:
2022-06-16 06:51:06 UTC
Severity:
serious
Tags:
#1011096#5
Date:
2022-05-16 15:35:19 UTC
From:
To:
Dear Maintainer,

Chromium 101.0.4951.64-1~deb11u1 has been accepted for bullseye-security, and the package
is present for the amd64 architecture. I think it has been built for arm64, but it has not
yet appeared at http://security.debian.org/debian-security/pool/main/c/chromium/ -- I know
there's a lag between amd64 and arm64 builds, but I think this is longer than usual.
Please let me know if there's a better place to report this kind of issue.

Thanks!

#1011096#10
Date:
2022-05-16 16:36:38 UTC
From:
To:

Unfortunately, bullseye-security buildd logs don't appear to be public,
so I actually have no idea whether 101.0.4951.64-1~deb11u1 ran into
problems building on arm64.


Security Team, is there a way for me to get access to the logs for
chromium's security builds by ssh'ing into a machine? Or some other way
for me to view them?

Thanks,

Andres

#1011096#15
Date:
2022-05-16 18:33:46 UTC
From:
To:
Hi Andres,

The build logs are not public but we can retrieve them. But in this
case from #debian-buildd:

[17:58] < carnil> Hi, can someone double check if chromium/arm64 build for bullseye-security is still really in building state?
[18:07] < jcristau> carnil: it is not
[18:07] < jcristau> guessing the host crashed a few days ago and it got a power cycle

Which I did and the package is not back in building state for arm64.

Regards,
Salvatore

#1011096#20
Date:
2022-05-16 19:53:25 UTC
From:
To:
clone 1011078 -1
retitle -1 chromium: i386 and armhf packages FTBFS in bullseye
tags -1 bullseye ftbfs
severity -1 serious
thanks

On Mon, 16 May 2022 20:33:46 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
[...]
build failures, they should show up in the archive in a day or two.
Chromium is a slow build. :)


While looking at this, I noticed that i386 and armhf in
bullseye-security were even older (last built circa chromium v99). The
build log shows this build failure on armhf:

[12837/50904] CXX obj/base/base/task_annotator.o
FAILED: obj/base/base/task_annotator.o
clang++ -MMD -MF obj/base/base/task_annotator.o.d -DPA_PCSCAN_STACK_SUPPORTED -DUSE_SYMBOLIZE
 -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -D__STDC_CONSTANT_MACROS
 -D__STDC_FORMAT_MACROS -D_FORTIFY_SOURCE=2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LAR
GEFILE64_SOURCE -DNO_UNWIND_TABLES -D_GNU_SOURCE -DCR_CLANG_REVISION=\"llvmorg-15-init-3677-g
8133778d-4\" -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -DBASE_IMPLEMENTATION -DGLI
B_VERSION_MAX_ALLOWED=GLIB_VERSION_2_40 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_40 -DU_USI
NG_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DUSE_CHROMIUM_ICU=1 -DU_ENABLE_TRACING=1 -DU_ENABLE_R
ESOURCE_TRACING=0 -DU_STATIC_IMPLEMENTATION -DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_FILE -I../.. -
Igen -I../../third_party/perfetto/include -Igen/third_party/perfetto/build_config -Igen/third
_party/perfetto -Igen/shim_headers/zlib_shim -Igen/shim_headers/libevent_shim -I../../third_p
arty/abseil-cpp -I../../third_party/boringssl/src/include -I../../third_party/protobuf/src -I
gen/protoc_out -Igen/third_party/perfetto -I../../third_party/icu/source/common -I../../third
_party/icu/source/i18n -Wall -Wextra -Wimplicit-fallthrough -Wunreachable-code-aggressive -Wt
hread-safety -Wextra-semi -Wno-missing-field-initializers -Wno-unused-parameter -Wloop-analys
is -Wno-unneeded-internal-declaration -Wenum-compare-conditional -Wno-psabi -Wno-ignored-prag
ma-optimize -Wshadow -fno-delete-null-pointer-checks -fno-ident -fno-strict-aliasing --param=
ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-tables -fPIC
-pthread -fcolor-diagnostics -fmerge-all-constants -fcrash-diagnostics-dir=../../tools/clang/
crashreports -mllvm -instcombine-lower-dbg-declare=0 -ffp-contract=off --target=arm-linux-gnu
eabihf -march=armv7-a -mfloat-abi=hard -mtune=generic-armv7-a -fdebug-compilation-dir=. -no-c
anonical-prefixes -mfpu=vfpv3-d16 -mthumb -ftrivial-auto-var-init=pattern -fno-omit-frame-poi
nter -g0 -fvisibility=hidden -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-comp
are -Wexit-time-destructors -Wglobal-constructors -I/usr/include/glib-2.0 -I/usr/lib/arm-linu
x-gnueabihf/glib-2.0/include -Wexit-time-destructors -fdata-sections -ffunction-sections -fno
-unique-section-names -DPROTOBUF_ALLOW_DEPRECATED=1 -std=c++17 -Wno-trigraphs -fno-aligned-ne
w -fno-exceptions -fno-rtti -fvisibility-inlines-hidden -Wdate-time -D_FORTIFY_SOURCE=2 -O2 -
fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-securit
y -Wno-conversion -Wno-unused-function -Wno-unused-variable -Wno-unused-private-field -Wno-de
precated-declarations -Wno-unknown-pragmas  -fno-delete-null-pointer-checks -c ../../base/tas
k/common/task_annotator.cc -o obj/base/base/task_annotator.o
In file included from ../../base/task/common/task_annotator.cc:15:
../../base/sys_byteorder.h:56:28: error: constexpr function never produces a constant expression [-Winvalid-constexpr]
inline constexpr uintptr_t ByteSwapUintPtrT(uintptr_t x) {

../../base/sys_byteorder.h:65:12: note: non-constexpr function 'ByteSwap' cannot be used in a constant expression
    return ByteSwap(static_cast<uint32_t>(x));
           ^
../../base/sys_byteorder.h:33:17: note: declared here
inline uint32_t ByteSwap(uint32_t x) {
                ^
1 error generated.



And this build failure on i386:

[12741/51668] CXX obj/base/base/sampling_heap_profiler.o
FAILED: obj/base/base/sampling_heap_profiler.o
clang++ -MMD -MF obj/base/base/sampling_heap_profiler.o.d -DPA_PCSCAN_STACK_SUPPORTED -DUSE_S
YMBOLIZE -DUSE_UDEV -DUSE_AURA=1 -DUSE_GLIB=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -D__STDC_CONSTAN
T_MACROS -D__STDC_FORMAT_MACROS -D_FORTIFY_SOURCE=2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURC
E -D_LARGEFILE64_SOURCE -DNO_UNWIND_TABLES -D_GNU_SOURCE -DCR_CLANG_REVISION=\"llvmorg-15-ini
t-3677-g8133778d-4\" -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -DBASE_IMPLEMENTATI
ON -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_40 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_40
 -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DUSE_CHROMIUM_ICU=1 -DU_ENABLE_TRACING=1 -DU_
ENABLE_RESOURCE_TRACING=0 -DU_STATIC_IMPLEMENTATION -DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_FILE -
I../.. -Igen -I../../third_party/perfetto/include -Igen/third_party/perfetto/build_config -Ig
en/third_party/perfetto -Igen/shim_headers/zlib_shim -Igen/shim_headers/libevent_shim -I../..
/third_party/abseil-cpp -I../../third_party/boringssl/src/include -I../../third_party/protobu
f/src -Igen/protoc_out -Igen/third_party/perfetto -I../../third_party/icu/source/common -I../
../third_party/icu/source/i18n -Wall -Wextra -Wimplicit-fallthrough -Wunreachable-code-aggres
sive -Wthread-safety -Wextra-semi -Wno-missing-field-initializers -Wno-unused-parameter -Wloo
p-analysis -Wno-unneeded-internal-declaration -Wenum-compare-conditional -Wno-psabi -Wno-igno
red-pragma-optimize -Wshadow -fno-delete-null-pointer-checks -fno-ident -fno-strict-aliasing
--param=ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-table
s -fPIC -pthread -fcolor-diagnostics -fmerge-all-constants -fcrash-diagnostics-dir=../../tool
s/clang/crashreports -mllvm -instcombine-lower-dbg-declare=0 -ffp-contract=off -m32 -mfpmath=
sse -msse3 -fdebug-compilation-dir=. -no-canonical-prefixes -ftrivial-auto-var-init=pattern -
fno-omit-frame-pointer -momit-leaf-frame-pointer -g0 -fvisibility=hidden -Wheader-hygiene -Ws
tring-conversion -Wtautological-overlap-compare -Wexit-time-destructors -Wglobal-constructors
 -I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include -Wexit-time-destructors -
fdata-sections -ffunction-sections -fno-unique-section-names -DPROTOBUF_ALLOW_DEPRECATED=1 -s
td=c++17 -Wno-trigraphs -fno-aligned-new -fno-exceptions -fno-rtti -fvisibility-inlines-hidde
n -Wdate-time -D_FORTIFY_SOURCE=2 -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector
-strong -Wformat -Werror=format-security -Wno-conversion -Wno-unused-function -Wno-unused-var
iable -Wno-unused-private-field -Wno-deprecated-declarations -Wno-unknown-pragmas  -fno-delet
e-null-pointer-checks -c ../../base/sampling_heap_profiler/sampling_heap_profiler.cc -o obj/b
ase/base/sampling_heap_profiler.o
In file included from ../../base/sampling_heap_profiler/sampling_heap_profiler.cc:12:
In file included from ../../base/allocator/partition_allocator/partition_alloc.h:10:
In file included from ../../base/allocator/partition_allocator/partition_root.h:53:
In file included from ../../base/allocator/partition_allocator/partition_direct_map_extent.h:10:
In file included from ../../base/allocator/partition_allocator/partition_page.h:21:
In file included from ../../base/allocator/partition_allocator/partition_freelist_entry.h:21:
../../base/sys_byteorder.h:56:28: error: constexpr function never produces a constant expression [-Winvalid-constexpr]
inline constexpr uintptr_t ByteSwapUintPtrT(uintptr_t x) {
                           ^
../../base/sys_byteorder.h:65:12: note: non-constexpr function 'ByteSwap' cannot be used in a constant expression
    return ByteSwap(static_cast<uint32_t>(x));
           ^
../../base/sys_byteorder.h:33:17: note: declared here
inline uint32_t ByteSwap(uint32_t x) {
                ^
1 error generated.




Both are occurring in chromium's ./base/sys_byteorder.h header. ByteSwapUintPtrT is marked
constexpr but it includes a non-constexpr function (ByteSwap). Clang-13 is smart enough to
inline ByteSwap and not care about the differences in constexpr marking, but clang-11 is not.

I'll need to remove the constexpr, like I did in
debian/patches/bullseye/blink-constexpr.patch. And/or send a patch upstream to mark ByteSwap as
constexpr, which I couldn't do with blink-constexpr.patch because it was using a non-constexpr
function from the c++ std library.
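
A standalone reduction of the failure discussed in message #20, added here as an illustration; it is not part of the bug report and is not Chromium's code. The names ByteSwap and ByteSwapUintPtrT come from the build log; the function bodies, the REPRODUCE_FTBFS guard and ByteSwapUintPtrTRuntime are assumptions made for the example. It shows both remedies the message mentions: marking ByteSwap constexpr, and dropping constexpr from the wrapper.

```cpp
// Added illustration: names follow the build log, bodies are assumptions.
#include <cstdint>
#include <cstdio>

#ifdef REPRODUCE_FTBFS
// Shape of the failing code: a constexpr wrapper whose only call is to a
// function that is not constexpr, so no argument can ever yield a constant
// expression. Build with -DREPRODUCE_FTBFS to see the compiler's diagnostic.
inline uint32_t ByteSwapNotConstexpr(uint32_t x) {
  return (x << 24) | ((x & 0xFF00u) << 8) | ((x >> 8) & 0xFF00u) | (x >> 24);
}
inline constexpr uint32_t ByteSwapWrapperBroken(uint32_t x) {
  return ByteSwapNotConstexpr(x);
}
#endif

// Remedy 1: make ByteSwap itself constexpr. Plain shifts and masks are valid
// in a constant expression, so every caller may stay constexpr.
inline constexpr uint32_t ByteSwap(uint32_t x) {
  return ((x & 0x000000FFu) << 24) | ((x & 0x0000FF00u) << 8) |
         ((x & 0x00FF0000u) >> 8) | ((x & 0xFF000000u) >> 24);
}

inline constexpr uint64_t ByteSwap(uint64_t x) {
  // Swap each 32-bit half, then exchange the halves.
  return (static_cast<uint64_t>(ByteSwap(static_cast<uint32_t>(x))) << 32) |
         ByteSwap(static_cast<uint32_t>(x >> 32));
}

// Pointer-sized swap. On a 32-bit target (i386, armhf) only the uint32_t
// branch is ever taken, which is why that overload must be constexpr there.
inline constexpr uintptr_t ByteSwapUintPtrT(uintptr_t x) {
  static_assert(sizeof(uintptr_t) == 4 || sizeof(uintptr_t) == 8,
                "unsupported uintptr_t size");
  return sizeof(uintptr_t) == 4
             ? static_cast<uintptr_t>(ByteSwap(static_cast<uint32_t>(x)))
             : static_cast<uintptr_t>(ByteSwap(static_cast<uint64_t>(x)));
}

// Remedy 2: drop constexpr from the wrapper. This also builds, but the
// result can no longer be used where a constant expression is required.
inline uintptr_t ByteSwapUintPtrTRuntime(uintptr_t x) {
  uintptr_t out = 0;
  for (unsigned i = 0; i < sizeof(uintptr_t); ++i) {
    out = (out << 8) | (x & 0xFF);  // move the lowest byte to the top
    x >>= 8;
  }
  return out;
}

// Compile-time checks: these only build if the functions really are usable
// in constant expressions, which is the property the failed build lacked.
static_assert(ByteSwap(static_cast<uint32_t>(0x11223344u)) == 0x44332211u,
              "32-bit swap must be a constant expression");
static_assert(ByteSwapUintPtrT(ByteSwapUintPtrT(0x1234u)) == 0x1234u,
              "pointer-sized swap must round-trip at compile time");

// Runtime cross-check of the two remedies against each other.
inline bool RemediesAgree(uintptr_t x) {
  return ByteSwapUintPtrT(x) == ByteSwapUintPtrTRuntime(x);
}

int main() {
  std::printf("sizeof(uintptr_t) = %u, remedies agree: %s\n",
              static_cast<unsigned>(sizeof(uintptr_t)),
              RemediesAgree(0xCAFEu) ? "yes" : "no");
  return RemediesAgree(0xCAFEu) ? 0 : 1;
}
```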

#1011096#33
Date:
2022-05-25 06:50:13 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011096@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilinger@debian.org> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 25 May 2022 02:09:10 -0400
Source: chromium
Architecture: source
Version: 102.0.5005.61-1
Distribution: unstable
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Closes: 1011096
Changes:
 chromium (102.0.5005.61-1) unstable; urgency=high
 .
   * New upstream stable release.
     - CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous
     - CVE-2022-1854: Use after free in ANGLE.
       Reported by SeongHwan Park (SeHwa)
     - CVE-2022-1855: Use after free in Messaging. Reported by Anonymous
     - CVE-2022-1856: Use after free in User Education. Reported by
       Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab
     - CVE-2022-1857: Insufficient policy enforcement in File System API.
       Reported by Daniel Rhea
     - CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad
     - CVE-2022-1859: Use after free in Performance Manager. Reported by
       Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab
     - CVE-2022-1860: Use after free in UI Foundations.
       Reported by @ginggilBesel
     - CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani
     - CVE-2022-1862: Inappropriate implementation in Extensions.
       Reported by Alesandro Ortiz
     - CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg
     - CVE-2022-1864: Use after free in WebApp Installs.
       Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab
     - CVE-2022-1865: Use after free in Bookmarks.
       Reported by Rong Jian of VRI
     - CVE-2022-1866: Use after free in Tablet Mode.
       Reported by @ginggilBesel
     - CVE-2022-1867: Insufficient validation of untrusted input in
       Data Transfer. Reported by Michał Bentkowski of Securitum
     - CVE-2022-1868: Inappropriate implementation in Extensions API.
       Reported by Alesandro Ortiz
     - CVE-2022-1869: Type Confusion in V8.
       Reported by Man Yue Mo of GitHub Security Lab
     - CVE-2022-1870: Use after free in App Service. Reported by
       Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab
     - CVE-2022-1871: Insufficient policy enforcement in File System API.
       Reported by Thomas Orlita
     - CVE-2022-1872: Insufficient policy enforcement in Extensions API.
       Reported by ChaobinZhang
     - CVE-2022-1873: Insufficient policy enforcement in COOP.
       Reported by NDevTK
     - CVE-2022-1874: Insufficient policy enforcement in Safe Browsing.
       Reported by hjy79425575
     - CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK
     - CVE-2022-1876: Heap buffer overflow in DevTools.
       Reported by @ginggilBesel
   * debian/patches:
     - system/jpeg.patch - straight refresh.
     - disable/swiftshader.patch - straight refresh.
     - disable/swiftshader-2.patch - refresh for upstream dropping of legacy
       swiftshader GL stuff; they now use ANGLE.
     - disable/angle-perftests.patch - refresh.
     - system/jsoncpp.patch - refresh for jsoncpp_no_deprecated_declarations
       argument change.
     - bullseye/clang11.patch - merge cast-call.patch into it, as well as
       dropping additional unsupported clang arguments.
     - bullseye/cast-call.patch - drop.
     - upstream/dawn-version-fix.patch - add patch to deal w/ FTBFS.
     - upstream/blink-ftbfs.patch - another FTBFS patch.
     - upstream/nested-nested-nested-nested-nested-nested-regex-patterns.patch -
       fix a build failure that only happens with clang + GNU's libstdc++.
     - upstream/byteswap-constexpr.patch - add this to fix bullseye builds on
       32-bit platforms (closes: #1011096).
   * Don't build unnecessary dawn build tests.

#1011096#42
Date:
2022-06-11 02:50:10 UTC
From:
To:
Format: 1.8
Date: Fri, 10 Jun 2022 02:37:57 +0000
Source: chromium
Architecture: source
Version: 102.0.5005.115-1
Distribution: unstable
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Closes: 1011096
Changes:
 chromium (102.0.5005.115-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri
     - CVE-2022-2008: Out of bounds memory access in WebGL.
       Reported by khangkito - Tran Van Khang (VinCSS)
     - CVE-2022-2010: Out of bounds read in compositing.
       Reported by Mark Brand of Google Project Zero
     - CVE-2022-2011: Use after free in ANGLE.
       Reported by SeongHwan Park (SeHwa)
   * debian/patches:
     - bullseye/byteswap-constexpr2.patch - additional fix for bullseye
       builds on 32-bit platforms (closes: #1011096).
     - debianization/support-i386.patch - re-enable support for i386 builds.
       Upstream no longer officially supports i386 builds on linux, so we
       are on our own here.

#1011096#47
Date:
2022-06-16 06:48:12 UTC
From:
To:
Format: 1.8
Date: Wed, 25 May 2022 02:24:52 -0400
Source: chromium
Architecture: source
Version: 102.0.5005.61-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Closes: 1011096
Changes:
 chromium (102.0.5005.61-1~deb11u1) bullseye-security; urgency=high
 .
   * New upstream stable release.
     - CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous
     - CVE-2022-1854: Use after free in ANGLE.
       Reported by SeongHwan Park (SeHwa)
     - CVE-2022-1855: Use after free in Messaging. Reported by Anonymous
     - CVE-2022-1856: Use after free in User Education. Reported by
       Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab
     - CVE-2022-1857: Insufficient policy enforcement in File System API.
       Reported by Daniel Rhea
     - CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad
     - CVE-2022-1859: Use after free in Performance Manager. Reported by
       Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab
     - CVE-2022-1860: Use after free in UI Foundations.
       Reported by @ginggilBesel
     - CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani
     - CVE-2022-1862: Inappropriate implementation in Extensions.
       Reported by Alesandro Ortiz
     - CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg
     - CVE-2022-1864: Use after free in WebApp Installs.
       Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab
     - CVE-2022-1865: Use after free in Bookmarks.
       Reported by Rong Jian of VRI
     - CVE-2022-1866: Use after free in Tablet Mode.
       Reported by @ginggilBesel
     - CVE-2022-1867: Insufficient validation of untrusted input in
       Data Transfer. Reported by Michał Bentkowski of Securitum
     - CVE-2022-1868: Inappropriate implementation in Extensions API.
       Reported by Alesandro Ortiz
     - CVE-2022-1869: Type Confusion in V8.
       Reported by Man Yue Mo of GitHub Security Lab
     - CVE-2022-1870: Use after free in App Service. Reported by
       Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab
     - CVE-2022-1871: Insufficient policy enforcement in File System API.
       Reported by Thomas Orlita
     - CVE-2022-1872: Insufficient policy enforcement in Extensions API.
       Reported by ChaobinZhang
     - CVE-2022-1873: Insufficient policy enforcement in COOP.
       Reported by NDevTK
     - CVE-2022-1874: Insufficient policy enforcement in Safe Browsing.
       Reported by hjy79425575
     - CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK
     - CVE-2022-1876: Heap buffer overflow in DevTools.
       Reported by @ginggilBesel
   * debian/patches:
     - system/jpeg.patch - straight refresh.
     - disable/swiftshader.patch - straight refresh.
     - disable/swiftshader-2.patch - refresh for upstream dropping of legacy
       swiftshader GL stuff; they now use ANGLE.
     - disable/angle-perftests.patch - refresh.
     - system/jsoncpp.patch - refresh for jsoncpp_no_deprecated_declarations
       argument change.
     - bullseye/clang11.patch - merge cast-call.patch into it, as well as
       dropping additional unsupported clang arguments.
     - bullseye/cast-call.patch - drop.
     - upstream/dawn-version-fix.patch - add patch to deal w/ FTBFS.
     - upstream/blink-ftbfs.patch - another FTBFS patch.
     - upstream/nested-nested-nested-nested-nested-nested-regex-patterns.patch -
       fix a build failure that only happens with clang + GNU's libstdc++.
     - upstream/byteswap-constexpr.patch - add this to fix bullseye builds on
       32-bit platforms (closes: #1011096).
   * Don't build unnecessary dawn build tests.

#1011096#52
Date:
2022-06-16 06:48:18 UTC
From:
To:
Format: 1.8
Date: Fri, 10 Jun 2022 20:56:01 -0400
Source: chromium
Architecture: source
Version: 102.0.5005.115-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Closes: 1011096
Changes:
 chromium (102.0.5005.115-1~deb11u1) bullseye-security; urgency=high
 .
   * New upstream security release.
     - CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri
     - CVE-2022-2008: Out of bounds memory access in WebGL.
       Reported by khangkito - Tran Van Khang (VinCSS)
     - CVE-2022-2010: Out of bounds read in compositing.
       Reported by Mark Brand of Google Project Zero
     - CVE-2022-2011: Use after free in ANGLE.
       Reported by SeongHwan Park (SeHwa)
   * debian/patches:
     - bullseye/byteswap-constexpr2.patch - additional fix for bullseye
       builds on 32-bit platforms (closes: #1011096).
     - debianization/support-i386.patch - re-enable support for i386 builds.
       Upstream no longer officially supports i386 builds on linux, so we
       are on our own here.