-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Apr 2024 12:33:38 -0400
Source: chromium
Binary: chromium-l10n
Architecture: all
Version: 124.0.6367.60-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Description:
 chromium-l10n - web browser - language packs
Changes:
 chromium (124.0.6367.60-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream stable release.
     - CVE-2024-3832: Object corruption in V8.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-3833: Object corruption in WebAssembly.
       Reported by Man Yue Mo of GitHub Security Lab.
     - CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang
     - CVE-2024-3837: Use after free in QUIC.
       Reported by {rotiple, dch3ck} of CW Research Inc.
     - CVE-2024-3838: Inappropriate implementation in Autofill.
       Reported by Ardyan Vicky Ramadhan.
     - CVE-2024-3839: Out of bounds read in Fonts.
       Reported by Ronald Crane (Zippenhop LLC).
     - CVE-2024-3840: Insufficient policy enforcement in Site Isolation.
       Reported by Ahmed ElMasry.
     - CVE-2024-3841: Insufficient data validation in Browser Switcher.
       Reported by Oleg.
     - CVE-2024-3843: Insufficient data validation in Downloads.
       Reported by Azur.
     - CVE-2024-3844: Inappropriate implementation in Extensions.
       Reported by Alesandro Ortiz.
     - CVE-2024-3845: Inappropriate implementation in Network.
       Reported by Daniel Baulig.
     - CVE-2024-3846: Inappropriate implementation in Prompts.
       Reported by Ahmed ElMasry.
     - CVE-2024-3847: Insufficient policy enforcement in WebUI.
       Reported by Yan Zhu.
   * d/copyright:
     - delete __pycache__ directories to shut up dpkg warnings.
     - stop deleting bundled libwebp directory.
   * Drop build-dep on libwebp-dev and start building against the bundled
     libwebp. We need to do this because chromium uses features of libavif
     that require libsharpyuv-dev; but that's only available in sid/trixie.
   * d/patches:
     - upstream/std-to-address.patch: drop, merged upstream.
     - fixes/optional2.patch: drop, merged upstream.
     - fixes/blink-fonts-shape-result.patch: drop, merged upstream.
     - bookworm/constexpr-equality.patch: drop, merged upstream.
     - disable/catapult.patch: refresh.
     - disable/google-api-warning.patch: rework to be a smaller patch.
     - bookworm/clang16.patch: refresh.
     - ungoogled/disable-privacy-sandbox.patch: drop hunk related to deprecated
       preference.
     - upstream/mojo-null.patch: pull a (typescript) build fix from upstream.
     - upstream/uint-includes.patch: simple header build fix from upstream.
     - upstream/fps-optional.patch: add header build fix.
     - upstream/span-optional.patch: add header build fix.
     - upstream/extractor-bitset.patch: add header build fix.
     - upstream/atomic.patch: add header build fix.
     - upstream/webgpu-optional.patch: add header build fix.
     - fixes/absl-optional.patch: comment out assert() that caused crash.
       This could be another clang16/libstdc++ miscompilation issue, but
       needs further investigation.
     - fixes/bad-font-gc2.patch: drop a bunch of test-related pieces.
     - fixes/bad-font-gc0000.patch, fixes/bad-font-gc000.patch,
       fixes/bad-font-gc00.patch, fixes/bad-font-gc0.patch,
       fixes/bad-font-gc11.patch, fixes/bad-font-gc3.patch: revert a bunch
       more (new) upstream commits related to bad-font-gc2.patch. When the
       use-after-free bug gets fixed, all this can be dropped.
   * d/patches/ppc64le:
     - third_party/0002-third_party-libvpx-Remove-bad-ppc64-config.patch,
       third_party/0003-third_party-ffmpeg-Add-ppc64-generated-config.patch,
       workarounds/HACK-third_party-libvpx-use-generic-gnu.patch,
       breakpad/0001-Implement-support-for-ppc64-on-Linux.patch,
       ffmpeg/0001-Add-support-for-ppc64.patch,
       third_party/dawn-fix-typos.patch,
       third_party/use-sysconf-page-size-on-ppc64.patch: refresh.
     - third_party/skia-vsx-instructions.patch: refresh & update for header
       renaming.
     - third_party/0001-Add-PPC64-support-for-boringssl.patch,
       third_party/0002-third-party-boringssl-add-generated-files.patch:
       disable these two until Tim has a chance to look at them.
Checksums-Sha1:
 91efee19957ba3293e56aeab331fa33673eedf88 7115924 chromium-l10n_124.0.6367.60-1~deb12u1_all.deb
 ae056182f18c56aa62fbedb34e0768515d38a0d5 21829 chromium_124.0.6367.60-1~deb12u1_all-buildd.buildinfo
Checksums-Sha256:
 6b340afe809c5221e451cb3fcecc1bfed21b70bd266ce2cd8878a3df9c11fbe4 7115924 chromium-l10n_124.0.6367.60-1~deb12u1_all.deb
 fcdbbd7d68bf92275a9bfacfb5edbabee917a08e661235fc7141e94b97e9c568 21829 chromium_124.0.6367.60-1~deb12u1_all-buildd.buildinfo
Files:
 8e0ef74686ac5d2af205fe93eb810651 7115924 localization optional chromium-l10n_124.0.6367.60-1~deb12u1_all.deb
 6a2c9df9f9940661fdf44a472eb1b67b 21829 web optional chromium_124.0.6367.60-1~deb12u1_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----