UbuntuUpdates.org

Package "chromium-browser"

Name: chromium-browser

Description:

Chromium web browser, open-source version of Chrome
Latest version: 80.0.3987.87-0ubuntu0.18.04.1
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://chromium.googlesource.com/chromium/src/

Links

Save this URL for the latest version of "chromium-browser": https://www.ubuntuupdates.org/chromium-browser

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "chromium-browser"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "chromium-browser" in Bionic

Repository Area Version
base universe 65.0.3325.181-0ubuntu1
updates universe 80.0.3987.87-0ubuntu0.18.04.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 80.0.3987.87-0ubuntu0.18.04.1 2020-02-13 23:07:01 UTC

  chromium-browser (80.0.3987.87-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 80.0.3987.87
    - CVE-2020-6381: Integer overflow in JavaScript.
    - CVE-2020-6382: Type Confusion in JavaScript.
    - CVE-2019-18197: Multiple vulnerabilities in XML.
    - CVE-2019-19926: Inappropriate implementation in SQLite.
    - CVE-2020-6385: Insufficient policy enforcement in storage.
    - CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite.
    - CVE-2020-6387: Out of bounds write in WebRTC.
    - CVE-2020-6388: Out of bounds memory access in WebAudio.
    - CVE-2020-6389: Out of bounds write in WebRTC.
    - CVE-2020-6390: Out of bounds memory access in streams.
    - CVE-2020-6391: Insufficient validation of untrusted input in Blink.
    - CVE-2020-6392: Insufficient policy enforcement in extensions.
    - CVE-2020-6393: Insufficient policy enforcement in Blink.
    - CVE-2020-6394: Insufficient policy enforcement in Blink.
    - CVE-2020-6395: Out of bounds read in JavaScript.
    - CVE-2020-6396: Inappropriate implementation in Skia.
    - CVE-2020-6397: Incorrect security UI in sharing.
    - CVE-2020-6398: Uninitialized use in PDFium.
    - CVE-2020-6399: Insufficient policy enforcement in AppCache.
    - CVE-2020-6400: Inappropriate implementation in CORS.
    - CVE-2020-6401: Insufficient validation of untrusted input in Omnibox.
    - CVE-2020-6402: Insufficient policy enforcement in downloads.
    - CVE-2020-6403: Incorrect security UI in Omnibox.
    - CVE-2020-6404: Inappropriate implementation in Blink.
    - CVE-2020-6405: Out of bounds read in SQLite.
    - CVE-2020-6406: Use after free in audio.
    - CVE-2019-19923: Out of bounds memory access in SQLite.
    - CVE-2020-6408: Insufficient policy enforcement in CORS.
    - CVE-2020-6409: Inappropriate implementation in Omnibox.
    - CVE-2020-6410: Insufficient policy enforcement in navigation.
    - CVE-2020-6411: Insufficient validation of untrusted input in Omnibox.
    - CVE-2020-6412: Insufficient validation of untrusted input in Omnibox.
    - CVE-2020-6413: Inappropriate implementation in Blink.
    - CVE-2020-6414: Insufficient policy enforcement in Safe Browsing.
    - CVE-2020-6415: Inappropriate implementation in JavaScript.
    - CVE-2020-6416: Insufficient data validation in streams.
    - CVE-2020-6417: Inappropriate implementation in installer.
  * debian/control:
    - add nodejs as a build dependency
    - bump the clang and llvm build dependencies to version 9 which was
      recently backported to bionic
  * debian/rules: build gn with clang 9
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-extra-arflags.patch: refreshed
  * debian/patches/node-use-system-wide.patch: added
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/use-clang-versioned.patch: updated
  * debian/patches/widevine-enable-version-string.patch: refreshed
  * debian/tests/html5test: update test expectations for the removal
    of the Web Components V0 APIs
    (see https://www.chromestatus.com/feature/5144752345317376)

 -- Olivier Tilloy <email address hidden> Wed, 05 Feb 2020 15:50:26 +0100
Source diff to previous version
CVE-2020-6381 Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap c
CVE-2020-6382 Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HT
CVE-2019-18197 In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to
CVE-2019-19926 multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE:
CVE-2020-6385 Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass site isolation via a crafted HT
CVE-2019-19880 exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER B
CVE-2019-19925 zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
CVE-2020-6387 Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted v
CVE-2020-6388 Out of bounds access in WebAudio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafte
CVE-2020-6389 Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted v
CVE-2020-6390 Out of bounds memory access in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a
CVE-2020-6391 Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to bypass content security policy
CVE-2020-6392 Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious
CVE-2020-6393 Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTM
CVE-2020-6394 Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a cra
CVE-2020-6395 Out of bounds read in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from pr
CVE-2020-6396 Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar)
CVE-2020-6397 Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page
CVE-2020-6398 Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a cra
CVE-2020-6399 Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted
CVE-2020-6400 Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML pa
CVE-2020-6401 Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via
CVE-2020-6402 Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a mal
CVE-2020-6403 Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL
CVE-2020-6404 Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to potentially exploit heap corruption via craf
CVE-2020-6405 Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from proces
CVE-2020-6406 Use after free in audio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML pa
CVE-2019-19923 flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view.
CVE-2020-6408 Insufficient policy enforcement in CORS in Google Chrome prior to 80.0.3987.87 allowed a local attacker to obtain potentially sensitive information v
CVE-2020-6409 Inappropriate implementation in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker who convinced the user to enter a URI to byp
CVE-2020-6410 Insufficient policy enforcement in navigation in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to confuse the user via a crafted doma
CVE-2020-6411 Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via
CVE-2020-6412 Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via
CVE-2020-6413 Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass HTML validators via a crafted HTML p
CVE-2020-6414 Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass navigation restrictions v
CVE-2020-6415 Inappropriate implementation in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption vi
CVE-2020-6416 Insufficient data validation in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a
CVE-2020-6417 Inappropriate implementation in installer in Google Chrome prior to 80.0.3987.87 allowed a local attacker to execute arbitrary code via a crafted reg

Version: 79.0.3945.130-0ubuntu0.18.04.1 2020-02-05 15:06:54 UTC

  chromium-browser (79.0.3945.130-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 79.0.3945.130
    - CVE-2020-6378: Use-after-free in speech recognizer.
    - CVE-2020-6379: Use-after-free in speech recognizer.
    - CVE-2020-6380: Extension message verification error.
  * debian/control: remove libgnome-keyring-dev build dependency (LP: #1828192)
  * debian/rules: build with use_gnome_keyring=false
  * debian/known_gn_gen_args-*: change use_gnome_keyring build flag to false

 -- Olivier Tilloy <email address hidden> Mon, 27 Jan 2020 17:57:12 +0100
Source diff to previous version
1828192 Please stop build-depending on libgnome-keyring

Version: 79.0.3945.79-0ubuntu0.18.04.1 2019-12-16 22:07:04 UTC

  chromium-browser (79.0.3945.79-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 79.0.3945.79
    - CVE-2019-13725: Use after free in Bluetooth.
    - CVE-2019-13726: Heap buffer overflow in password manager.
    - CVE-2019-13727: Insufficient policy enforcement in WebSockets.
    - CVE-2019-13728: Out of bounds write in V8.
    - CVE-2019-13729: Use after free in WebSockets.
    - CVE-2019-13730: Type Confusion in V8.
    - CVE-2019-13732: Use after free in WebAudio.
    - CVE-2019-13734: Out of bounds write in SQLite.
    - CVE-2019-13735: Out of bounds write in V8.
    - CVE-2019-13764: Type Confusion in V8.
    - CVE-2019-13736: Integer overflow in PDFium.
    - CVE-2019-13737: Insufficient policy enforcement in autocomplete.
    - CVE-2019-13738: Insufficient policy enforcement in navigation.
    - CVE-2019-13739: Incorrect security UI in Omnibox.
    - CVE-2019-13740: Incorrect security UI in sharing.
    - CVE-2019-13741: Insufficient validation of untrusted input in Blink.
    - CVE-2019-13742: Incorrect security UI in Omnibox.
    - CVE-2019-13743: Incorrect security UI in external protocol handling.
    - CVE-2019-13744: Insufficient policy enforcement in cookies.
    - CVE-2019-13745: Insufficient policy enforcement in audio.
    - CVE-2019-13746: Insufficient policy enforcement in Omnibox.
    - CVE-2019-13747: Uninitialized Use in rendering.
    - CVE-2019-13748: Insufficient policy enforcement in developer tools.
    - CVE-2019-13749: Incorrect security UI in Omnibox.
    - CVE-2019-13750: Insufficient data validation in SQLite.
    - CVE-2019-13751: Uninitialized Use in SQLite.
    - CVE-2019-13752: Out of bounds read in SQLite.
    - CVE-2019-13753: Out of bounds read in SQLite.
    - CVE-2019-13754: Insufficient policy enforcement in extensions.
    - CVE-2019-13755: Insufficient policy enforcement in extensions.
    - CVE-2019-13756: Incorrect security UI in printing.
    - CVE-2019-13757: Incorrect security UI in Omnibox.
    - CVE-2019-13758: Insufficient policy enforcement in navigation.
    - CVE-2019-13759: Incorrect security UI in interstitials.
    - CVE-2019-13761: Incorrect security UI in Omnibox.
    - CVE-2019-13762: Insufficient policy enforcement in downloads.
    - CVE-2019-13763: Insufficient policy enforcement in payments.
  * debian/patches/chromium_useragent.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/default-allocator: refreshed
  * debian/patches/disable-sse2: refreshed
  * debian/patches/fix-extra-arflags.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/patches/widevine-enable-version-string.patch: updated
  * debian/patches/widevine-other-locations: updated

 -- Olivier Tilloy <email address hidden> Wed, 11 Dec 2019 10:17:07 +0100
Source diff to previous version
CVE-2019-13725 Use-after-free in Bluetooth in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2019-13726 Buffer overflow in password manager in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code via a crafted HTML pag
CVE-2019-13727 Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass same origin policy via a cra
CVE-2019-13728 Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a craft
CVE-2019-13729 Use-after-free in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HT
CVE-2019-13730 Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HT
CVE-2019-13732 Use-after-free in WebAudio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML
CVE-2019-13734 Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted H
CVE-2019-13735 Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to execute arbitrary code inside a sandbox via a c
CVE-2019-13764 Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HT
CVE-2019-13736 Integer overflow in PDFium in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF
CVE-2019-13737 Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive info
CVE-2019-13738 Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted
CVE-2019-13739 Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homogr
CVE-2019-13740 Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-13741 Insufficient validation of untrusted input in Blink in Google Chrome prior to 79.0.3945.79 allowed a local attacker to bypass same origin policy via
CVE-2019-13742 Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL ba
CVE-2019-13743 Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a craft
CVE-2019-13744 Insufficient policy enforcement in cookies in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted H
CVE-2019-13745 Insufficient policy enforcement in audio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTM
CVE-2019-13746 Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL
CVE-2019-13747 Uninitialized data in rendering in Google Chrome on Android prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption vi
CVE-2019-13748 Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive in
CVE-2019-13749 Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL ba
CVE-2019-13750 Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a cra
CVE-2019-13751 Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from proces
CVE-2019-13752 Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from proces
CVE-2019-13753 Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from proces
CVE-2019-13754 Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass navigation restrictions via
CVE-2019-13755 Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to disable extensions via a crafted HT
CVE-2019-13756 Incorrect security UI in printing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page
CVE-2019-13757 Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a
CVE-2019-13758 Insufficient policy enforcement in navigation in Google Chrome on Android prior to 79.0.3945.79 allowed a remote attacker to bypass navigation restri
CVE-2019-13759 Incorrect security UI in interstitials in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML
CVE-2019-13761 Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a
CVE-2019-13762 Insufficient policy enforcement in downloads in Google Chrome on Windows prior to 79.0.3945.79 allowed a local attacker to spoof downloaded files via
CVE-2019-13763 Insufficient policy enforcement in payments in Google Chrome prior to 79.0.3945.79 allowed a remote attacker who had compromised the renderer process

Version: 78.0.3904.108-0ubuntu0.18.04.1 2019-11-21 22:07:06 UTC

  chromium-browser (78.0.3904.108-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 78.0.3904.108 (LP: #1853149)
    - CVE-2019-13723: Use-after-free in Bluetooth.
    - CVE-2019-13724: Out-of-bounds access in Bluetooth.

 -- Olivier Tilloy <email address hidden> Tue, 19 Nov 2019 16:31:49 +0100
Source diff to previous version
1853149 78.0.3904.108-1 released for stable channel; fixes CVEs

Version: 78.0.3904.97-0ubuntu0.18.04.1 2019-11-15 04:06:19 UTC

  chromium-browser (78.0.3904.97-0ubuntu0.18.04.1) bionic; urgency=medium

  * Upstream release: 78.0.3904.97

 -- Olivier Tilloy <email address hidden> Thu, 07 Nov 2019 06:44:09 +0100


About   -   Send Feedback to @ubuntu_updates