Format: 1.8
Date: Tue, 12 Aug 2025 17:12:12 -0400
Source: chromium
Architecture: source
Version: 139.0.7258.127-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Chromium Team
Changed-By: Andres Salomon
Changes:
 chromium (139.0.7258.127-1~deb13u1) trixie-security; urgency=high
 .
   * New upstream security release.
     - CVE-2025-8879: Heap buffer overflow in libaom. Reported by Anonymous
     - CVE-2025-8880: Race in V8. Reported by Seunghyun Lee (@0x10n).
     - CVE-2025-8901: Out of bounds write in ANGLE. Reported by Google Big Sleep.
     - CVE-2025-8881: Inappropriate implementation in File Picker. Reported by Alesandro Ortiz.
     - CVE-2025-8882: Use after free in Aura. Reported by Umar Farooq.
 .
 chromium (139.0.7258.66-1) unstable; urgency=high
 .
   * New upstream stable release.
     - CVE-2025-8576: Use after free in Extensions. Reported by asnine.
     - CVE-2025-8577: Inappropriate implementation in Picture In Picture. Reported by Umar Farooq.
     - CVE-2025-8578: Use after free in Cast. Reported by Fayez.
     - CVE-2025-8579: Inappropriate implementation in Gemini Live in Chrome. Reported by Alesandro Ortiz.
     - CVE-2025-8580: Inappropriate implementation in Filesystems. Reported by Huuuuu.
     - CVE-2025-8581: Inappropriate implementation in Extensions. Reported by Vincent Dragnea.
     - CVE-2025-8582: Insufficient validation of untrusted input in DOM. Reported by Anonymous.
     - CVE-2025-8583: Inappropriate implementation in Permissions. Reported by Shaheen Fazim.
   * d/copyright: delete third_party/enterprise_companion, as it includes a binary.
   * d/control: Replace elfutils build-dep with llvm-19 for switch to llvm-strip.
   * d/rules:
     - drop enable_nacl=false; upstream removed NaCL.
     - set enable_enterprise_companion=false.
     - disable Gemini AI (enable_glic=false).
   * d/patches:
     - disable/catapult.patch: refresh.
     - disable/buildtools-libc.patch: refresh.
     - system/eu-strip.patch: drop, upstream switched to llvm-strip.
     - bookworm/gn-revert-path-exists.patch: refresh & drop unused part.
     - ungoogled/disable-privacy-sandbox.patch: refresh.
     - fixes/bindgen.patch: rename to bookworm/bindgen.patch, since trixie now has a newer bindgen.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - sandbox/0001-sandbox-linux-Update-syscall-helpers-lists-for-ppc64.patch: Refresh for upstream changes
     - sandbox/0009-sandbox-updates-138.patch: Properly handle IPC and send syscalls
     - third_party/0001-add-xnn-ppc64el-support.patch: Refresh for upstream changes
     - third_party/0002-regenerate-xnn-buildgn.patch: Regenerate from upstream sources
     - third_party/skia-vsx-instructions.patch: Refresh for upstream changes
     - fixes/fix-partition-alloc-compile.patch: Refresh for upstream changes