Bug 6927 - Update Chromium to the last stable version
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All
OS: Linux
Priority: High
Severity: normal
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/530372/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Related bugs: 2317 8567
Reported: 2012-08-01 17:55 CEST by Raphaël Vinet
Modified: 2013-04-10 10:18 CEST
Source RPM: chromium-browser-stable-26.0.1410.51-1.mga2

Attachments
My Spec File, Backported from ROSA (9.63 KB, text/x-rpm-spec) - 2013-03-24 23:51 CET, Adrien D

Description Raphaël Vinet 2012-08-01 17:55:13 CEST
Hi,

The new stable release of Chromium is now 21.0.1180.57.

As always, the new version contains several security bug fixes:

--> http://googlechromereleases.blogspot.be/2012/07/stable-channel-release.html
Comment 1 Anderson Carvalho 2012-09-02 02:25:16 CEST
chromium-browser-stable-21.0.1180.81 is already in Cauldron; it could be made available in the Mageia 2 repository /core/updates_testing/.
Comment 2 Arnaud Vacquier 2012-12-04 21:59:33 CET
Bump: the latest release is 23.x, and we are still on 21 :(

"http://www.chromium.org/getting-involved/dev-channel#TOC-Linux"

Thank you
Comment 3 Arnaud Vacquier 2012-12-04 21:59:54 CET
Oops, I meant Mageia 3, sorry.
Comment 4 Manuel Hiebel 2012-12-04 22:10:13 CET
*** Bug 8300 has been marked as a duplicate of this bug. ***
Comment 5 Manuel Hiebel 2012-12-08 02:10:20 CET
*** Bug 8327 has been marked as a duplicate of this bug. ***
Comment 6 David Walser 2012-12-21 16:22:41 CET
Probably would be a good idea to sync our package with OpenSuSE as much as possible, as they do the best job of any distro out there of keeping it updated.

Their most recent advisory for it is from today (December 21):
http://lists.opensuse.org/opensuse-updates/2012-12/msg00073.html

They updated it to 25.0.1362

It doesn't appear to be maintained anymore in Mandriva, who we used to sync with.

ROSA does maintain it and their package of course is based on Mandriva's.

ROSA most recently updated it to 23.0.1271.97 on December 12:
https://abf.rosalinux.ru/import/chromium-browser-stable/tree/rosa2012.1
Comment 7 David Walser 2013-01-01 02:40:44 CET
v8 should also be updated along with this, as there are two security issues.
Comment 8 R Topics 2013-01-04 20:35:52 CET
With the originating request for the version in Cauldron, not certain from the above comments whether Chromium in Mageia 2 is being considered for a security upgrade.

If not it should be.  Would that require a separate bug report?
Comment 9 Manuel Hiebel 2013-01-04 21:14:00 CET
No, we use the whiteboard when we have bugs that affect several releases, with the version field set to the highest one.
Comment 10 David Walser 2013-02-05 18:59:32 CET
OpenSuSE has issued an advisory on February 4:
http://lists.opensuse.org/opensuse-updates/2013-02/msg00005.html

It updates to 26.0.1383, fixing several more security issues.

from http://lwn.net/Vulnerabilities/536111/
Comment 11 Anderson Carvalho 2013-02-22 10:55:58 CET
The version of Chromium in Mageia 2 is very outdated; Google already has a stable version of Chrome, 25.0.1364.97.
Comment 12 Anderson Carvalho 2013-02-22 11:04:15 CET
Downloading continuous Chromium builds.

Chromium builds do not auto-update, and do not have symbols. This makes them most useful for checking whether a claimed fix actually works. The most recent Chromium build from the build waterfall is available at http://download-chromium.appspot.com. Use the following instructions to find earlier builds:
1. Head to http://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html
2. Choose your platform: Mac, Windows, Linux, ChromiumOS
3. Pick the Chromium build number you'd like to use
   - The latest one is mentioned in the LAST_CHANGE file
4. Download the zip file containing Chromium
5. There is a binary executable within to run ($ ./chrome)
Please file bugs as appropriate: http://code.google.com/p/chromium/issues/entry
Comment 13 David Walser 2013-03-14 19:04:19 CET
OpenSuSE has issued an advisory today (March 14):
http://lists.opensuse.org/opensuse-updates/2013-03/msg00045.html

It updates to 27.0.1425, fixing several more security issues.

from http://lwn.net/Vulnerabilities/542922/
Comment 14 Malo Deniélou 2013-03-21 19:41:24 CET
Any volunteer to update chromium?
Comment 15 Adrien D 2013-03-21 19:48:23 CET
I use the Chromium browser.

If you want, I build my own RPMs (unsigned) and share them on mageialinux-online.org.

You can test my RPMs, but I do not guarantee that they will not break your machine.

http://linuxtricks.asso-linux-online.fr/adrien/rpm/mga2/x86_64/chromium-browser-stable-25.0.1364.172-1.mga2.x86_64.rpm

http://linuxtricks.asso-linux-online.fr/adrien/rpm/mga2/i586/chromium-browser-stable-25.0.1364.172-1.mga2.i586.rpm
Comment 16 Malo Deniélou 2013-03-21 19:52:17 CET
Adrien, you should join our packager team, and directly produce packages for everyone! I can mentor you if you want.
Comment 17 Sander Lepik 2013-03-21 19:52:49 CET
I still think we should drop Chromium.

The workaround is quite easy:

Google has a repo for Chrome @ http://dl.google.com/linux/chrome/rpm/stable/<ARCH> - so far it seems to work fine on Mageia 2 and also on Mageia 3 (cauldron). We can add a howto to the errata.

Chromium has been a problem since Mageia 1 and we shouldn't release software that we can't maintain.
Comment 18 Anderson Carvalho 2013-03-21 22:25:29 CET
Repository google-chrome:

# urpmi.addmedia --update google-chrome http://dl.google.com/linux/chrome/rpm/stable/$(uname -m | sed -e "s/i.86/i386/")
Comment 19 Adrien D 2013-03-21 22:31:09 CET
Google Chrome isn't open source.

Chromium is ;)

I would like to use Chromium for this.
Comment 20 Anderson Carvalho 2013-03-21 22:41:10 CET
I had mentioned how to get Chromium binaries:

https://bugs.mageia.org/show_bug.cgi?id=6927#c12
Comment 21 D Morgan 2013-03-23 13:56:09 CET
please test new cauldron package
Comment 22 Sander Lepik 2013-03-23 16:32:37 CET
What about Mageia 2? It should be updated there first..
Comment 23 David Walser 2013-03-24 00:29:42 CET
(In reply to Sander Lepik from comment #22)
> What about Mageia 2? It should be updated there first..

Actually things should always be updated in Cauldron first.

Of course in this particular case, I was under the impression we were dropping this for Cauldron due to being unable to consistently maintain it.
Comment 24 D Morgan 2013-03-24 09:14:03 CET
(In reply to Sander Lepik from comment #22)
> What about Mageia 2? It should be updated there first..

I need tests; I won't upload broken stuff to mga2.
Comment 25 D Morgan 2013-03-24 09:14:31 CET
(In reply to David Walser from comment #23)
> (In reply to Sander Lepik from comment #22)
> > What about Mageia 2? It should be updated there first..
> 
> Actually things should always be updated in Cauldron first.
> 
> Of course in this particular case, I was under the impression we were
> dropping this for Cauldron due to being unable to consistently maintain it.

I worked on it.
Comment 26 Sander Lepik 2013-03-24 11:05:34 CET
(In reply to D Morgan from comment #24)
> (In reply to Sander Lepik from comment #22)
> > What about Mageia 2? It should be updated there first..
> 
> i need tests i won't upload broken stuffs in mga2

We have testing for that. You only work on it at the very last stage on Cauldron and then forget it. That's not the way to go. You did this during the Mageia 2 release and you are doing it again. You are keeping users out there with an unpatched version of Chromium - do you understand that?

Mageia 2 went out with version 18 and is now on version 20. WTF? Be honest and finally admit that you can't keep it up to date and it's time to drop it.

Security-related bugs should be taken care of first on the stable release!

Sorry for the harsh words but I'm quite pissed about it. It's been going on and on and on. It's time to stop..
Comment 27 Raphaël Vinet 2013-03-24 11:29:06 CET
Hi,

As the one who opened this ticket ...

I agree with Sander that Chromium should be dropped from Mageia, because it seems impossible to keep a Chromium package up to date during a whole release, and every release always has security fixes. Just look at it since the start of Mageia.

Nobody's fault!!! Just an observation --> it seems the only browser that can be supported is Firefox, even if I prefer Chrome/Chromium ;)

Personally I use the Chrome (Red Hat / Fedora) RPMs that can be downloaded from Google.
I know it is not free like Chromium, but with that I have the latest stable version with all security fixes on time ...
Comment 28 David Walser 2013-03-24 11:39:49 CET
(In reply to Sander Lepik from comment #26)
> Mageia 2 went out with version 18 and is now on version 20. WTF? Be honest
> and finally admit it that you can't keep it up to date and it's time to drop
> it.

I agree with this.  I don't fault anyone for this either, it's a lot of work to maintain this package consistently, and nobody has the time and interest to do it.

> Security related bugs should be taken care first on stable release!

Again, that's absolutely incorrect.
Comment 29 Adrien D 2013-03-24 11:47:15 CET
There are some problems with PNG images :

http://img93.xooimage.com/files/d/1/c/screen12-3ce270a.png

(MGA 3 - 32bits)
Comment 30 Adrien D 2013-03-24 19:14:08 CET
If other people have the same problem, you can try changing line 132:

-         -Duse_system_libpng=1 \
+         -Duse_system_libpng=0 \
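Review bot: flipping -Duse_system_libpng to 0 makes the symptom go away by bundling Chromium's own libpng, but it does not address the cause shown by the warning reported in this thread, `libpng warning: Application built with libpng-1.2.45 but running with 1.5.13`: the tree was compiled against the bundled 1.2.x headers while the binary was linked to the system 1.5.x library, and that header/library mismatch is the thing to fix (build against the system headers when linking the system library, or bundle both consistently). Note the trade-off for a security update: a bundled libpng stops receiving the distribution's libpng security fixes, so if use_system_libpng=0 is kept, the package should be flagged for re-review whenever a libpng advisory appears.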

Thanks
Comment 31 D Morgan 2013-03-24 19:48:19 CET
Yes, but this is not really the right solution :( (I would like a real fix instead).

It seems this is not built with the system libpng in fact, as in the terminal we can see:

libpng warning: Application built with libpng-1.2.45 but running with 1.5.13
Comment 32 Adrien D 2013-03-24 22:25:15 CET
It's OK now! Without libpng!
Comment 33 David Walser 2013-03-24 22:27:03 CET
D Morgan, looks like you just pushed a build to nonfree.  I'm guessing that was meant to be tainted.  Also, don't forget to fix v8 also (Bug 8567), especially since one of your builds is using the system one now.
Comment 34 Adrien D 2013-03-24 23:37:27 CET
minizip-devel does not exist on Mageia 2.

You must change the spec file ;)
Comment 35 David Walser 2013-03-24 23:43:05 CET
The release tag should be set to 1 for the Mageia 2 build.
Comment 36 Adrien D 2013-03-24 23:51:43 CET
Created attachment 3653 [details]
My Spec File, Backported from ROSA

If you want, I'll share my spec file for Mageia 2, backported from ROSA Labs.
My Chromium source isn't the same, but I lose nothing by sharing my work.
Comment 37 D Morgan 2013-03-27 22:43:41 CET
We don't use the ROSA spec file, and the ROSA spec file comes from the MDV one (which is the one we use).
For mga2 this is a linking issue because of the use of the bundled minizip.

I'm closing this bug report as Cauldron is now updated.
Comment 38 Sander Lepik 2013-03-27 22:49:41 CET
(In reply to D Morgan from comment #37)
> we don't use rosa spec file. and rosa spec file is from mdv one ( which is
> use ).
> For mga2 this is a linking issue because of the use of the bundle minizip.
> 
> I close this bugreport as cauldron is now updated.

Seriously!? WTF?!? This bug is filed against Mageia 2 and you are closing it? What's wrong with you? :/ I repeat, if you can't keep it up to date on the stable release, it's time to drop it!
Comment 39 Raphaël Vinet 2013-03-28 18:05:16 CET
Hi,

It is really time to decide what to do with Chromium!
Now it is more of a 'bad joke' than anything else :/

Remark:
And you probably know that there is just a new release --> 26.0.1410.43 ... so what? A new ticket and waiting 8 months?

A+
Raph
Comment 40 D Morgan 2013-03-28 18:51:54 CET
Chromium is now up to date (building minizip in zlib).

But help is welcome, not insults.

Apologies expected ...


QA team, please test this new version. This may have problems as I built with the system libpng (this can be detected by graphical issues in the main interface).


This has to be pushed with zlib (as we build with minizip coming from zlib, which wasn't available in mga2).
Comment 41 D Morgan 2013-03-28 18:53:31 CET
For the advisory, here are the bugs fixed in this new version:

    [$1000] [172342] High CVE-2013-0916: Use-after-free in Web Audio. Credit to Atte Kettunen of OUSPG.
    [180909] Low CVE-2013-0917: Out-of-bounds read in URL loader. Credit to Google Chrome Security Team (Cris Neckar).
    [180555] Low CVE-2013-0918: Do not navigate dev tools upon drag and drop. Credit to Vsevolod Vlasov of the Chromium development community.
    [Linux only] [178760] Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions. Credit to Google Chrome Security Team (Mustafa Emre Acer).
    [177410] Medium CVE-2013-0920: Use-after-free in extension bookmarks API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
    [174943] High CVE-2013-0921: Ensure isolated web sites run in their own processes.
    [174129] Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts. Credit to “t3553r”.
    [169981] [169972] [169765] Medium CVE-2013-0923: Memory safety issues in the USB Apps API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
    [169632] Low CVE-2013-0924: Check an extension’s permissions API usage against file permissions. Credit to Benjamin Kalman of the Chromium development community.
    [168442] Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions. Credit to Michael Vrable of Google.
    [112325] Medium CVE-2013-0926: Avoid pasting active tags in certain situations. Credit to Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).
Comment 42 David Walser 2013-03-28 19:16:36 CET
(In reply to D Morgan from comment #41)
> for the advisory here is the bug fixed in this new version :

Some of those probably don't even apply to the version we currently have in 2.

If we're gonna do the advisory right, we need to list the CVEs that actually affect the version we currently have, that have since been fixed.  That would include ones fixed in previous versions, but not vulnerabilities introduced in intermediate versions...probably hard to determine the correct list.  Might be better just to say this update fixes multiple unspecified vulnerabilities.
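Comment 42 raises the question that actually matters for the MGASA text: which of the CVEs in comment 41's list, and in the releases between the shipped version and the update, affected the build Mageia 2 users had installed. The script below is an added example by the editor, not code from the Mageia packaging or from anyone on this bug. It parses release-note lines in the format comment 41 pastes (square-bracket tags carrying bug ids, a bounty or a platform note, then a severity word, the CVE, a title and an optional "Credit to ...") and keeps only the entries whose fix landed after the installed version and no later than the update, dropping any bug recorded as introduced after the installed version. The 26.0.1410.51 entries are copied from comment 41; the 18.0.0.0 and 23.0.0.0 releases, every CVE-1970-* identifier, the INTRODUCED_IN table and the 20.0.0.0 installed version are constructed placeholders (the page only says Mageia 2 shipped version 18 and was on version 20).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example by the editor, not Mageia packaging code.  Release-note lines
# keyed by the Chromium version whose stable announcement listed them.  The
# 26.0.1410.51 block is copied from comment 41 on this bug; "18.0.0.0",
# "23.0.0.0" and every CVE-1970-* identifier are CONSTRUCTED placeholders.
RELEASE_NOTES: Dict[str, str] = {
    "18.0.0.0": """
[100003] Low CVE-1970-0003: Placeholder already fixed before the installed version.
""",
    "23.0.0.0": """
[100001] High CVE-1970-0001: Placeholder fixed between the installed and target versions.
[100002] Medium CVE-1970-0002: Placeholder introduced after the installed version (see INTRODUCED_IN).
""",
    "26.0.1410.51": """
[$1000] [172342] High CVE-2013-0916: Use-after-free in Web Audio. Credit to Atte Kettunen of OUSPG.
[180909] Low CVE-2013-0917: Out-of-bounds read in URL loader. Credit to Google Chrome Security Team (Cris Neckar).
[180555] Low CVE-2013-0918: Do not navigate dev tools upon drag and drop. Credit to Vsevolod Vlasov of the Chromium development community.
[Linux only] [178760] Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions. Credit to Google Chrome Security Team (Mustafa Emre Acer).
[177410] Medium CVE-2013-0920: Use-after-free in extension bookmarks API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
[174943] High CVE-2013-0921: Ensure isolated web sites run in their own processes.
[174129] Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts. Credit to “t3553r”.
[169981] [169972] [169765] Medium CVE-2013-0923: Memory safety issues in the USB Apps API. Credit to Google Chrome Security Team (Mustafa Emre Acer).
[169632] Low CVE-2013-0924: Check an extension’s permissions API usage against file permissions. Credit to Benjamin Kalman of the Chromium development community.
[168442] Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions. Credit to Michael Vrable of Google.
[112325] Medium CVE-2013-0926: Avoid pasting active tags in certain situations. Credit to Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).
""",
}
# Constructed: a bug known to have entered the code base after the installed
# version never affected its users, so it does not belong in the advisory.
INTRODUCED_IN: Dict[str, str] = {"CVE-1970-0002": "22.0.0.0"}

@dataclass
class Entry:
    cve: str
    severity: str
    title: str
    bugs: List[str]            # Chromium issue numbers from the square-bracket tags
    fixed_in: str              # release whose notes listed the fix
    linux_only: bool = False
    bounty: Optional[str] = None
    credit: Optional[str] = None

# "[tag] [tag] Severity CVE-YYYY-NNNN: title. Credit to someone."
LINE_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\]\s*)+)(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d+):\s*(?P<rest>.+)$")

def vkey(version: str) -> tuple:
    """Chromium versions are dotted integers; compare numerically, never as strings."""
    return tuple(int(p) for p in version.split("."))

def parse_release_notes(version: str, text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line: skip it, never guess a CVE
        tags = re.findall(r"\[([^\]]*)\]", m.group("tags"))
        title, _, credit = m.group("rest").partition(" Credit to ")
        entries.append(Entry(
            cve=m.group("cve"), severity=m.group("severity"),
            title=title.rstrip(". "), fixed_in=version,
            bugs=[t for t in tags if t.isdigit()],
            linux_only=any(t.lower() == "linux only" for t in tags),
            bounty=next((t for t in tags if t.startswith("$")), None),
            credit=credit.rstrip(". ") or None))
    return entries

def applicable_cves(installed: str, target: str, releases: Dict[str, List[Entry]],
                    introduced_in: Optional[Dict[str, str]] = None) -> List[Entry]:
    """Entries an advisory for installed -> target should list: the fix landed
    after `installed` and no later than `target`, and the bug predates `installed`."""
    lo, hi = vkey(installed), vkey(target)
    introduced_in = introduced_in or {}
    out: List[Entry] = []
    for version in sorted(releases, key=vkey):
        if not lo < vkey(version) <= hi:
            continue  # fixed before the installed version, or not yet in the target
        for e in releases[version]:
            born = introduced_in.get(e.cve)
            if born is not None and vkey(born) > lo:
                continue  # introduced in an intermediate version; never shipped to these users
            out.append(e)
    return out

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
def advisory_lines(installed: str, target: str) -> List[str]:
    """One line per applicable CVE, most severe first, ready for the MGASA text."""
    releases = {v: parse_release_notes(v, t) for v, t in RELEASE_NOTES.items()}
    entries = sorted(applicable_cves(installed, target, releases, INTRODUCED_IN),
                     key=lambda e: (SEVERITY_RANK[e.severity], e.cve))
    return [f"{e.cve} ({e.severity}{', Linux only' if e.linux_only else ''}, "
            f"fixed in {e.fixed_in}): {e.title}" for e in entries]

if __name__ == "__main__":
    # "20.0.0.0" is a placeholder: the page only says Mageia 2 was on version 20.
    print("\n".join(advisory_lines("20.0.0.0", "26.0.1410.51")))
```

The script skips any line it cannot parse and excludes a CVE only when its introduction point is explicitly recorded; a release note it fails to read, or a CVE whose introduction point nobody knows, is exactly the situation where the fallback wording from comments 42 and 43, "this update fixes multiple unspecified vulnerabilities", is the honest choice rather than a guessed list.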
Comment 43 D Morgan 2013-03-28 19:18:13 CET
I think yes, it would be simpler to say "this update fixes multiple unspecified vulnerabilities."
Comment 44 Adrien D 2013-03-28 19:25:51 CET
Thanks for Chromium for MGA2.

But I get a dependency on zlib-devel, and for a desktop computer I don't need the devel library for zlib.

Is it possible not to force the devel library to be installed on these computers?
Comment 45 D Morgan 2013-03-28 20:04:35 CET
It doesn't require zlib-devel but libminizip.so.1.
Comment 46 Manuel Hiebel 2013-03-29 18:32:54 CET
You can reassign to QA when it's ready (with the list of SRPMs), thanks.
Comment 47 D Morgan 2013-04-02 19:10:45 CEST
@Raphaël Vinet: can you "end" this "bad joke" and test?
Comment 48 Dave Hodgins 2013-04-02 21:33:07 CEST
The following packages will require linking:
libprotobuf6-2.4.1-1.mga2 (Core 32bit Release)
lib64protobuf6-2.4.1-1.mga2 (Core Release)

D Morgan, I've tested both arches. If you'll assign this to QA, I'll validate the update.
Comment 49 Raphaël Vinet 2013-04-03 19:08:35 CEST
Hi,

Last time with Chromium in Mageia for me, because I don't believe in the durability of this package anymore and I will not recommend the use of this browser.

I installed the package (+ 2 dependencies).

Problem with Google synchronisation.

In French: 'Petit problème ... la synchronisation s'est arrêtée' ('Small problem ... synchronisation has stopped'). As written in the help page from Google, I did:

- Disconnect from the Google account when using Chrome (no problem with it)
- Quit Chrome
- Make sure that no Chrome process was running
... but nothing good.

Even after deleting all chrome / chromium directories / files and starting a fresh Chromium session ... no way to do the connection and the synchronisation from Google.
Comment 50 D Morgan 2013-04-04 07:31:03 CEST
I can reproduce on Cauldron. I will ask the Chromium devs.
Comment 51 Dave Hodgins 2013-04-04 09:41:44 CEST
(In reply to D Morgan from comment #50)
> i can reproduce on cauldron. i will ask chromium devs.

While it worked fine for the testing I did, I'll hold off validating the update till this is clarified.
Comment 52 D Morgan 2013-04-05 17:59:11 CEST
As this fixes a lot of CVEs (some HIGH), I don't know if it is a good idea to hold off the update.

I will push new updates as soon as they are available.
Comment 53 Dave Hodgins 2013-04-07 01:46:53 CEST
As per comment 52, I'll go ahead and validate this update.

Could someone from the sysadmin team push the srpm
chromium-browser-stable-26.0.1410.51-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates,
and link the rpm packages
libprotobuf6-2.4.1-1.mga2 (Core 32bit Release)
lib64protobuf6-2.4.1-1.mga2 (Core Release)
from Core Release to Core Updates.

Please see comment 41 for the advisory.
Comment 54 D Morgan 2013-04-07 22:07:05 CEST
It needs libminizip too (so a push of zlib).
Comment 55 Thomas Backlund 2013-04-10 00:04:00 CEST
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0113
Comment 56 Sander Lepik 2013-04-10 09:03:23 CEST
zlib is not pushed (comment #54).
Comment 57 Adrien D 2013-04-10 09:10:54 CEST
It's libminizip and libminizip-devel, no?

They are in Mageia Core Updates Testing!
Comment 58 Sander Lepik 2013-04-10 09:13:30 CEST
(In reply to Adrien D from comment #57)
> It's libminizip and libminizip-devel no ?
> 
> There are in Mageia Core Update Testing !

They are all provided by zlib SRPM.
Comment 59 D Morgan 2013-04-10 09:27:52 CEST
Should be OK now.
Comment 60 claire robinson 2013-04-10 10:18:52 CEST
Reassigning to QA so it stays in the right searches
