bug#47154: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs
Package: guix
Submitter: Léo Le Bouter
Severity: normal

From: Léo Le Bouter
To: bug-guix@gnu.org
Date: Mon, 15 Mar 2021 09:44:22 +0100
Subject: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

Hello!

Latest version is 89.0.4389.90

ungoogled-chromium upstream has it:
https://github.com/Eloston/ungoogled-chromium/commit/64cbcbcfee33fd56760173b3a17d2de52cd77258

Debian also upgraded:
https://salsa.debian.org/chromium-team/chromium/-/commit/8a1f530bdc3fc90993cdc1499e77f9e91468a686

I am not sure how to undertake this upgrade, I tried a little bit but
it failed at failing to delete some bundled third_party directories.

Would love to know in more detail what is the process for upgrading
ungoogled-chromium, license checking and patch rebasing if necessary.

Thank you!

From: Léo Le Bouter
To: 47154-done@debbugs.gnu.org
Date: Fri, 19 Mar 2021 09:48:59 +0100
Subject: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

Fixed by 1155a88308df7649fe74bd5bb8279a4d103ce386

From: Marius Bakke
To: Léo Le Bouter, 47154@debbugs.gnu.org
Date: Sat, 20 Mar 2021 14:41:04 +0100
Subject: Re: ungoogled-chromium@88.0.4324.182 package vulnerable to various severe CVEs

Hello!

Sorry for not seeing this earlier.

Léo Le Bouter writes:

> I am not sure how to undertake this upgrade, I tried a little bit but
> it failed at failing to delete some bundled third_party directories.
>
> Would love to know in more detail what is the process for upgrading
> ungoogled-chromium, license checking and patch rebasing if necessary.

For major upgrades such as 88->89, I usually comment out the pruning
script from the snippet, and add a phase such as...

  (add-after 'unpack 'prune
    (lambda _
      (apply invoke "python"
             "build/linux/unbundle/remove_bundled_libraries.py"
             "--do-remove"
             (list ,@%preserved-third-party-files))))

...to avoid having to repack for every change to
%preserved-third-party-files.

Then just run './pre-inst-env guix build ...' as usual, see what the
configure phase reports, and adjust %preserved-third-party-files
accordingly.

Each "third_party" directory contains a README.chromium with license
information. That file is not always correct (i.e. listing a single
license when multiple are involved), so I typically check the source
files too.

For patch rebasing, sometimes I make the necessary adjustments manually
and use plain old "diff"; other times I'll create a git repository from
the vanilla Chromium source, apply patches, branch out and try to
cherry-pick the patches to the new version in order to benefit from
git's conflict markers.

I also keep an eye on the Arch and Gentoo Chromium packages for
"inspiration" (that's how I found the recent Opus patch).

Hope this helps, and thanks for the interest in helping out with
maintaining this package. :-)

Bug archived.
Date: Sun, 18 Apr 2021 11:24:04 +0000
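
Added example (not part of the thread, and not Guix or Chromium code): a triage helper for the license check Marius Bakke describes, comparing the "License:" field of each README.chromium with SPDX-License-Identifier tags found in that component's source files. It assumes the sources carry SPDX tags, matches only by license family, and uses a constructed sample tree; files without tags still have to be read by hand.

```python
import re
import tempfile
from pathlib import Path

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+)")
ID_RE = re.compile(r"[A-Za-z][A-Za-z0-9.+-]*")
OPERATORS = {"OR", "AND", "WITH"}

def declared_license(readme_text):
    """Return the value of the 'License:' field of a README.chromium, or ''."""
    for line in readme_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "license":
            return value.strip()
    return ""

def spdx_ids(directory):
    """Collect SPDX identifiers from the first 4 KiB of every file below directory."""
    found = set()
    for path in directory.rglob("*"):
        if path.is_file() and path.name != "README.chromium":
            head = path.read_bytes()[:4096].decode("utf-8", "replace")
            for expr in SPDX_RE.findall(head):
                found.update(t for t in ID_RE.findall(expr) if t not in OPERATORS)
    return found

def audit(third_party):
    """Map each component to the SPDX ids whose family its README does not name."""
    report = {}
    for readme in sorted(Path(third_party).rglob("README.chromium")):
        declared = declared_license(readme.read_text(errors="replace"))
        words = set(re.findall(r"[a-z]+", declared.lower()))
        missing = {i for i in spdx_ids(readme.parent) if i.split("-")[0].lower() not in words}
        if missing:
            report[str(readme.parent.relative_to(third_party))] = missing
    return report

def build_sample(root):
    """Constructed sample: the README declares MIT only, one source file is LGPL."""
    comp = Path(root) / "third_party" / "foo"
    comp.mkdir(parents=True)
    (comp / "README.chromium").write_text("Name: foo\nLicense: MIT\nLicense File: LICENSE\n")
    (comp / "a.c").write_text("// SPDX-License-Identifier: MIT\n")
    (comp / "b.c").write_text("/* SPDX-License-Identifier: LGPL-2.1-or-later */\n")
    return Path(root) / "third_party"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

Run against the unpacked source's third_party directory, each reported component is one whose README.chromium needs a closer look before it is added to %preserved-third-party-files.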