chromium update: 5.0.375.127 -> 6.0.472.53

All done.

For maverick, everything is waiting for approval.
For lucid-security, it's all there: http://people.ubuntu.com/~fta/chromium/6.0.472.53~r57914-0ubuntu0.10.04.1/

it's also available in both the Beta and Stable PPAs.

Uploaded gyp, libvpx, chromium-codec-ffmpeg and chromium-browser for lucid to ubuntu-security-proposed.

This bug was fixed in the package chromium-browser - 6.0.472.53~r57914-0ubuntu1

---------------
chromium-browser (6.0.472.53~r57914-0ubuntu1) maverick; urgency=low

  * New upstream release from the Stable Channel (LP: #628924)
    This release fixes the following security issues:
    - [34414] Low, Pop-up blocker bypass with blank frame target. Credit to
      Google Chrome Security Team (Inferno) and “ironfist99”.
    - [37201] Medium, URL bar visual spoofing with homographic sequences.
      Credit to Chris Weber of Casaba Security.
    - [41654] Medium, Apply more restrictions on setting clipboard content.
      Credit to Brook Novak.
    - [45659] High, Stale pointer with SVG filters. Credit to Tavis Ormandy of
      the Google Security Team.
    - [45876] Medium, Possible installed extension enumeration. Credit to
      Lostmon.
    - [46750] [51846] Low, Browser NULL crash with WebSockets. Credit to Google
      Chrome Security Team (SkyLined), Google Chrome Security Team (Justin Schuh)
      and Keith Campbell.
    - [50386] High, Use-after-free in Notifications presenter. Credit to Sergey
      Glazunov.
    - [50839] High, Notification permissions memory corruption. Credit to
      Michal Zalewski of the Google Security Team and Google Chrome Security
      Team (SkyLined).
    - [51630] [51739] High, Integer errors in WebSockets. Credit to Keith
      Campbell and Google Chrome Security Team (Cris Neckar).
    - [51653] High, Memory corruption with counter nodes. Credit to kuzzcc.
    - [51727] Low, Avoid storing excessive autocomplete entries. Credit to
      Google Chrome Security Team (Inferno).
    - [52443] High, Stale pointer in focus handling. Credit to VUPEN
      Vulnerability Research Team (VUPEN-SR-2010-249).
    - [52682] High, Sandbox parameter deserialization error. Credit to Ashutosh
      Mehra and Vineet Batra of the Adobe Reader Sandbox Team.
    - [53001] Medium, Cross-origin image theft. Credit to Isaac Dawson.
  * Enable all codecs for HTML5 in Chromium, depending on which ffmpeg sumo lib
    is installed, the set of usable codecs (at runtime) will still vary.
    This is now done by setting proprietary_codecs=1 so we can drop our patch
    - update debian/rules
    - drop debian/patches/html5_video_mimetypes.patch
    - update debian/patches/series
  * Bump the Dependencies on chromium-codecs-ffmpeg to >= 0.6, needed for the new API
    - update debian/control
  * Add "libcups2-dev | libcupsys2-dev" (the latter for Hardy) to Build-Depends.
    This is needed for Cloud Printing
    - update debian/control
  * Add libppapi_tests.so and linker.lock to INSTALL_EXCLUDE_FILES and
    DumpRenderTree_resources/ to INSTALL_EXCLUDE_DIRS
    - update debian/rules
  * Install resources.pak in the main deb, and remove all resources/ accordingly
    - update debian/chromium-browser.install
  * Add libgnome-keyring-dev to Build-Depends. This is needed for the GNOME
    Keyring and KWallet integration. See http://crbug.com/12351
    - update debian/control
  * Ship empty policy dirs (for now) in /etc/chromium-browser/policies
    - update debian/rules
    - update debian/chromium-browser.dirs
  * Bump build-deps for gyp to >...

This bug was fixed in the package chromium-codecs-ffmpeg - 0.6+svn20100811r55740+56137-0ubuntu1

---------------
chromium-codecs-ffmpeg (0.6+svn20100811r55740+56137-0ubuntu1) maverick; urgency=low

  * New upstream snapshot (LP: #628924)
  * Drop the sse2 patch, it has been applied upstream, and set disable_sse2
    - drop debian/patches/*
    - update debian/rules
  * Unpack the sources during pre-build so quilt has access to all source files
    and set QUILT_PATCHES (for hardy)
    - update debian/rules
  * Add libvpx-dev to Build-Depends and set the use_system_vpx gyp knob
    - update debian/control
    - update debian/rules
  * Re-do the get-orig-source rule with 2 repos instead of 3 following
    the upstream reorganization and follow the revision requested by
    Chromium for now on
    - update debian/rules
  * FTBFS when an upstream patch fails to apply, as it could lead to weird
    situations
    - update debian/rules
  * Bump build-deps for gyp to >= 0.1~svn837
    - update debian/control
 -- Fabien Tassin <email address hidden> Sun, 15 Aug 2010 04:00:02 +0200

This bug was fixed in the package gyp - 0.1~svn840-0ubuntu1

---------------
gyp (0.1~svn840-0ubuntu1) maverick; urgency=low

    * New upstream snapshot (LP: #628924)
 -- Fabien Tassin <email address hidden> Thu, 02 Sep 2010 17:03:41 +0200

Marking libvpx on Maverick as Invalid-- it is already in Maverick.

Not that there is much choice in the matter due to upstream's release practices, but it should at least be mentioned that the size of the source tarball for chromium-browser_5.0.375.127~r55887.orig.tar.gz was 93M and for chromium-browser_6.0.472.53~r57914.orig.tar.gz it is a quite large 146M. This is approximately 6924398 lines of source vs 8348228-- that is a *lot* of new code.

chromium-codecs-ffmpeg FTBFS on lucid and maverick, which is a regression over chromium 5.0.

@Jamie

#6: i never asked for it, see the original description of this bug.

#7: i didn't change the get-orig-source rule recently. it's probably possible to go through all the deps once again and prune the tree a little bit more, but as it is, each time upstream adopts a new project in its tree, the tarball grows accordingly. I've already spent countless hours dropping unneeded code (win/mac only), but it's a moving target.

#8: i don't have access to any ARM machine, as such, i'm unable to proactively detect those situations.
I've already contacted upstream and i will update the package accordingly.

Pocket copied chromium-browser, gyp, chromium-codecs-ffmpeg, and libvpx to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Copied everything to lucid-proposed even though chromium-codecs-ffmpeg FTBFS on armel. Idea is that at a minimum, we can get testing on i386 amd64 while upstream fixes chromium-codecs-ffmpeg.

Fabien pointed out the arm FTBFS is http://code.google.com/p/chromium/issues/detail?id=49617.

Tested on amd64 with QRT and it works as well as the previous version.

As mentioned, this works well here, however unlike previous updates this will break ARM. It is my opinion that we should push this to -security and -updates regardless, since there are some rather important fixes in here. Due to the nature of the update, I am uncomfortable pushing to -security without the SRU team's input. Can someone from ubuntu-sru comment?

Fabien provided updated chromium-codecs-ffmpeg packages with ARM fixes which are now building in the security-proposed PPA. When done building, I will move them to lucid-proposed. Once these are verified I think we should copy all of them to lucid-security and lucid-updates immediately (since chromium-browser and the others are verified to work).

chromium-codecs-ffmpeg 0.6+svn20100904r58574+58998-0ubuntu0.10.04.1 uploaded to lucid-proposed, which fixes the arm FTBFS.

chromium-codecs-ffmpeg tested with www.youtube.com/watch?v=_hTiRnqnvDs (html5 green lantern trailer, see www.webmproject.org/users/).

$ apt-cache policy chromium-codecs-ffmpeg-extra
chromium-codecs-ffmpeg-extra:
  Installed: 0.6+svn20100904r58574+58998-0ubuntu0.10.04.1
  Candidate: 0.6+svn20100904r58574+58998-0ubuntu0.10.04.1
  Version table:
 *** 0.6+svn20100904r58574+58998-0ubuntu0.10.04.1 0
        100 /var/lib/dpkg/status

@ubuntu-sru: it is my opinion that we should pocket copy at your earliest convenience.

I don't see that we have any option. Acked.

Copied to lucid-security and lucid-updates.