-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 05 Aug 2025 17:48:13 -0400
Source: chromium
Architecture: source
Version: 139.0.7258.66-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
 chromium (139.0.7258.66-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream stable release.
     - CVE-2025-8576: Use after free in Extensions. Reported by asnine.
     - CVE-2025-8577: Inappropriate implementation in Picture In Picture.
       Reported by Umar Farooq.
     - CVE-2025-8578: Use after free in Cast. Reported by Fayez.
     - CVE-2025-8579: Inappropriate implementation in Gemini Live in
       Chrome. Reported by Alesandro Ortiz.
     - CVE-2025-8580: Inappropriate implementation in Filesystems.
       Reported by Huuuuu.
     - CVE-2025-8581: Inappropriate implementation in Extensions.
       Reported by Vincent Dragnea.
     - CVE-2025-8582: Insufficient validation of untrusted input in DOM.
       Reported by Anonymous.
     - CVE-2025-8583: Inappropriate implementation in Permissions.
       Reported by Shaheen Fazim.
   * d/copyright: delete third_party/enterprise_companion, as it includes
     a binary.
   * d/control:
     - Replace elfutils build-dep with llvm-19 for switch to llvm-strip.
     - Update rustc-web build-dep to >= 1.84.
   * d/rules:
     - drop enable_nacl=false; upstream removed NaCL.
     - set enable_enterprise_companion=false.
     - disable Gemini AI (enable_glic=false).
   * d/patches:
     - disable/catapult.patch: refresh.
     - disable/buildtools-libc.patch: refresh.
     - system/eu-strip.patch: drop, upstream switched to llvm-strip.
     - bookworm/gn-revert-path-exists.patch: refresh & drop unused part.
     - ungoogled/disable-privacy-sandbox.patch: refresh.
     - fixes/bindgen.patch: rename to bookworm/bindgen.patch, since trixie
       now has a newer bindgen.
     - bookworm/gn-absl.patch: refresh.
     - bookworm/rust-is-none-or.patch: drop, thanks to newer rustc-web.
     - bookworm/rust-unstable-features.patch: drop - newer rustc-web.
     - bookworm/bubble-contents.patch: drop, no longer needed.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - sandbox/0001-sandbox-linux-Update-syscall-helpers-lists-for-ppc64.patch:
       Refresh for upstream changes
     - sandbox/0009-sandbox-updates-138.patch: Properly handle IPC and send
       syscalls
     - third_party/0001-add-xnn-ppc64el-support.patch: Refresh for upstream
       changes
     - third_party/0002-regenerate-xnn-buildgn.patch: Regenerate from upstream
       sources
     - third_party/skia-vsx-instructions.patch: Refresh for upstream changes
     - fixes/fix-partition-alloc-compile.patch: Refresh for upstream changes
Checksums-Sha1:
 7376757ce96fc0619302d7f199aa9ab7174ef5af 4056 chromium_139.0.7258.66-1~deb12u1.dsc
 a9d30fc0a4c991d014aaa4df199346dd67064583 970141088 chromium_139.0.7258.66.orig.tar.xz
 1d651ecffa2440eff413365d51bc9864409abafe 8484128 chromium_139.0.7258.66-1~deb12u1.debian.tar.xz
 e82264a52e58bad5b691800f6c3805757a6af8af 26745 chromium_139.0.7258.66-1~deb12u1_source.buildinfo
Checksums-Sha256:
 961e2123ebabdbe450470f3d4f5b52d254f72639ff24a31c43682f9ee153b827 4056 chromium_139.0.7258.66-1~deb12u1.dsc
 b1eeb141ab939de93b7dc090497b906dc7515a2a4dc332fa2203b3510a419b7b 970141088 chromium_139.0.7258.66.orig.tar.xz
 c8b499eecaa9094ecd4ad33233cac5c5cc09041fcf910e1636497bec1ee49100 8484128 chromium_139.0.7258.66-1~deb12u1.debian.tar.xz
 f5faa3b26c1bf207c2444c436596e3bae6682abc6f41f9f5b7e0f773e9db0c1a 26745 chromium_139.0.7258.66-1~deb12u1_source.buildinfo
Files:
 983f80ba2eba794062ed23f9113f0201 4056 web optional chromium_139.0.7258.66-1~deb12u1.dsc
 217173c1f07c9482f1edca4e5f5846c6 970141088 web optional chromium_139.0.7258.66.orig.tar.xz
 edbab0e4a4371e16224d62e1cadaaf6a 8484128 web optional chromium_139.0.7258.66-1~deb12u1.debian.tar.xz
 3a9bea72c42eea45b99adf61837cb84f 26745 web optional chromium_139.0.7258.66-1~deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmiS3Q4UHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8Nudjdtqw//T4wqRKbqa+6zVfxNVf1gIRRkbL06
yKgUeXCCWPdzOnLplrgBSaaREhLrEYny/WnkrN5XrCm1HcMKZ7hNyvEuRazSRFj2
ugNnPRXkFzwf7kP7D+Kwmt6LANv5Zx9bCRWBQWXRStG9RF9obGs7S8ZbiMj98m3D
8a1N7eAgCl7vweLZolAmigwG4QuEo1IOFesuAKAjlp82NuTQ5CbX6ePYNhBmd0os
TUBG7xCq/EUaKo1wUTRUT1Gcbo+s1lscQMCO87MwmrbI5G5sQHYdfW8lwWhZ/k7B
lAdwiz6PajarhHgZxNvrjuxcOr2pesUa1HUSTT4r9KMsJsPjjQ+eDVeaSI2ttcCX
vqemBieurmEca2u9fuGiEfrF19Y5mx5AeVIfsdQPQeh3Z5P3IHSJg4rfoKqxS0eR
J3SouDUY57NKwLa6ZJ1qVZQYFCzrt//DRMFmruExjZus97TtRgzGE9qDk6Vh1Ldf
M83quy7cAoD1EeetkBKYDC0RNcNvrnNSZ3RpJ7QbxZXH0RjkuTyFtO9n2HP7EHnf
3L6VMNduRVB3x8qjIAv+SNvNZLgnsVCW1wIQCnFRV8dflRXC/FxqG+2xpgh5gK+a
qfw3fNfp5tk4BiS0BiOM7+O4uE+7iw1XKMEUz58XEn4Iq9bQfa4FIQwMpyIT6/9a
/3P5vMawDxD2Sg4=
=YRzy
-----END PGP SIGNATURE-----