Format: 1.8
Date: Wed, 01 Apr 2026 12:42:51 -0400
Source: chromium
Architecture: source
Version: 146.0.7680.177-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Chromium Team
Changed-By: Andres Salomon
Changes:
 chromium (146.0.7680.177-1~deb13u1) trixie-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream security release.
     - CVE-2026-5272: Heap buffer overflow in GPU. Reported by inspector-ambitious.
     - CVE-2026-5273: Use after free in CSS. Reported by Anonymous.
     - CVE-2026-5274: Integer overflow in Codecs. Reported by heapracer (@heapracer).
     - CVE-2026-5275: Heap buffer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5276: Insufficient policy enforcement in WebUSB. Reported by Ariel Simon.
     - CVE-2026-5277: Integer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5278: Use after free in Web MIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5279: Object corruption in V8. Reported by Hyeonjun Ahn (@_deayzl).
     - CVE-2026-5280: Use after free in WebCodecs. Reported by heapracer (@heapracer).
     - CVE-2026-5281: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32.
     - CVE-2026-5282: Out of bounds read in WebCodecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5283: Inappropriate implementation in ANGLE. Reported by sweetchip.
     - CVE-2026-5284: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32.
     - CVE-2026-5285: Use after free in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-5286: Use after free in Dawn. Reported by sweetchip.
     - CVE-2026-5287: Use after free in PDF. Reported by Syn4pse.
     - CVE-2026-5288: Use after free in WebView. Reported by Google.
     - CVE-2026-5289: Use after free in Navigation. Reported by Google.
     - CVE-2026-5290: Use after free in Compositing. Reported by Google.
     - CVE-2026-5291: Inappropriate implementation in WebGL. Reported by heapracer (@heapracer).
     - CVE-2026-5292: Out of bounds read in WebCodecs. Reported by Google.
   * d/patches:
     - upstream/Fix-blink-compilation-for-platforms-other-than-x86-and-arm.patch:
       drop, merged upstream.
     - ungoogled/disable-ai.patch: resync with u-c.
 .
   [ Daniel Richard G. ]
   * d/copyright: Exclude *.pb (protobuf) binary files.
   * d/patches: Various ungoogled-chromium-related updates.
     - disable/glic.patch: Drop, replaced with disable-ai.patch from the
       ungoogled-chromium project.
     - ungoogled/disable-ai.patch: Import new patch from ungoogled-chromium
       that zaps glic, screen_ai, and various other adjacent AI-based features.
     - ungoogled/disable-mei-preload.patch: Import patch to allow building
       without *.pb files.
     - ungoogled/disable-privacy-sandbox.patch: Update imported patch.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - third_party/0005-blink-add-audio-vector-support.patch: Fix FTBFS from
       upstream adding vector-accelerated audio delay functions
 .
   [ Jianfeng Liu ]
   * d/patches/upstream:
     - Fix-blink-compilation-for-platforms-other-than-x86-and-arm.patch:
       Fix FTBFS from upstream for blink audio delay function on loong64