[Nix-dev] Chromium: Unpatched CVEs or Missing Features?
Graham Christensen
graham at grahamc.com
Mon Nov 7 01:50:58 CET 2016
> can you give a sense of the severity of the CVEs in question?
From one LWN summary[0], it looks pretty serious:
Multiple flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Chromium to crash,
execute arbitrary code, or disclose sensitive information when visited
by the victim.
> Now that I've installed that build into my System profile, it does work.
> It would be great to have clarity on the situation
I've applied the patches to 16.09 in my own branch[1] to test this, if
anyone would like to try it on stable. Interesting that it might work
globally installed. Not sure I understand why that is possible. I'll
report how it goes after the (very long) chromium build :)
Thank you,
Graham
[0] https://lwn.net/Vulnerabilities/703767/
[1] https://github.com/grahamca/nixpkgs/tree/chromium-16.09 (note: this
is against the channel version, so no chance of a massive rebuild...
other than chrome :) )