Version in base suite: 143.0.7499.169-1~deb13u1
Version in overlay suite: 144.0.7559.109-1~deb13u1
Base version: chromium_144.0.7559.109-1~deb13u1
Target version: chromium_144.0.7559.109-2~deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/chromium/chromium_144.0.7559.109-1~deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/chromium/chromium_144.0.7559.109-2~deb13u1.dsc
changelog | 9 ++++
patches/CVE-2026-1861.patch | 87 ++++++++++++++++++++++++++++++++++++++++++++
patches/CVE-2026-1862.patch | 68 ++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 166 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1d6myla2/chromium_144.0.7559.109-1~deb13u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1d6myla2/chromium_144.0.7559.109-2~deb13u1.dsc: no acceptable signature found
diff -Nru chromium-144.0.7559.109/debian/changelog chromium-144.0.7559.109/debian/changelog
--- chromium-144.0.7559.109/debian/changelog 2026-01-29 01:19:05.000000000 +0000
+++ chromium-144.0.7559.109/debian/changelog 2026-02-04 03:40:28.000000000 +0000
@@ -1,3 +1,12 @@
+chromium (144.0.7559.109-2~deb13u1) trixie-security; urgency=high
+
+ * Backport security fixes:
+ - CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google.
+ - CVE-2026-1862: Type Confusion in V8.
+ Reported by Chaoyuan Peng (@ret2happy).
+
+ -- Andres Salomon Tue, 03 Feb 2026 22:40:28 -0500
+ chromium (144.0.7559.109-1~deb13u1) trixie-security; urgency=high + + * New upstream security release.
diff -Nru chromium-144.0.7559.109/debian/patches/CVE-2026-1861.patch chromium-144.0.7559.109/debian/patches/CVE-2026-1861.patch
--- chromium-144.0.7559.109/debian/patches/CVE-2026-1861.patch 1970-01-01 00:00:00.000000000 +0000
+++ chromium-144.0.7559.109/debian/patches/CVE-2026-1861.patch 2026-02-04 03:40:28.000000000 +0000
@@ -0,0 +1,87 @@
+commit 14cd170a941f88e6fb145ebb873a3c8f87645834
+Author: Wan-Teh Chang
+Date: Wed Jan 21 18:03:55 2026 -0800
+
+ write_superframe_index: return 0 if buffer is full
+
+ write_superframe_index() should return the number of bytes written to
+ ctx->pending_cx_data. If ctx->pending_cx_data is full,
+ write_superframe_index() doesn't write the optional superframe index, so
+ it should return 0 in this case. Add an assertion that would have
+ detected this bug. Add and clarify comments for code related to this
+ bug.
+
+ Also fix the buffer full check. The check should not assume that
+ ctx->pending_cx_data is equal to ctx->cx_data, and the check had an
+ off-by-one error.
+
+ The bug was introduced when write_superframe_index() was added in the
+ following CLs:
+ https://chromium-review.googlesource.com/c/webm/libvpx/+/44659
+ https://chromium-review.googlesource.com/c/webm/libvpx/+/45268
+
+ Bug: oss-fuzz:476466137
+ Change-Id: Ie113568cf25acc73f8af640a3c51cfdb5b900613
+ (cherry picked from commit d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1)
+
+diff --git a/third_party/libvpx/source/libvpx/vp9/vp9_cx_iface.c b/third_party/libvpx/source/libvpx/vp9/vp9_cx_iface.c
+index 3e896848f..fca71290e 100644
+--- a/third_party/libvpx/source/libvpx/vp9/vp9_cx_iface.c
++++ b/third_party/libvpx/source/libvpx/vp9/vp9_cx_iface.c
+@@ -8,7 +8,9 @@
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
++#include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -122,6 +124,7 @@ struct vpx_codec_alg_priv {
+ VP9_COMP *cpi;
+ unsigned char *cx_data;
+ size_t cx_data_sz;
++ // pending_cx_data either is a null pointer or points into the cx_data buffer.
+ unsigned char *pending_cx_data;
+ size_t pending_cx_data_sz;
+ int pending_frame_count;
+@@ -1252,8 +1255,12 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
+
+ // Write the index
+ index_sz = 2 + (mag + 1) * ctx->pending_frame_count;
+- if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) {
+- uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz;
++ unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz;
++ unsigned char *pending_cx_data_end =
++ ctx->pending_cx_data + ctx->pending_cx_data_sz;
++ ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end;
++ if (index_sz <= space_remaining) {
++ uint8_t *x = pending_cx_data_end;
+ int i, j;
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+ uint8_t marker_test = 0xc0;
+@@ -1284,6 +1291,8 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+ index_sz += index_sz_test;
+ #endif
++ } else {
++ index_sz = 0;
+ }
+ return index_sz;
+ }
+@@ -1612,9 +1621,12 @@ static vpx_codec_err_t encoder_encode(vpx_codec_alg_priv_t *ctx,
+ ctx->pending_frame_sizes[ctx->pending_frame_count++] = size;
+ ctx->pending_frame_magnitude |= size;
+ ctx->pending_cx_data_sz += size;
+- // write the superframe only for the case when
+- if (!ctx->output_cx_pkt_cb.output_cx_pkt)
++ // write the superframe only for the case when the callback function
++ // for getting per-layer packets is not registered.
++ if (!ctx->output_cx_pkt_cb.output_cx_pkt) {
+ size += write_superframe_index(ctx);
++ assert(size <= cx_data_sz);
++ }
+ pkt.data.frame.buf = ctx->pending_cx_data;
+ pkt.data.frame.sz = ctx->pending_cx_data_sz;
+ ctx->pending_cx_data = NULL;
diff -Nru chromium-144.0.7559.109/debian/patches/CVE-2026-1862.patch chromium-144.0.7559.109/debian/patches/CVE-2026-1862.patch
--- chromium-144.0.7559.109/debian/patches/CVE-2026-1862.patch 1970-01-01 00:00:00.000000000 +0000
+++ chromium-144.0.7559.109/debian/patches/CVE-2026-1862.patch 2026-02-04 03:40:28.000000000 +0000
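Review bot: The buffer-full branch `} else { index_sz = 0; }` in `write_superframe_index` now silently emits the pending frames without a superframe index, and the only check on that outcome is `assert(size <= cx_data_sz)` in `encoder_encode`, which compiles out under NDEBUG; I would say so at the branch, e.g. `// Buffer full: the superframe index is optional, so leave it out and report 0 bytes written.`. The comment added to `pending_cx_data` in `struct vpx_codec_alg_priv` states the invariant that `space_remaining = cx_data_end - pending_cx_data_end` relies on, but no site that assigns `pending_cx_data` is in the hunk, so the invariant is documented rather than enforced; `assert(ctx->pending_cx_data >= ctx->cx_data && pending_cx_data_end <= cx_data_end);` next to the subtraction would make a violation fail in debug builds instead of quietly producing a negative `space_remaining`. In this rendering the two added `#include` lines and the `Author:` line have lost the text between angle brackets, so the patch as shown here would not apply; compare against the file in the package. `write_superframe_index` and `encoder_encode` both begin and end outside the hunks.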
@@ -0,0 +1,68 @@
+commit 87d8ea13e6e3b22d1c161f500184d4abc02aa049
+Author: Victor Gomes
+Date: Fri Jan 30 15:18:32 2026 +0100
+
+ Merge: [maglev] Module variables can be the hole
+
+ Module variables are lowered in Maglev to
+ LoadTaggedField(cell, Cell:kValueOffset).
+
+ Drive-by: order opcodes alphabetically in CanBeTheHoleValue.
+
+ Fixed: 479726070
+
+ (cherry picked from commit 4508b5dfb26e86f975fc57cf04350d67071fe98e)
+
+ Change-Id: I7487d9a83de83b1af7eb2917820d179b576676cf
+ Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7535119
+ Commit-Queue: Marja Hölttä
+ Reviewed-by: Marja Hölttä
+ Auto-Submit: Victor Gomes
+ Cr-Commit-Position: refs/branch-heads/14.4@{#46}
+ Cr-Branched-From: 80acc26727d5a34e77dabeebe7c9213ec1bd4768-refs/heads/14.4.258@{#1}
+ Cr-Branched-From: ce7e597e90f6df3fa4b6df224bc613b80c635450-refs/heads/main@{#104020}
+
+diff --git a/v8/src/maglev/maglev-ir.cc b/v8/src/maglev/maglev-ir.cc
+index fa8d01e37f9..ee6af1a841d 100644
+--- a/v8/src/maglev/maglev-ir.cc
++++ b/v8/src/maglev/maglev-ir.cc
+@@ -621,6 +621,13 @@ Tribool ValueNode::IsTheHole() const {
+ if (const RootConstant* cst = TryCast()) {
+ return ToTribool(cst->index() == RootIndex::kTheHoleValue);
+ }
++ if (const LoadTaggedField* load = TryCast()) {
++ // Modules variables can be the hole.
++ if (load->offset() == Cell::kValueOffset) {
++ return Tribool::kMaybe;
++ }
++ return Tribool::kFalse;
++ }
+ if (const LoadFixedArrayElement* load = TryCast()) {
+ if (load->load_type() != LoadType::kUnknown) {
+ return Tribool::kFalse;
+diff --git a/v8/src/maglev/maglev-ir.h b/v8/src/maglev/maglev-ir.h
+index 7866f05de7a..f099ff641d4 100644
+--- a/v8/src/maglev/maglev-ir.h
++++ b/v8/src/maglev/maglev-ir.h
+@@ -710,17 +710,18 @@ constexpr bool CanBeStoreToNonEscapedObject(Opcode opcode) {
+
+ constexpr bool CanBeTheHoleValue(Opcode opcode) {
+ switch (opcode) {
+- case Opcode::kInitialValue:
+- case Opcode::kCallRuntime:
+ // TODO(victorgomes): Should we have a list of builtins that could
+ // return the hole?
+ case Opcode::kCallBuiltin:
++ case Opcode::kCallRuntime:
+ case Opcode::kGeneratorRestoreRegister:
+- case Opcode::kRootConstant:
++ case Opcode::kInitialValue:
+ case Opcode::kLoadContextSlot:
+ case Opcode::kLoadContextSlotNoCells:
+ case Opcode::kLoadFixedArrayElement:
++ case Opcode::kLoadTaggedField:
+ case Opcode::kPhi:
++ case Opcode::kRootConstant:
+ return true;
+ default:
+ return false;
diff -Nru chromium-144.0.7559.109/debian/patches/series chromium-144.0.7559.109/debian/patches/series
--- chromium-144.0.7559.109/debian/patches/series 2026-01-21 10:06:03.000000000 +0000
+++ chromium-144.0.7559.109/debian/patches/series 2026-02-04 03:40:28.000000000 +0000
@@ -31,6 +31,8 @@
# Fixes upstream bug 464638992. We can drop it at v145.
upstream/fix-rk3588-v4l2-av1-decoder.patch
+CVE-2026-1861.patch
+CVE-2026-1862.patch
disable/tests.patch
disable/tests-swiftshader.patch
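Review bot: The comment on the new `LoadTaggedField` branch in `ValueNode::IsTheHole`, `// Modules variables can be the hole.`, has a typo and does not say why comparing `load->offset()` with `Cell::kValueOffset` is the test; I would write `// Module variables are lowered to LoadTaggedField(cell, Cell::kValueOffset) and the cell may hold the hole, so a tagged load at that offset is conservatively kMaybe.`. Matching on the offset alone also treats loads at the same offset from non-Cell objects as kMaybe, which is the safe direction, whereas the `return Tribool::kFalse;` for every other offset asserts that no other tagged field load can yield the hole; if that is intended it deserves a sentence in the comment now that `CanBeTheHoleValue` admits `kLoadTaggedField` as a whole opcode. In this rendering the `TryCast()` calls and the `Author:` line have lost their angle-bracketed text, so the hunk as shown would not compile; verify against the patch file itself. `ValueNode::IsTheHole` begins and ends outside the hunk, and the `CanBeTheHoleValue` switch in maglev-ir.h ends outside its hunk.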