Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679530 - <www-client/chromium-72.0.3626.121: Use-after-free in FileReader (CVE-2019-5786)
Summary: <www-client/chromium-72.0.3626.121: Use-after-free in FileReader (CVE-2019-5786)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal major
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: CVE-2019-5787, CVE-2019-5788, CVE-2019-5789, CVE-2019-5790, CVE-2019-5791, CVE-2019-5792, CVE-2019-5793, CVE-2019-5794, CVE-2019-5795, CVE-2019-5796, CVE-2019-5797, CVE-2019-5798, CVE-2019-5799, CVE-2019-5800, CVE-2019-5801, CVE-2019-5802, CVE-2019-5803, CVE-2019-5804
Blocks: CVE-2019-5786
  Show dependency tree
 
Reported: 2019-03-05 15:24 UTC by Agostino Sarubbo
Modified: 2019-03-28 02:23 UTC (History)
2 users (show)

See Also:
Package list:
www-client/chromium-72.0.3626.121
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2019-03-05 15:24:44 UTC 
From ${URL} :

The stable channel has been updated to 72.0.3626.121 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain 
restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
 This update includes 1 security fix. Please see the Chrome Security Page for more information.
[$N/A][936448] High CVE-2019-5786: Use-after-free in FileReader 


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas Sturmlechner gentoo-dev 2019-03-06 20:51:37 UTC 
Also affects dev-qt/qtwebengine.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-06 20:55:04 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/qt.git/commit/?id=32d376215b9ba05ff3d8abe9b76a36b08b1a6f7b

commit 32d376215b9ba05ff3d8abe9b76a36b08b1a6f7b
Author:     Jimi Huotari <chiitoo@gentoo.org>
AuthorDate: 2019-03-06 20:48:36 +0000
Commit:     Jimi Huotari <chiitoo@gentoo.org>
CommitDate: 2019-03-06 20:50:45 +0000

    dev-qt/qtwebengine: fix CVE-2019-5786
    
    Bug: https://bugs.gentoo.org/679530
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Jimi Huotari <chiitoo@gentoo.org>

 .../files/qtwebengine-5.12.1-CVE-2019-5786.patch   | 29 ++++++++++++++++++++++
 dev-qt/qtwebengine/qtwebengine-5.12.9999.ebuild    |  1 +
 dev-qt/qtwebengine/qtwebengine-5.13.9999.ebuild    |  2 ++
 dev-qt/qtwebengine/qtwebengine-5.9999.ebuild       |  5 +++-
 4 files changed, 36 insertions(+), 1 deletion(-)
Comment 3 Mike Gilbert gentoo-dev 2019-03-06 21:26:41 UTC 
(In reply to Andreas Sturmlechner from comment #1)
> Also affects dev-qt/qtwebengine.

Please file a separate bug for that so we can stablize packages independently.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-06 22:15:09 UTC 
Freeing alias for tracker bug.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-07 17:06:57 UTC 
amd64 stable
Comment 6 Frédéric Barthelery 2019-03-07 17:27:17 UTC 
Is the beta channel affected too ? I can't find the info
Comment 7 Mike Gilbert gentoo-dev 2019-03-07 19:35:05 UTC 
(In reply to Frédéric Barthelery from comment #6)
> Is the beta channel affected too ? I can't find the info

Google does not publish security advisories for the beta channel, and we never mark it stable.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-07 21:13:24 UTC 
(In reply to Frédéric Barthelery from comment #6)
> Is the beta channel affected too ? I can't find the info

Yes, beta is vulnerable. Fix is:

Beta: https://github.com/chromium/chromium/commit/0b8ac062693ce67019dfef28f76e0c79db8fa0a3

Nightly: https://github.com/chromium/chromium/commit/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449


@ Maintainer(s): Please don't forget to bump beta channel to >=73.0.3683.60.
Comment 9 Mike Gilbert gentoo-dev 2019-03-08 02:47:31 UTC 
You don't need to remind me how to maintain a package.
Comment 10 Michael Palimaka (kensington) gentoo-dev 2019-03-11 06:52:53 UTC 
Since bug #679650 has been filed to track dev-qt/qtwebgine, I will remove qt@ from CC here.
Comment 11 Mike Gilbert gentoo-dev 2019-03-17 02:50:30 UTC 
www-client/chromium-73.0.3683.75 has been added to the repo and will be stabilized under bug 680242.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:23:41 UTC 
This issue was resolved and addressed in
 GLSA 201903-23 at https://security.gentoo.org/glsa/201903-23
by GLSA coordinator Aaron Bauman (b-man).