Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 684238 - <www-client/google-chrome-74.0.3729.108: Multiple Vulnerabilities (CVE-2019-{5805, 5806, 5807, 5808, 5809, 5810, 5811, 5812, 5813, 5814, 5815, 5816, 5817, 5818, 5819, 5820, 5821, 5822, 5823})
Summary: <www-client/google-chrome-74.0.3729.108: Multiple Vulnerabilities (CVE-2019-{...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-24 09:10 UTC by Ulenrich
Modified: 2019-09-08 18:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ulenrich 2019-04-24 09:10:29 UTC 
Here are the release infos of yesterday:
https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_23.html
Comment 1 Larry the Git Cow gentoo-dev 2019-04-24 14:50:17 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ba620a6298bf6925991a7bf131387831cfb7e2b

commit 8ba620a6298bf6925991a7bf131387831cfb7e2b
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-04-24 14:48:52 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-04-24 14:49:54 +0000

    www-client/google-chrome: automated update (74.0.3729.108)
    
    Closes: https://bugs.gentoo.org/684238
    Package-Manager: Portage-2.3.62_p4, Repoman-2.3.12_p87
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...e-chrome-73.0.3683.103.ebuild => google-chrome-74.0.3729.108.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 07:50:18 UTC 
jer, please do not close security bugs. Thank you!
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 07:54:47 UTC 
(In reply to Yury German from comment #2)
> jer, please do not close security bugs. Thank you!

My apologies... it was not you.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 08:00:01 UTC 
[$3000][913320] High CVE-2019-5805: Use after free in PDFium. Reported by Anonymous on 2018-12-10

[$3000][943087] High CVE-2019-5806: Integer overflow in Angle. Reported by Wen Xu of SSLab, Georgia Tech on 2019-03-18

[$3000][945644] High CVE-2019-5807: Memory corruption in V8. Reported by TimGMichaud of Leviathan Security Group. on 2019-03-26

[$3000][947029] High CVE-2019-5808: Use after free in Blink. Reported by cloudfuzzer on 2019-03-28

[$N/A][941008] High CVE-2019-5809: Use after free in Blink. Reported by Mark Brand of Google Project Zero on 2019-03-12

[$2000+$1,337][916838] Medium CVE-2019-5810: User information disclosure in Autofill. Reported by Mark Amery on 2018-12-20

[$2000][771815] Medium CVE-2019-5811: CORS bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04

[$2000][925598] Medium CVE-2019-5812: URL spoof in Omnibox on iOS. Reported by Khalil Zhani on 2019-01-26

[$2000][942699] Medium CVE-2019-5813: Out of bounds read in V8. Reported by Aleksandar Nikolic of Cisco Talos on 2019-03-15

[$1000][930057] Medium CVE-2019-5814: CORS bypass in Blink. Reported by @AaylaSecura1138 on 2019-02-08

[$1000][930663] Medium CVE-2019-5815: Heap buffer overflow in Blink. Reported by Nicolas Grégoire, Agarri on 2019-02-11

[$1000][940245] Medium CVE-2019-5816: Exploit persistence extension on Android. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2019-03-10

[$1000][943709] Medium CVE-2019-5817: Heap buffer overflow in Angle on Windows. Reported by Wen Xu of SSLab, Georgia Tech on 2019-03-19

[$500][929962] Medium CVE-2019-5818: Uninitialized value in media reader. Reported by Adrian Tolbaru on 2019-02-08

[$N/A][919356] Medium CVE-2019-5819: Incorrect escaping in developer tools. Reported by Svyat Mitin on 2019-01-06

[$N/A][919635] Medium CVE-2019-5820: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07

[$N/A][919640] Medium CVE-2019-5821: Integer overflow in PDFium. Reported by pdknsk on 2019-01-07

[$500][926105] Low CVE-2019-5822: CORS bypass in download manager. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-01-29

[$500][930154] Low CVE-2019-5823: Forced navigation from service worker. Reported by David Erceg on 2019-02-08

______________________________

New GLSA Opened.
Comment 5 Mike Gilbert gentoo-dev 2019-04-27 22:41:55 UTC 
(In reply to Ulenrich from comment #0)

Thanks, but in the future, please do not file version bump bugs for google-chrome. They are not useful.
Comment 6 Ulenrich 2019-04-27 22:57:22 UTC 
(In reply to Mike Gilbert from comment #5)
> (In reply to Ulenrich from comment #0)
> 
> Thanks, but in the future, please do not file version bump bugs for
> google-chrome. They are not useful.

@Mike, for me pernonally it is just a simple renaming version bump. Since I know it might probalby effect www-client/chromium AND it had such a bunch of security issues related, I bugged it for the sake of other Gentoo users. Should I name it then in future:
www-client/chromium-xxx version bump please
even if I don't know nothing about chromium? Or just nothing?
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 16:03:03 UTC 
This issue was resolved and addressed in
 GLSA 201908-18 at https://security.gentoo.org/glsa/201908-18
by GLSA coordinator Aaron Bauman (b-man).
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-08 18:21:19 UTC 
Restricting spam comment.