956774 – (CVE-2025-5280, CVE-2025-5281, CVE-2025-5283) <www-client/chromium-137.0.7151.55, <www-client/google-chrome-137.0.7151.55, www-client/microsoft-edge, www-client/opera: Multiple vulnerabilities

Bug 956774 (CVE-2025-5280, CVE-2025-5281, CVE-2025-5283) - <www-client/chromium-137.0.7151.55, <www-client/google-chrome-137.0.7151.55, www-client/microsoft-edge, www-client/opera: Multiple vulnerabilities

Summary: <www-client/chromium-137.0.7151.55, <www-client/google-chrome-137.0.7151.55, ...

Status:	CONFIRMED

Alias:	CVE-2025-5280, CVE-2025-5281, CVE-2025-5283

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://chromereleases.googleblog.com...
Whiteboard:
Keywords:

Depends on:	956775
Blocks:
	Show dependency tree

Reported:	2025-05-28 22:00 UTC by Matt Jolly
Modified:	2025-05-28 23:32 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2025-5063, CVE-2025-5064, CVE-2025-5065, CVE-2025-5066, CVE-2025-5067
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matt Jolly gentoo-dev

2025-05-28 22:00:00 UTC

Chrome 137.0.7151.55 contains a number of fixes and improvements.

This update includes 11 security fixes.

[TBD][411573532] High CVE-2025-5063: Use after free in Compositing. Reported by Anonymous on 2025-04-18

[TBD][417169470] High CVE-2025-5280: Out of bounds write in V8. Reported by [pwn2car] on 2025-05-12

[$4000][40058068] Medium CVE-2025-5064: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer  on 2021-11-29

[$2000][40059071] Medium CVE-2025-5065: Inappropriate implementation in FileSystemAccess API. Reported by NDevTK on 2022-03-11

[$1000][356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639)  on 2024-07-31

[TBD][417215501] Medium CVE-2025-5281: Inappropriate implementation in BFCache. Reported by Jesper van den Ende (Pelican Party Studios) on 2025-05-12

[TBD][419467315] Medium CVE-2025-5283: Use after free in libvpx. Reported by Mozilla on 2025-05-22

[$500][40075024] Low CVE-2025-5067: Inappropriate implementation in Tab Strip. Reported by Khalil Zhani on 2023-10-17

CVEs CVE-2025-5063, CVE-2025-5064, CVE-2025-5065, CVE-2025-5066, CVE-2025-5067 already aliased in last week's early stable bump / security update from upstream.

Comment 1 Larry the Git Cow gentoo-dev

2025-05-28 23:30:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b386ab460485f067e6ddd4ca830c9ac3cb69385c

commit b386ab460485f067e6ddd4ca830c9ac3cb69385c
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2025-05-28 22:01:02 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2025-05-28 23:23:17 +0000

    www-client/google-chrome: automated update (137.0.7151.55)
    
    Bug: https://bugs.gentoo.org/956774
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...-chrome-136.0.7103.113.ebuild => google-chrome-137.0.7151.55.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c178c38438a95b88f70a2480a5fd45c34a92f49e

commit c178c38438a95b88f70a2480a5fd45c34a92f49e
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2025-05-27 22:50:19 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2025-05-28 23:23:17 +0000

    www-client/chromium: add 137.0.7151.55
    
    Bug: https://bugs.gentoo.org/956774
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/chromium/Manifest                      |    2 +
 www-client/chromium/chromium-137.0.7151.55.ebuild | 1551 +++++++++++++++++++++
 2 files changed, 1553 insertions(+)