
Bug 581524 (CVE-2016-1660, CVE-2016-1661, CVE-2016-1662, CVE-2016-1663, CVE-2016-1664, CVE-2016-1665, CVE-2016-1666)

Summary: <www-client/chromium-50.0.2661.94: multiple vulnerabilities {CVE-2016-(1660,1661,1662,1663,1664,1665,1666)}
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: chromium, phmagic
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://googlechromereleases.blogspot.fr/2016/04/stable-channel-update_28.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-04-29 11:25:38 UTC
From ${URL} :

The stable channel has been updated to 50.0.2661.94 for Windows, Mac, and Linux.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 9 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$3000][574802] High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG.
[$3000][601629] High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar.
[$3000][603732] High CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
[$3000][603987] High CVE-2016-1663: Use-after-free in Blink’s V8 bindings. Credit to anonymous.
[$1000][597322] Medium CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
[$1000][606181] Medium CVE-2016-1665: Information leak in V8. Credit to gksgudtjr456.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
[607652] CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2016-05-01 00:35:37 UTC
I committed 50.0.2661.94. Feel free to stabilize it.
Comment 2 Alexander Bezrukov 2016-05-02 14:02:00 UTC
(In reply to Mike Gilbert from comment #1)
> I committed 50.0.2661.94. Feel free to stabilize it.

Either the Manifest or the distfile propagated to the mirrors with errors (I tried several before reporting the issue). This perhaps deserves a separate bug report, but I would like to make you aware of the issue.

>>> Fetching (1 of 1) www-client/chromium-50.0.2661.94::gentoo
>>> Downloading 'http://mirror.yandex.ru/gentoo-distfiles/distfiles/chromium-50.0.2661.94.tar.xz'
--2016-05-02 16:51:08--  http://mirror.yandex.ru/gentoo-distfiles/distfiles/chromium-50.0.2661.94.tar.xz
Resolving mirror.yandex.ru (mirror.yandex.ru)... 213.180.204.183
Connecting to mirror.yandex.ru (mirror.yandex.ru)|213.180.204.183|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 531491584 (507M) [application/octet-stream]
Saving to: ‘/scratch/portage/distfiles/chromium-50.0.2661.94.tar.xz’

/scratch/portage/distfiles/chromium-50.0.2661.94 100%[==========================================================================================================>] 506.87M  6.78MB/s   in 86s    

2016-05-02 16:52:34 (5.91 MB/s) - ‘/scratch/portage/distfiles/chromium-50.0.2661.94.tar.xz’ saved [531491584/531491584]

!!! Fetched file: chromium-50.0.2661.94.tar.xz VERIFY FAILED!
!!! Reason: Failed on SHA256 verification
!!! Got:      85549f4f044bcb3f67f30c7726cfce4485dfb263651a577791549319ea0a0af2
!!! Expected: 66f0516b076d42b3f00a5fa4ebf31304cb98973179b1cb2fecda8e0b186dba19

and so on.
Comment 3 Mike Gilbert gentoo-dev 2016-05-04 00:34:59 UTC
The current Manifest entry is correct, and I had no problem downloading the file from distfiles.gentoo.org.
Comment 4 Mike Gilbert gentoo-dev 2016-05-04 00:35:37 UTC
Adding archs.
Comment 5 Agostino Sarubbo gentoo-dev 2016-05-04 07:14:52 UTC
The targeted version is stable. Do we need to do something?

I had no problem downloading from distfiles.gentoo.org either.
Comment 6 Alexander Bezrukov 2016-05-04 07:20:34 UTC
(In reply to Agostino Sarubbo from comment #5)
> The targeted version is stable. Do we need to do something?
> 
> I had no problem downloading from distfiles.gentoo.org either.

Someone created bug #581924 after my comment #2 here. There is (or was) an error in propagating the distfile across mirrors, and the corruption seems to be different across different distfiles mirrors.

I downloaded the distfile from Google and it passed checksum checks. Any mirrors I tried yesterday (quite many) returned broken files.
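
For readers who want to check a fetched distfile independently of the mirror it came from, as discussed in comments 2 and 6, here is an added example (not part of the bug report and not Portage's own code). It assumes the Manifest `DIST <name> <size> <HASH> <hex> ...` line layout; the file name and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Manifest hash names this sketch can check (hashlib has no guaranteed WHIRLPOOL).
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

def parse_dist(line):
    """Split 'DIST <name> <size> <HASH> <hex> ...' into (name, size, {HASH: hex})."""
    f = line.split()
    if len(f) < 5 or f[0] != "DIST" or len(f) % 2 == 0:
        raise ValueError("not a DIST entry: %r" % line)
    return f[1], int(f[2]), dict(zip(f[3::2], (h.lower() for h in f[4::2])))

def verify(path, size, expected):
    """Return [(check, expected, got)] for every mismatch; an empty list means verified."""
    problems = []
    if os.path.getsize(path) != size:
        problems.append(("size", size, os.path.getsize(path)))
    ctxs = {n: HASHES[n]() for n in expected if n in HASHES}
    if not ctxs:  # never report success when nothing was actually hashed
        problems.append(("no-supported-hash", sorted(expected), None))
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream; distfiles are large
            for c in ctxs.values():
                c.update(chunk)
    for n, c in ctxs.items():
        if c.hexdigest() != expected[n]:
            problems.append((n, expected[n], c.hexdigest()))
    return problems

def demo():
    """Constructed sample: a small file, its DIST line, then a same-size one-byte change."""
    data = b"constructed distfile payload\n" * 1000
    line = "DIST example-1.0.tar.xz %d SHA256 %s SHA512 %s" % (
        len(data), hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest())
    name, size, expected = parse_dist(line)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(data)
        clean = verify(path, size, expected)
        with open(path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")  # corrupt one byte, length unchanged
        corrupt = verify(path, size, expected)
    return clean, corrupt

if __name__ == "__main__":
    print(demo())
```

A same-size corruption passes the size check and is caught only by the digests, so the size and every listed hash are checked separately and reported individually.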
Comment 7 Mike Gilbert gentoo-dev 2016-05-04 11:58:20 UTC
(In reply to Agostino Sarubbo from comment #5)
> The targeted version is stable. Do we need to do something?

There was no comment on the bug, so I did not realize you had stabilized it.
Comment 8 Mike Gilbert gentoo-dev 2016-05-04 12:00:10 UTC
Cleanup is done.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2016-05-14 22:55:59 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-05-17 05:36:31 UTC
This issue was resolved and addressed in GLSA 201605-02 at https://security.gentoo.org/glsa/201605-02 by GLSA coordinator Yury German (BlueKnight).