Bug 666502 (CVE-2018-17458, CVE-2018-17459)

Summary: <www-client/chromium-69.0.3497.100: multiple vulnerabilities
Product: Gentoo Security
Reporter: Mike Gilbert <floppym>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chromium
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list: www-client/chromium-69.0.3497.100
Runtime testing required: ---

Description Mike Gilbert gentoo-dev 2018-09-18 19:47:29 UTC
https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop_11.html

The stable channel has been updated to 69.0.3497.92 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 2 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$3000][875322] High (CVE to be assigned): Function signature mismatch in WebAssembly. Reported by Kevin Cheung from Autodesk on 2018-08-17

[$TBD][880759] Medium (CVE to be assigned): URL Spoofing in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-09-05


https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop_17.html

The stable channel has been updated to 69.0.3497.100 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 1 security fix from our ongoing internal security work:
[884726] Fixes from internal audits, fuzzing and other initiatives

Comment 1 Larry the Git Cow gentoo-dev 2018-09-18 23:28:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd87e959015a2e89664ffd6bf789b85d644f63e5

commit dd87e959015a2e89664ffd6bf789b85d644f63e5
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2018-09-18 23:28:23 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2018-09-18 23:28:23 +0000

    www-client/chromium: amd64 stable
    
    Bug: https://bugs.gentoo.org/666502
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 www-client/chromium/chromium-69.0.3497.100.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 2 Richard Freeman gentoo-dev 2018-09-18 23:29:18 UTC
amd64 stable

Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2018-11-09 23:44:21 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.

Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-11-23 18:01:38 UTC
This issue was resolved and addressed in
 GLSA 201811-10 at https://security.gentoo.org/glsa/201811-10
by GLSA coordinator Aaron Bauman (b-man).