
Bug 679530

Summary: <www-client/chromium-72.0.3626.121: Use-after-free in FileReader (CVE-2019-5786)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: chromium, info
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: All
URL: https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
Whiteboard: B2 [glsa+ cve]
Package list: www-client/chromium-72.0.3626.121
Runtime testing required: ---
Bug Depends on: 680242
Bug Blocks: 679646

Description Agostino Sarubbo gentoo-dev 2019-03-05 15:24:44 UTC
From ${URL} :

The stable channel has been updated to 72.0.3626.121 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 1 security fix. Please see the Chrome Security Page for more information.
[$N/A][936448] High CVE-2019-5786: Use-after-free in FileReader 


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas Sturmlechner gentoo-dev 2019-03-06 20:51:37 UTC
Also affects dev-qt/qtwebengine.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-06 20:55:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/qt.git/commit/?id=32d376215b9ba05ff3d8abe9b76a36b08b1a6f7b

commit 32d376215b9ba05ff3d8abe9b76a36b08b1a6f7b
Author:     Jimi Huotari <chiitoo@gentoo.org>
AuthorDate: 2019-03-06 20:48:36 +0000
Commit:     Jimi Huotari <chiitoo@gentoo.org>
CommitDate: 2019-03-06 20:50:45 +0000

    dev-qt/qtwebengine: fix CVE-2019-5786
    
    Bug: https://bugs.gentoo.org/679530
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Jimi Huotari <chiitoo@gentoo.org>

 .../files/qtwebengine-5.12.1-CVE-2019-5786.patch   | 29 ++++++++++++++++++++++
 dev-qt/qtwebengine/qtwebengine-5.12.9999.ebuild    |  1 +
 dev-qt/qtwebengine/qtwebengine-5.13.9999.ebuild    |  2 ++
 dev-qt/qtwebengine/qtwebengine-5.9999.ebuild       |  5 +++-
 4 files changed, 36 insertions(+), 1 deletion(-)
Comment 3 Mike Gilbert gentoo-dev 2019-03-06 21:26:41 UTC
(In reply to Andreas Sturmlechner from comment #1)
> Also affects dev-qt/qtwebengine.

Please file a separate bug for that so we can stabilize packages independently.
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-03-06 22:15:09 UTC
Freeing alias for tracker bug.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-07 17:06:57 UTC
amd64 stable
Comment 6 Frédéric Barthelery 2019-03-07 17:27:17 UTC
Is the beta channel affected too? I can't find the info
Comment 7 Mike Gilbert gentoo-dev 2019-03-07 19:35:05 UTC
(In reply to Frédéric Barthelery from comment #6)
> Is the beta channel affected too? I can't find the info

Google does not publish security advisories for the beta channel, and we never mark it stable.
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-03-07 21:13:24 UTC
(In reply to Frédéric Barthelery from comment #6)
> Is the beta channel affected too? I can't find the info

Yes, beta is vulnerable. Fix is:

Beta: https://github.com/chromium/chromium/commit/0b8ac062693ce67019dfef28f76e0c79db8fa0a3

Nightly: https://github.com/chromium/chromium/commit/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449


@ Maintainer(s): Please don't forget to bump beta channel to >=73.0.3683.60.
Comment 9 Mike Gilbert gentoo-dev 2019-03-08 02:47:31 UTC
You don't need to remind me how to maintain a package.
Comment 10 Michael Palimaka (kensington) gentoo-dev 2019-03-11 06:52:53 UTC
Since bug #679650 has been filed to track dev-qt/qtwebengine, I will remove qt@ from CC here.
Comment 11 Mike Gilbert gentoo-dev 2019-03-17 02:50:30 UTC
www-client/chromium-73.0.3683.75 has been added to the repo and will be stabilized under bug 680242.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:23:41 UTC
This issue was resolved and addressed in GLSA 201903-23 at https://security.gentoo.org/glsa/201903-23 by GLSA coordinator Aaron Bauman (b-man).