Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 816984 (CVE-2021-37977, CVE-2021-37978, CVE-2021-37979)

Summary: <www-client/chromium-94.0.4606.81 <www-client/google-chrome-94.0.4606.81: Multiple vulnerabilities (CVE-2021-{37977,37978,37979})
Product: Gentoo Security Reporter: Stephan Hartmann <sultan>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: chromium
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html
Whiteboard: A2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 816996    
Bug Blocks:    

Description Stephan Hartmann gentoo-dev 2021-10-08 17:35:33 UTC
See ${URL}.

CVE-2021-37980 is for Windows only.
Comment 1 Larry the Git Cow gentoo-dev 2021-10-08 19:32:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4864f73611be3ad9c1d6f3d61ae5def31d84299b

commit 4864f73611be3ad9c1d6f3d61ae5def31d84299b
Author:     Stephan Hartmann <sultan@gentoo.org>
AuthorDate: 2021-10-08 19:31:05 +0000
Commit:     Stephan Hartmann <sultan@gentoo.org>
CommitDate: 2021-10-08 19:31:43 +0000

    www-client/chromium: stable channel bump to 94.0.4606.81
    
    Enable official build by default.
    
    Bug: https://bugs.gentoo.org/816984
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Stephan Hartmann <sultan@gentoo.org>

 www-client/chromium/Manifest                     |   1 +
 www-client/chromium/chromium-94.0.4606.81.ebuild | 943 +++++++++++++++++++++++
 2 files changed, 944 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-10-11 06:29:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b924f713b3df104597d6c0e410ebb016054c99f1

commit b924f713b3df104597d6c0e410ebb016054c99f1
Author:     Stephan Hartmann <sultan@gentoo.org>
AuthorDate: 2021-10-11 06:28:33 +0000
Commit:     Stephan Hartmann <sultan@gentoo.org>
CommitDate: 2021-10-11 06:28:33 +0000

    www-client/chromium: security cleanup
    
    Bug: https://bugs.gentoo.org/816984
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Stephan Hartmann <sultan@gentoo.org>

 www-client/chromium/Manifest                     |   1 -
 www-client/chromium/chromium-94.0.4606.71.ebuild | 943 -----------------------
 2 files changed, 944 deletions(-)
Comment 3 Matt Whitlock 2021-10-11 18:27:24 UTC
(In reply to Larry the Git Cow from comment #1)
>     Enable official build by default.

@Stephan: What's the reason for enabling "official" build by default? Is this required to mitigate the CVEs? If so, then shouldn't the flag be forced on?
Comment 4 Stephan Hartmann gentoo-dev 2021-10-11 19:39:49 UTC
(In reply to Matt Whitlock from comment #3)
> (In reply to Larry the Git Cow from comment #1)
> >     Enable official build by default.
> 
> @Stephan: What's the reason for enabling "official" build by default? Is
> this required to mitigate the CVEs? If so, then shouldn't the flag be forced
> on?

It is not needed to mitigate one of the CVEs here, only recommended upstream to enable it by default for end users. My goal was to avoid a rebuild with the flip and did the change together with a bump.