Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873217 (CVE-2022-3304, CVE-2022-3305, CVE-2022-3306, CVE-2022-3307, CVE-2022-3308, CVE-2022-3309, CVE-2022-3310, CVE-2022-3311, CVE-2022-3312, CVE-2022-3313, CVE-2022-3314, CVE-2022-3315, CVE-2022-3316, CVE-2022-3317, CVE-2022-3318)

Summary: <www-client/chromium-106.0.5249.61 <www-client/chromium-bin-106.0.5249.61 <www-client/google-chrome-106.0.5249.61: Multiple vulnerabilities
Product: Gentoo Security Reporter: Stephan Hartmann (RETIRED) <sultan>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_27.html
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 873223    
Bug Blocks: 873214, 874855    

Description Stephan Hartmann (RETIRED) gentoo-dev 2022-09-27 18:15:25 UTC
[1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01

[1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09

[1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24

[1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27

[1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08

[1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08

[1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29

[1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16

[1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04

[1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06

[1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20

[1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24

[1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05

[1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07

[1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24

[1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
Comment 1 Larry the Git Cow gentoo-dev 2022-10-01 09:58:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a634979cfccf3a758b953f30df483d044396c2dd

commit a634979cfccf3a758b953f30df483d044396c2dd
Author:     Stephan Hartmann <sultan@gentoo.org>
AuthorDate: 2022-10-01 09:57:57 +0000
Commit:     Stephan Hartmann <sultan@gentoo.org>
CommitDate: 2022-10-01 09:58:11 +0000

    www-client/chromium: drop 105.0.5195.125
    
    Bug: https://bugs.gentoo.org/873217
    Signed-off-by: Stephan Hartmann <sultan@gentoo.org>

 www-client/chromium/Manifest                       |    2 -
 www-client/chromium/chromium-105.0.5195.125.ebuild | 1186 --------------------
 .../files/chromium-104-tflite-system-zlib.patch    |   70 --
 3 files changed, 1258 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 16:06:19 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-10-31 01:42:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=dfce1d922a94358986e3eff8611ec64f6ed883e9

commit dfce1d922a94358986e3eff8611ec64f6ed883e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:11:15 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:15 +0000

    [ GLSA 202210-16 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/873217
    Bug: https://bugs.gentoo.org/873817
    Bug: https://bugs.gentoo.org/874855
    Bug: https://bugs.gentoo.org/876855
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-16.xml | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:52 UTC
GLSA released, all done!