Bug 914350 (CVE-2023-4900, CVE-2023-4901, CVE-2023-4902, CVE-2023-4903, CVE-2023-4904, CVE-2023-4905, CVE-2023-4906, CVE-2023-4907, CVE-2023-4908, CVE-2023-4909)

Summary:	<www-client/chromium-117.0.5938.88 <www-client/google-chrome-117.0.5938.88 <www-client/microsoft-edge-117.0.2045.31: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Matt Jolly <kangie>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ajak, chromium, kangie
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
See Also:	https://github.com/gentoo/gentoo/pull/32877
Whiteboard:	A2 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	914778
Bug Blocks:

Description Matt Jolly gentoo-dev

2023-09-17 10:57:00 UTC

[$3000][1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06

[$3000][1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29

[$2000][1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14

[$1000][1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18

[$1000][1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09

[$500][1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29

[$6000][1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30

[$2000][1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639)  on 2023-07-04

[$TBD][1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06

[$TBD][1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09

This technically covers https://bugs.gentoo.org/914010 too, but as discussed we use system libwebp and we're not vulnerable.

Comment 1 Matt Jolly gentoo-dev

2023-09-17 22:32:37 UTC

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html

Comment 2 Sam James archtester

2023-09-18 00:16:19 UTC

fwiw we only put fixed versions in tree in the summary, so just bare 'www-client/chromium' for now

Comment 3 Larry the Git Cow gentoo-dev

2023-09-18 01:28:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0dea65dfb708e0d2fd79f222d487a7439255f911

commit 0dea65dfb708e0d2fd79f222d487a7439255f911
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-09-17 09:37:04 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-09-18 01:26:15 +0000

    www-client/chromium: add 117.0.5938.88
    
    - added USE=system-zstd
    - USE=system-* moved to IUSE_SYSTEM_LIBS
    
    Bug: https://bugs.gentoo.org/914350
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/32877
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 www-client/chromium/Manifest                      |    2 +-
 www-client/chromium/chromium-117.0.5938.88.ebuild | 1275 +++++++++++++++++++++
 www-client/chromium/metadata.xml                  |   11 +-
 3 files changed, 1282 insertions(+), 6 deletions(-)

Comment 4 Larry the Git Cow gentoo-dev

2024-01-31 15:39:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8064a0b694d29fb2fca491d65494098fb43c2ffa

commit 8064a0b694d29fb2fca491d65494098fb43c2ffa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 15:39:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 15:39:35 +0000

    [ GLSA 202401-34 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/907999
    Bug: https://bugs.gentoo.org/908471
    Bug: https://bugs.gentoo.org/909283
    Bug: https://bugs.gentoo.org/910522
    Bug: https://bugs.gentoo.org/911675
    Bug: https://bugs.gentoo.org/912364
    Bug: https://bugs.gentoo.org/913016
    Bug: https://bugs.gentoo.org/913710
    Bug: https://bugs.gentoo.org/914350
    Bug: https://bugs.gentoo.org/914871
    Bug: https://bugs.gentoo.org/915137
    Bug: https://bugs.gentoo.org/915560
    Bug: https://bugs.gentoo.org/915961
    Bug: https://bugs.gentoo.org/916252
    Bug: https://bugs.gentoo.org/916620
    Bug: https://bugs.gentoo.org/917021
    Bug: https://bugs.gentoo.org/917357
    Bug: https://bugs.gentoo.org/918882
    Bug: https://bugs.gentoo.org/919321
    Bug: https://bugs.gentoo.org/919802
    Bug: https://bugs.gentoo.org/920442
    Bug: https://bugs.gentoo.org/921337
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-34.xml | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 229 insertions(+)