| Summary: | <www-client/chromium-121.0.6167.85 <www-client/google-chrome-121.0.6167.85 <www-client/microsoft-edge-121.0.2277.83: Multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Jolly <kangie> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ajak, chromium, kangie |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://github.com/gentoo/gentoo/pull/35001 | ||
| Whiteboard: | A3 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 922982, 927746 | ||
| Bug Blocks: | |||
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=854bb6e5e3268bdfbfc94fbdfdfe234afbcbe16c commit 854bb6e5e3268bdfbfc94fbdfdfe234afbcbe16c Author: Matt Jolly <Matt.Jolly@footclan.ninja> AuthorDate: 2023-12-09 00:45:06 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-01-27 07:31:57 +0000 www-client/chromium: add 121.0.6167.85 This update includes a number of changes: - Rust is now a mandatory part of the build - The start of an implementation that enables the use of the bundled toolchain. It likely requires aditional work before it is useful. - Libxml dependency updated to >= 2.12.0 - Dropped legacy gcc fixes Bug: https://bugs.gentoo.org/922903 Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja> Signed-off-by: Sam James <sam@gentoo.org> www-client/chromium/Manifest | 3 + www-client/chromium/chromium-121.0.6167.85.ebuild | 1342 +++++++++++++++++++++ www-client/chromium/metadata.xml | 1 + 3 files changed, 1346 insertions(+) What about unmasking the profiler use flag of rust which is needed to build this version ? (In reply to François Valenduc from comment #2) > What about unmasking the profiler use flag of rust which is needed to build > this version ? We already did: commit 84db944af3d5e48473c5b59b25fd9b14fe6d2cba Author: Matt Jolly <Matt.Jolly@footclan.ninja> Date: Sat Jan 27 18:18:46 2024 +1000 profiles/base: unmask dev-lang/rust[profiler] for stable The profiler is required to build chromium >=121. With the initial justification for masking the USE being somewhat flimsy, in the absence of rust maintainers to tell us otherwise we'll unmask it for stable and deal with any consequences. Bug: https://bugs.gentoo.org/922982 Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja> Closes: https://github.com/gentoo/gentoo/pull/35039 Signed-off-by: Sam James <sam@gentoo.org> Please file new bugs for issues though. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7a125f7a086a739d056063da56386fef4fe01284 commit 7a125f7a086a739d056063da56386fef4fe01284 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-02-19 05:58:06 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-02-19 06:10:22 +0000 [ GLSA 202402-23 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/922062 Bug: https://bugs.gentoo.org/922340 Bug: https://bugs.gentoo.org/922903 Bug: https://bugs.gentoo.org/923370 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202402-23.xml | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) |
The Stable channel has been updated to 121.0.6167.85 for Mac and Linux This update includes 17 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information. [$11000][1505080] High CVE-2024-0807: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25 [$9000][1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19 [$6000][1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24 [$2000][1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26 [$1000][1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11 [$1000][1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30 [$1000][1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25 [TBD][1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01 [TBD][1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03 [N/A][1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21 [TBD][1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31 As usual, our ongoing internal security work was responsible for a wide range of fixes: [1520680] Various fixes from internal audits, fuzzing and other initiatives