Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 928462 (CVE-2024-3156, CVE-2024-3158, CVE-2024-3159)

Summary: <www-client/chromium-123.0.6312.105 <www-client/google-chrome-123.0.6312.105 <www-client/microsoft-edge-123.0.2420.81 <www-client/opera-110.0.5130.23: multiple vulnerabilities
Product: Gentoo Security Reporter: Matt Jolly <kangie>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: chromium, kangie
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 928542, 928543    
Bug Blocks:    

Description Matt Jolly gentoo-dev 2024-04-02 23:21:25 UTC
The Stable channel has been updated to 123.0.6312.105 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 3 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$7000][329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
[$3000][329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
[N/A][330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
Comment 1 Larry the Git Cow gentoo-dev 2024-04-03 00:36:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52b8de1528b627fefd88f0dec80d4b79a5fda44c

commit 52b8de1528b627fefd88f0dec80d4b79a5fda44c
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-04-02 23:13:22 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-04-02 23:24:38 +0000

    www-client/google-chrome: automated update (123.0.6312.105)
    
    Bug: https://bugs.gentoo.org/928462
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...-chrome-123.0.6312.86.ebuild => google-chrome-123.0.6312.105.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-04-03 13:45:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4734c503b5903680329cb45b54c3d708164d0bb6

commit 4734c503b5903680329cb45b54c3d708164d0bb6
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-04-03 10:05:36 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-04-03 13:43:30 +0000

    www-client/chromium: add 123.0.6312.105
    
    Prepare for binpkg by enabling some USE flags by default
    that are often desirable and we don''t want users to need
    to compile for:
    
    - lto
    - screencast (webrtc) - reqs wayland
    - widevine
    
    Bug: https://bugs.gentoo.org/928462
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/chromium/Manifest                       |    2 +
 www-client/chromium/chromium-123.0.6312.105.ebuild | 1438 ++++++++++++++++++++
 2 files changed, 1440 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-04-10 05:45:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6258db5cae130a2cadf86db220fe66d8e25146e

commit a6258db5cae130a2cadf86db220fe66d8e25146e
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-04-10 01:48:34 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-04-10 05:40:54 +0000

    www-client/microsoft-edge: automated bump (123.0.2420.81)
    
    Bug: https://bugs.gentoo.org/928462
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/microsoft-edge/Manifest                 |   1 +
 .../microsoft-edge-123.0.2420.81.ebuild            | 126 +++++++++++++++++++++
 2 files changed, 127 insertions(+)