From ${URL} : The stable channel has been updated to 49.0.2623.108 for Windows, Mac, and Linux. Security Fixes and Rewards Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed. This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information. [$7500][594574] High CVE-2016-1646: Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab. [$5500][590284] High CVE-2016-1647: Use-after-free in Navigation. Credit to anonymous. [$5000][590455] High CVE-2016-1648: Use-after-free in Extensions. Credit to anonymous. [595836] High CVE-2016-1649: Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own. As usual, our ongoing internal security work was responsible for a wide range of fixes: [597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives. Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.33). @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
chromium-49.0.2623.108 has been added and may be stabilized.
@arches, please stabilize the following: =www-client/chromium-49.0.2623.108
CVE-2016-1650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1650): Various fixes from internal audits, fuzzing and other initiatives. CVE-2016-1649 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1649): Buffer overflow in libANGLE. Credit to lokihardt working with HP’s Zero Day Initiative / Pwn2Own. CVE-2016-1648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1648): Use-after-free in Extensions. Credit to anonymous. CVE-2016-1647 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1647): Use-after-free in Navigation. Credit to anonymous. CVE-2016-1646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1646): Out-of-bounds read in V8. Credit to Wen Xu from Tencent KeenLab.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
GLSA request opened. @arches, thanks!
This issue was resolved and addressed in GLSA 201605-02 at https://security.gentoo.org/glsa/201605-02 by GLSA coordinator Yury German (BlueKnight).