Bug 679530 - <www-client/chromium-72.0.3626.121: Use-after-free in FileReader (CVE-2019-5786)
Summary: <www-client/chromium-72.0.3626.121: Use-after-free in FileReader (CVE-2019-5786)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on: CVE-2019-5787, CVE-2019-5788, CVE-2019-5789, CVE-2019-5790, CVE-2019-5791, CVE-2019-5792, CVE-2019-5793, CVE-2019-5794, CVE-2019-5795, CVE-2019-5796, CVE-2019-5797, CVE-2019-5798, CVE-2019-5799, CVE-2019-5800, CVE-2019-5801, CVE-2019-5802, CVE-2019-5803, CVE-2019-5804
Blocks: CVE-2019-5786
Reported: 2019-03-05 15:24 UTC by Agostino Sarubbo
Modified: 2019-03-28 02:23 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2019-03-05 15:24:44 UTC
From ${URL}:

The stable channel has been updated to 72.0.3626.121 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 1 security fix. Please see the Chrome Security Page for more information.
[$N/A][936448] High CVE-2019-5786: Use-after-free in FileReader

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas Sturmlechner gentoo-dev 2019-03-06 20:51:37 UTC
Also affects dev-qt/qtwebengine.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-06 20:55:04 UTC
The bug has been referenced in the following commit(s):

commit 32d376215b9ba05ff3d8abe9b76a36b08b1a6f7b
Author:     Jimi Huotari <>
AuthorDate: 2019-03-06 20:48:36 +0000
Commit:     Jimi Huotari <>
CommitDate: 2019-03-06 20:50:45 +0000

    dev-qt/qtwebengine: fix CVE-2019-5786
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Jimi Huotari <>

 .../files/qtwebengine-5.12.1-CVE-2019-5786.patch   | 29 ++++++++++++++++++++++
 dev-qt/qtwebengine/qtwebengine-5.12.9999.ebuild    |  1 +
 dev-qt/qtwebengine/qtwebengine-5.13.9999.ebuild    |  2 ++
 dev-qt/qtwebengine/qtwebengine-5.9999.ebuild       |  5 +++-
 4 files changed, 36 insertions(+), 1 deletion(-)
Comment 3 Mike Gilbert gentoo-dev 2019-03-06 21:26:41 UTC
(In reply to Andreas Sturmlechner from comment #1)
> Also affects dev-qt/qtwebengine.

Please file a separate bug for that so we can stabilize packages independently.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-06 22:15:09 UTC
Freeing alias for tracker bug.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-07 17:06:57 UTC
amd64 stable
Comment 6 Frédéric Barthelery 2019-03-07 17:27:17 UTC
Is the beta channel affected too? I can't find the info.
Comment 7 Mike Gilbert gentoo-dev 2019-03-07 19:35:05 UTC
(In reply to Frédéric Barthelery from comment #6)
> Is the beta channel affected too? I can't find the info.

Google does not publish security advisories for the beta channel, and we never mark it stable.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-07 21:13:24 UTC
(In reply to Frédéric Barthelery from comment #6)
> Is the beta channel affected too? I can't find the info.

Yes, beta is vulnerable. Fix is:
@ Maintainer(s): Please don't forget to bump beta channel to >=73.0.3683.60.
Comment 9 Mike Gilbert gentoo-dev 2019-03-08 02:47:31 UTC
You don't need to remind me how to maintain a package.
Comment 10 Michael Palimaka (kensington) gentoo-dev 2019-03-11 06:52:53 UTC
Since bug #679650 has been filed to track dev-qt/qtwebengine, I will remove qt@ from CC here.
Comment 11 Mike Gilbert gentoo-dev 2019-03-17 02:50:30 UTC
www-client/chromium-73.0.3683.75 has been added to the repo and will be stabilized under bug 680242.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:23:41 UTC
This issue was resolved and addressed in
GLSA 201903-23 at
by GLSA coordinator Aaron Bauman (b-man).