Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829190 (CVE-2021-4098, CVE-2021-4099, CVE-2021-4100, CVE-2021-4101, CVE-2021-4102) - <www-client/chromium-96.0.4664.110 <www-client/google-chrome-96.0.4664.110: Multiple vulnerabilities
Summary: <www-client/chromium-96.0.4664.110 <www-client/google-chrome-96.0.4664.110: M...
Status: RESOLVED FIXED
Alias: CVE-2021-4098, CVE-2021-4099, CVE-2021-4100, CVE-2021-4101, CVE-2021-4102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 829191
Blocks:
  Show dependency tree
 
Reported: 2021-12-14 17:28 UTC by Stephan Hartmann (RETIRED)
Modified: 2022-01-31 05:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Hartmann (RETIRED) gentoo-dev 2021-12-14 17:28:57 UTC
Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26

[1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16

[1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19

[1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair  on 2021-10-21

[1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09

Bumps done already.
Comment 1 Larry the Git Cow gentoo-dev 2021-12-15 11:57:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e8530b49fe16e3fc5e669843ba77bd8837838a1

commit 0e8530b49fe16e3fc5e669843ba77bd8837838a1
Author:     Stephan Hartmann <sultan@gentoo.org>
AuthorDate: 2021-12-15 11:56:39 +0000
Commit:     Stephan Hartmann <sultan@gentoo.org>
CommitDate: 2021-12-15 11:56:39 +0000

    www-client/chromium: security cleanup
    
    Bug: https://bugs.gentoo.org/829190
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Stephan Hartmann <sultan@gentoo.org>

 www-client/chromium/Manifest                     |   1 -
 www-client/chromium/chromium-96.0.4664.93.ebuild | 963 -----------------------
 2 files changed, 964 deletions(-)
Comment 2 Stephan Hartmann (RETIRED) gentoo-dev 2021-12-15 12:02:21 UTC
Maybe we should add www-client/microsoft-edge here too:

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel

Fixed version is in ::gentoo already.
Comment 3 Larry the Git Cow gentoo-dev 2022-01-31 05:31:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a5cb3b8ed2294fbfe4dfaf3e992220585c749f25

commit a5cb3b8ed2294fbfe4dfaf3e992220585c749f25
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-01-31 05:00:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-01-31 05:00:26 +0000

    [ GLSA 202201-02 ] Chromium, Google Chrome: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/803167
    Bug: https://bugs.gentoo.org/806223
    Bug: https://bugs.gentoo.org/808715
    Bug: https://bugs.gentoo.org/811348
    Bug: https://bugs.gentoo.org/813035
    Bug: https://bugs.gentoo.org/814221
    Bug: https://bugs.gentoo.org/814617
    Bug: https://bugs.gentoo.org/815673
    Bug: https://bugs.gentoo.org/816984
    Bug: https://bugs.gentoo.org/819054
    Bug: https://bugs.gentoo.org/820689
    Bug: https://bugs.gentoo.org/824274
    Bug: https://bugs.gentoo.org/829190
    Bug: https://bugs.gentoo.org/830642
    Bug: https://bugs.gentoo.org/831624
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202201-02.xml | 257 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 257 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-31 05:35:02 UTC
All done! \o/