"CVE-2022-0796: Use after free in Media87-based Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3482463: Guard BatchingMediaLog::event_handlers_ with lock It seems that despite MediaLog::OnWebMediaPlayerDestroyed and MediaLog::AddLogRecord both grabbing a lock, BatchingMediaLog::AddLogRecordLocked can escape the lock handle by posting BatchingMediaLog::SendQueuedMediaEvents, causing a race. When the addition of an event is interrupted by the deletion of a player due to player culling in MediaInspectorContextImpl, a UAF can occur." https://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?h=87-based&id=ecc2bb74f1f7140fc52650042299be18e826b27b
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e66f923a9e2f5bc4ac35e24502c159cbfe759f6b commit e66f923a9e2f5bc4ac35e24502c159cbfe759f6b Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2022-07-06 09:18:25 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2022-07-06 10:27:27 +0000 dev-qt/qtwebengine: Cleanup vulnerable 5.15.4_p20220526 Bug: https://bugs.gentoo.org/853229 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> dev-qt/qtwebengine/Manifest | 1 - .../qtwebengine-5.15.4_p20220526.ebuild | 280 --------------------- 2 files changed, 281 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5 commit 3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-14 14:29:30 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-14 14:33:57 +0000 [ GLSA 202208-25 ] Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/773040 Bug: https://bugs.gentoo.org/787950 Bug: https://bugs.gentoo.org/800181 Bug: https://bugs.gentoo.org/810781 Bug: https://bugs.gentoo.org/815397 Bug: https://bugs.gentoo.org/828519 Bug: https://bugs.gentoo.org/829161 Bug: https://bugs.gentoo.org/834477 Bug: https://bugs.gentoo.org/835397 Bug: https://bugs.gentoo.org/835761 Bug: https://bugs.gentoo.org/836011 Bug: https://bugs.gentoo.org/836381 Bug: https://bugs.gentoo.org/836777 Bug: https://bugs.gentoo.org/836830 Bug: https://bugs.gentoo.org/837497 Bug: https://bugs.gentoo.org/838049 Bug: https://bugs.gentoo.org/838433 Bug: https://bugs.gentoo.org/838682 Bug: https://bugs.gentoo.org/841371 Bug: https://bugs.gentoo.org/843035 Bug: https://bugs.gentoo.org/843728 Bug: https://bugs.gentoo.org/847370 Bug: https://bugs.gentoo.org/847613 Bug: https://bugs.gentoo.org/848864 Bug: https://bugs.gentoo.org/851003 Bug: https://bugs.gentoo.org/851009 Bug: https://bugs.gentoo.org/853229 Bug: https://bugs.gentoo.org/853643 Bug: https://bugs.gentoo.org/854372 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202208-25.xml | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 284 insertions(+)
GLSA done, all done.