Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 878825 (CVE-2022-3723) - <www-client/chromium-107.0.5304.87 <www-client/google-chrome-107.0.5304.87 <www-client/chromium-bin-108.0.5359.124: multiple vulnerabilities
Summary: <www-client/chromium-107.0.5304.87 <www-client/google-chrome-107.0.5304.87 <w...
Status: IN_PROGRESS
Alias: CVE-2022-3723
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: A2 [glsa]
Keywords: PullRequest
: 879579 (view as bug list)
Depends on: 879957
Blocks:
  Show dependency tree
 
Reported: 2022-10-30 13:48 UTC by Michael
Modified: 2023-01-25 20:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael 2022-10-30 13:48:56 UTC 
Google Chrome relase from 27/10-2022 reports a type confusion vulnerability in V8. Vulnerability assigned CVE-2022-3723.
"Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild."
I assume vulnerabilty affects chromium-bin & Chromium-derivates google-chrome, google-chrome-bin, opera, Vivaldi & microsoft-edge as well.

Reproducible: Didn't try
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-30 18:53:02 UTC 
Thanks.
Comment 2 Ooblick 2022-11-04 07:05:43 UTC 
The affected versions of these packages, which are still being distributed by Gentoo, includes a remote code execution vulnerability which has been seen in the wild.

The vulnerable packages have not been updated for nearly a month, and don't appear to be being worked on. Should they be masked until they do get the security fix?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-06 06:09:29 UTC 
*** Bug 879579 has been marked as a duplicate of this bug. ***
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-06 06:09:56 UTC 
(In reply to Ooblick from comment #2)
> The affected versions of these packages, which are still being distributed
> by Gentoo, includes a remote code execution vulnerability which has been
> seen in the wild.
> 
> The vulnerable packages have not been updated for nearly a month, and don't
> appear to be being worked on. Should they be masked until they do get the
> security fix?

They were being worked on and were pushed a few days ago:

commit 74692ef14eb7c74deaf262d09acf4d05b491b249
Author: Marek Behún <kabel@kernel.org>
Date:   Wed Nov 2 12:54:41 2022 +0100

    www-client/chromium: promote M107 to stable

    Signed-off-by: Marek Behún <kabel@kernel.org>
    Closes: https://github.com/gentoo/gentoo/pull/28100
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

commit d14c195edacaa061b80a60b6c786be89dc48e8aa
Author: Marek Behún <kabel@kernel.org>
Date:   Wed Nov 2 12:53:56 2022 +0100

    www-client/chromium: beta channel bump to 107.0.5304.87

    Signed-off-by: Marek Behún <kabel@kernel.org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Comment 5 wbrana 2022-11-10 18:35:24 UTC 
The Stable channel has been updated to 107.0.5304.110 for Mac and Linux
Comment 6 devsk 2022-11-25 18:58:52 UTC 
Are we going to address https://amp-thehackernews-com.cdn.ampproject.org/c/s/amp.thehackernews.com/thn/2022/11/update-chrome-browser-now-to-patch-new.html

chromium-bin ebuilds need to be updated.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 20:26:14 UTC 
GLSA request filed, see https://bugs.gentoo.org/876855#c10 wrt edge.