Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927928 (CVE-2024-2883, CVE-2024-2885, CVE-2024-2886, CVE-2024-2887) - <www-client/chromium-123.0.6312.86, <www-client/google-chrome-123.0.6312.86, www-client/microsoft-edge, www-client/opera: multiple vulnerabilities
Summary: <www-client/chromium-123.0.6312.86, <www-client/google-chrome-123.0.6312.86, ...
Status: CONFIRMED
Alias: CVE-2024-2883, CVE-2024-2885, CVE-2024-2886, CVE-2024-2887
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: A2 [stable]
Keywords:
Depends on: 927965
Blocks:
  Show dependency tree
 
Reported: 2024-03-27 03:27 UTC by Matt Jolly
Modified: 2024-03-30 10:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Jolly gentoo-dev 2024-03-27 03:27:55 UTC 
The Stable channel has been updated to 123.0.6312.86 to Linux which will roll out over the coming days/weeks.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 7 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$10000][327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
[TBD][328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
[N/A][330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
[N/A][330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21

[331221727] Various fixes from internal audits, fuzzing and other initiatives
Comment 1 Larry the Git Cow gentoo-dev 2024-03-27 03:31:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=369e473ae345295eb573b977d00100599737a765

commit 369e473ae345295eb573b977d00100599737a765
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-03-27 03:18:25 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-03-27 03:29:15 +0000

    www-client/google-chrome: automated update (123.0.6312.86)
    
    Bug: https://bugs.gentoo.org/927928
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...e-chrome-123.0.6312.58.ebuild => google-chrome-123.0.6312.86.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-03-27 14:34:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2654967dea4583c0facea7f4fdfe013b2a79423

commit d2654967dea4583c0facea7f4fdfe013b2a79423
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-03-27 12:25:00 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-03-27 14:32:37 +0000

    www-client/chromium: add 123.0.6312.86
    
    Backport the 124 rust fixes and binhost/binpkg ebuild
    fixes
    
    Bug: https://bugs.gentoo.org/927928
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/chromium/Manifest                      |    1 +
 www-client/chromium/chromium-123.0.6312.86.ebuild | 1438 +++++++++++++++++++++
 2 files changed, 1439 insertions(+)