The Chrome team is delighted to announce the promotion of Chrome 58 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
Chrome 58.0.3029.81 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 58.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 29 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information:
High CVE-2017-5057: Type confusion in PDFium.
High CVE-2017-5058: Heap use after free in Print Preview.
High CVE-2017-5059: Type confusion in Blink.
Medium CVE-2017-5060: URL spoofing in Omnibox.
Medium CVE-2017-5061: URL spoofing in Omnibox.
Medium CVE-2017-5062: Use after free in Chrome Apps.
Medium CVE-2017-5063: Heap overflow in Skia.
Medium CVE-2017-5064: Use after free in Blink.
Medium CVE-2017-5065: Incorrect UI in Blink.
Medium CVE-2017-5066: Incorrect signature handing in Networking.
Medium CVE-2017-5067: URL spoofing in Omnibox.
Low CVE-2017-5069: Cross-origin bypass in Blink.
www-client/google-chrome never gets stabilized, so we don't bother filing security bugs for it.
Changing the summary to www-client/chromium.
(In reply to Mike Gilbert from comment #1)
> www-client/google-chrome never gets stabilized, so we don't bother filing
> security bugs for it.
We should still have it in the summary. Reason is that even non-stable packages need clean-up. Even though I know you clean up both.
(In reply to Yury German from comment #2)
google-chrome distfiles are removed immediately upstream, and the ebuild has RESTRICT="mirror".
Any "cleanup" in the Gentoo side is cosmetic, and happens via a scripted update anyway.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work.
New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Author: Mike Gilbert <firstname.lastname@example.org>
Date: Fri Apr 28 10:52:45 2017 -0400
www-client/chromium: remove old
Package-Manager: Portage-2.3.5_p31, Repoman-2.3.2_p61
www-client/chromium/Manifest | 3 -
www-client/chromium/chromium-57.0.2987.133.ebuild | 645 ---------------------
www-client/chromium/chromium-58.0.3029.14.ebuild | 651 ---------------------
www-client/chromium/chromium-58.0.3029.19.ebuild | 652 ----------------------
4 files changed, 1951 deletions(-)
This issue was resolved and addressed in
GLSA 201705-02 at https://security.gentoo.org/glsa/201705-02
by GLSA coordinator Thomas Deutschmann (whissi).