Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621886 (CVE-2017-5084, CVE-2017-5087, CVE-2017-5088, CVE-2017-5089) - <www-client/chromium-59.0.3071.104: multiple vulnerabilities
Summary: <www-client/chromium-59.0.3071.104: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-5084, CVE-2017-5087, CVE-2017-5088, CVE-2017-5089
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-16 08:12 UTC by GLSAMaker/CVETool Bot
Modified: 2017-06-20 19:05 UTC (History)
1 user (show)

See Also:
Package list:
www-client/chromium-59.0.3071.104
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-16 08:12:36 UTC
Incoming details
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-16 08:16:01 UTC
On Thursday, June 9, 2017 
=========================
The Stable channel has been updated to 59.0.3071.91, 59.0.3071.92 (Platform version: 9460.60.0, 9460.60.2) for all Chrome OS devices except the Google Chromebook Pixel (2015). This build contains a number of bug fixes, security updates, and feature enhancements. Systems will be receiving updates over the next several days.

Security Fixes:
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

$N/A] [702030] Low CVE-2017-5084: Local access to local files via dbus. Reported by Rory McNamara on 2017-03-17 


On Thursday, June 15, 2017
==========================
The stable channel has been updated to 59.0.3071.104 for Windows, Mac, and Linux.

This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers:

[$10,500][725032] High CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by Ned Williamson on 2017-05-22

[$4,000][729991] High CVE-2017-5088: Out of bounds read in V8. Reported by Xiling Gong of Tencent Security Platform Department on 2017-06-06

[$2,000][714196] Medium CVE-2017-5089: Domain spoofing in Omnibox. Reported by Michał Bentkowski on 2017-04-21.
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-17 15:37:27 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-17 17:27:04 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-20 17:17:00 UTC
Added to an existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 19:05:57 UTC
This issue was resolved and addressed in
 GLSA 201706-20 at https://security.gentoo.org/glsa/201706-20
by GLSA coordinator Kristian Fiskerstrand (K_F).