Bug 666502 (CVE-2018-17458, CVE-2018-17459) - <www-client/chromium-69.0.3497.100: multiple vulnerabilities
Summary: <www-client/chromium-69.0.3497.100: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-17458, CVE-2018-17459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Reported: 2018-09-18 19:47 UTC by Mike Gilbert
Modified: 2018-11-23 18:01 UTC

Package list:
www-client/chromium-69.0.3497.100
Runtime testing required: ---
stable-bot: sanity-check+


Description Mike Gilbert gentoo-dev 2018-09-18 19:47:29 UTC
https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop_11.html

The stable channel has been updated to 69.0.3497.92 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 2 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$3000][875322] High (CVE to be assigned): Function signature mismatch in WebAssembly. Reported by Kevin Cheung from Autodesk on 2018-08-17

[$TBD][880759] Medium (CVE to be assigned): URL Spoofing in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-09-05


https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop_17.html

The stable channel has been updated to 69.0.3497.100 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 1 security fix from our ongoing internal security work:
[884726] Fixes from internal audits, fuzzing and other initiatives
Comment 1 Larry the Git Cow gentoo-dev 2018-09-18 23:28:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd87e959015a2e89664ffd6bf789b85d644f63e5

commit dd87e959015a2e89664ffd6bf789b85d644f63e5
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2018-09-18 23:28:23 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2018-09-18 23:28:23 +0000

    www-client/chromium: amd64 stable
    
    Bug: https://bugs.gentoo.org/666502
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 www-client/chromium/chromium-69.0.3497.100.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Richard Freeman gentoo-dev 2018-09-18 23:29:18 UTC
amd64 stable
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2018-11-09 23:44:21 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-11-23 18:01:38 UTC
This issue was resolved and addressed in
 GLSA 201811-10 at https://security.gentoo.org/glsa/201811-10
by GLSA coordinator Aaron Bauman (b-man).