Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 816984 (CVE-2021-37977, CVE-2021-37978, CVE-2021-37979) - <www-client/chromium-94.0.4606.81 <www-client/google-chrome-94.0.4606.81: Multiple vulnerabilities (CVE-2021-{37977,37978,37979})
Summary: <www-client/chromium-94.0.4606.81 <www-client/google-chrome-94.0.4606.81: Mul...
Status: IN_PROGRESS
Alias: CVE-2021-37977, CVE-2021-37978, CVE-2021-37979
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: A2 [glsa?]
Keywords:
Depends on: 816996
Blocks:
  Show dependency tree
 
Reported: 2021-10-08 17:35 UTC by Stephan Hartmann
Modified: 2021-10-11 19:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Hartmann gentoo-dev 2021-10-08 17:35:33 UTC
See ${URL}.

CVE-2021-37980 is for Windows only.
Comment 1 Larry the Git Cow gentoo-dev 2021-10-08 19:32:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4864f73611be3ad9c1d6f3d61ae5def31d84299b

commit 4864f73611be3ad9c1d6f3d61ae5def31d84299b
Author:     Stephan Hartmann <sultan@gentoo.org>
AuthorDate: 2021-10-08 19:31:05 +0000
Commit:     Stephan Hartmann <sultan@gentoo.org>
CommitDate: 2021-10-08 19:31:43 +0000

    www-client/chromium: stable channel bump to 94.0.4606.81
    
    Enable official build by default.
    
    Bug: https://bugs.gentoo.org/816984
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Stephan Hartmann <sultan@gentoo.org>

 www-client/chromium/Manifest                     |   1 +
 www-client/chromium/chromium-94.0.4606.81.ebuild | 943 +++++++++++++++++++++++
 2 files changed, 944 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-10-11 06:29:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b924f713b3df104597d6c0e410ebb016054c99f1

commit b924f713b3df104597d6c0e410ebb016054c99f1
Author:     Stephan Hartmann <sultan@gentoo.org>
AuthorDate: 2021-10-11 06:28:33 +0000
Commit:     Stephan Hartmann <sultan@gentoo.org>
CommitDate: 2021-10-11 06:28:33 +0000

    www-client/chromium: security cleanup
    
    Bug: https://bugs.gentoo.org/816984
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Stephan Hartmann <sultan@gentoo.org>

 www-client/chromium/Manifest                     |   1 -
 www-client/chromium/chromium-94.0.4606.71.ebuild | 943 -----------------------
 2 files changed, 944 deletions(-)
Comment 3 Matt Whitlock 2021-10-11 18:27:24 UTC
(In reply to Larry the Git Cow from comment #1)
>     Enable official build by default.

@Stephan: What's the reason for enabling "official" build by default? Is this required to mitigate the CVEs? If so, then shouldn't the flag be forced on?
Comment 4 Stephan Hartmann gentoo-dev 2021-10-11 19:39:49 UTC
(In reply to Matt Whitlock from comment #3)
> (In reply to Larry the Git Cow from comment #1)
> >     Enable official build by default.
> 
> @Stephan: What's the reason for enabling "official" build by default? Is
> this required to mitigate the CVEs? If so, then shouldn't the flag be forced
> on?

It is not needed to mitigate one of the CVEs here, only recommended upstream to enable it by default for end users. My goal was to avoid a rebuild with the flip and did the change together with a bump.