Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 876855 (CVE-2022-3445, CVE-2022-3446, CVE-2022-3447, CVE-2022-3448, CVE-2022-3449, CVE-2022-3450) - <www-client/chromium-106.0.5249.119 <www-client/chromium-bin-106.0.5249.119 <www-client/google-chrome-106.0.5249.119: Multiple vulnerabilities
Summary: <www-client/chromium-106.0.5249.119 <www-client/chromium-bin-106.0.5249.119 <...
Status: RESOLVED FIXED
Alias: CVE-2022-3445, CVE-2022-3446, CVE-2022-3447, CVE-2022-3448, CVE-2022-3449, CVE-2022-3450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 876871
Blocks:
  Show dependency tree
 
Reported: 2022-10-12 10:28 UTC by Stephan Hartmann (RETIRED)
Modified: 2023-05-03 09:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Hartmann (RETIRED) gentoo-dev 2022-10-12 10:28:01 UTC
[1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16

[1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26

[1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22

[1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13

[1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17

[1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 16:21:39 UTC
For Edge, as of the 11th, "Microsoft is aware of the recent Chromium security fixes. We are actively working on releasing a security fix."

https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#october-11-2022

So still blocked here on Edge I guess. Hopefully they'll release soon.
Comment 2 Larry the Git Cow gentoo-dev 2022-10-31 01:41:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=dfce1d922a94358986e3eff8611ec64f6ed883e9

commit dfce1d922a94358986e3eff8611ec64f6ed883e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:11:15 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:15 +0000

    [ GLSA 202210-16 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/873217
    Bug: https://bugs.gentoo.org/873817
    Bug: https://bugs.gentoo.org/874855
    Bug: https://bugs.gentoo.org/876855
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-16.xml | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
Comment 3 devsk 2022-11-28 01:40:17 UTC
@Stephan Hartmann: Are we going to see a release for chromium-bin that addresses all the latest known CVEs?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-28 02:17:13 UTC
(In reply to devsk from comment #3)
> @Stephan Hartmann: Are we going to see a release for chromium-bin that
> addresses all the latest known CVEs?

The summary indicates that the fixed versions for Chrome, Chromium, and chromium-bin are 106.0.5249.119. Thus, all of these packages is fixed in tree.

What do you mean?
Comment 5 devsk 2022-11-30 18:47:21 UTC
Stephan, The current recommended version for Linux is 107.0.5304.121 as per https://amp-thehackernews-com.cdn.ampproject.org/c/s/amp.thehackernews.com/thn/2022/11/update-chrome-browser-now-to-patch-new.html

I think there are more 0-day CVEs which need to be addressed than this bug is listing.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-30 19:22:24 UTC
(In reply to devsk from comment #5)
> Stephan, The current recommended version for Linux is 107.0.5304.121 as per
> https://amp-thehackernews-com.cdn.ampproject.org/c/s/amp.thehackernews.com/
> thn/2022/11/update-chrome-browser-now-to-patch-new.html
> 
> I think there are more 0-day CVEs which need to be addressed than this bug
> is listing.

I'm not clicking the Google AMP link, but that version is wrong (or at least outdated) even though that apparently posted today. We need a bump to 108.0.5359.71 according to bug 883697.
Comment 7 devsk 2022-12-02 19:55:55 UTC
The point is that both of these versions:

/usr/portage/www-client/chromium-bin/:
total 32
-rw-r--r--  1 root root  480 May 25  2022 metadata.xml
-rw-r--r--  1 root root 7288 Oct 15 20:10 chromium-bin-107.0.5304.29-r1.ebuild
-rw-r--r--  1 root root 7244 Oct 15 20:10 chromium-bin-106.0.5249.119.ebuild

have several 0-day CVEs. We should move quickly.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-02 20:32:41 UTC
(In reply to devsk from comment #7)
> The point is that both of these versions:
> 
> /usr/portage/www-client/chromium-bin/:
> total 32
> -rw-r--r--  1 root root  480 May 25  2022 metadata.xml
> -rw-r--r--  1 root root 7288 Oct 15 20:10
> chromium-bin-107.0.5304.29-r1.ebuild
> -rw-r--r--  1 root root 7244 Oct 15 20:10 chromium-bin-106.0.5249.119.ebuild
> 
> have several 0-day CVEs. We should move quickly.

Patches welcome. The scripts that generate chromium-bin binaries are in chromiumm-tools.git.
Comment 9 devsk 2022-12-03 08:13:49 UTC
(In reply to John Helmert III from comment #8)
> (In reply to devsk from comment #7)
> > The point is that both of these versions:
> > 
> > /usr/portage/www-client/chromium-bin/:
> > total 32
> > -rw-r--r--  1 root root  480 May 25  2022 metadata.xml
> > -rw-r--r--  1 root root 7288 Oct 15 20:10
> > chromium-bin-107.0.5304.29-r1.ebuild
> > -rw-r--r--  1 root root 7244 Oct 15 20:10 chromium-bin-106.0.5249.119.ebuild
> > 
> > have several 0-day CVEs. We should move quickly.
> 
> Patches welcome. The scripts that generate chromium-bin binaries are in
> chromiumm-tools.git.

These are binary builds hosted by Stephan, right? Is he no longer maintaining these? 

Are you asking me if I want to build and host binaries for these?
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 20:24:05 UTC
Due to being hard to effectively track, lets drop Edge here. It's seen many releases which "incorporate the latest Security Updates of the Chromium project" since this bug was opened.

GLSA request filed.
Comment 11 Larry the Git Cow gentoo-dev 2023-05-03 09:54:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3df173efb2982a5d08d6bff00cd84eb619e793cd

commit 3df173efb2982a5d08d6bff00cd84eb619e793cd
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:53:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:22 +0000

    [ GLSA 202305-10 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/876855
    Bug: https://bugs.gentoo.org/878825
    Bug: https://bugs.gentoo.org/883031
    Bug: https://bugs.gentoo.org/883697
    Bug: https://bugs.gentoo.org/885851
    Bug: https://bugs.gentoo.org/886479
    Bug: https://bugs.gentoo.org/890726
    Bug: https://bugs.gentoo.org/890728
    Bug: https://bugs.gentoo.org/891501
    Bug: https://bugs.gentoo.org/891503
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-10.xml | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)