Google Chrome relase from 27/10-2022 reports a type confusion vulnerability in V8. Vulnerability assigned CVE-2022-3723. "Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild." I assume vulnerabilty affects chromium-bin & Chromium-derivates google-chrome, google-chrome-bin, opera, Vivaldi & microsoft-edge as well. Reproducible: Didn't try
Thanks.
The affected versions of these packages, which are still being distributed by Gentoo, includes a remote code execution vulnerability which has been seen in the wild. The vulnerable packages have not been updated for nearly a month, and don't appear to be being worked on. Should they be masked until they do get the security fix?
*** Bug 879579 has been marked as a duplicate of this bug. ***
(In reply to Ooblick from comment #2) > The affected versions of these packages, which are still being distributed > by Gentoo, includes a remote code execution vulnerability which has been > seen in the wild. > > The vulnerable packages have not been updated for nearly a month, and don't > appear to be being worked on. Should they be masked until they do get the > security fix? They were being worked on and were pushed a few days ago: commit 74692ef14eb7c74deaf262d09acf4d05b491b249 Author: Marek Behún <kabel@kernel.org> Date: Wed Nov 2 12:54:41 2022 +0100 www-client/chromium: promote M107 to stable Signed-off-by: Marek Behún <kabel@kernel.org> Closes: https://github.com/gentoo/gentoo/pull/28100 Signed-off-by: Mike Gilbert <floppym@gentoo.org> commit d14c195edacaa061b80a60b6c786be89dc48e8aa Author: Marek Behún <kabel@kernel.org> Date: Wed Nov 2 12:53:56 2022 +0100 www-client/chromium: beta channel bump to 107.0.5304.87 Signed-off-by: Marek Behún <kabel@kernel.org> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
The Stable channel has been updated to 107.0.5304.110 for Mac and Linux
Are we going to address https://amp-thehackernews-com.cdn.ampproject.org/c/s/amp.thehackernews.com/thn/2022/11/update-chrome-browser-now-to-patch-new.html chromium-bin ebuilds need to be updated.
GLSA request filed, see https://bugs.gentoo.org/876855#c10 wrt edge.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3df173efb2982a5d08d6bff00cd84eb619e793cd commit 3df173efb2982a5d08d6bff00cd84eb619e793cd Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-05-03 09:53:05 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-03 09:54:22 +0000 [ GLSA 202305-10 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/876855 Bug: https://bugs.gentoo.org/878825 Bug: https://bugs.gentoo.org/883031 Bug: https://bugs.gentoo.org/883697 Bug: https://bugs.gentoo.org/885851 Bug: https://bugs.gentoo.org/886479 Bug: https://bugs.gentoo.org/890726 Bug: https://bugs.gentoo.org/890728 Bug: https://bugs.gentoo.org/891501 Bug: https://bugs.gentoo.org/891503 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202305-10.xml | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 143 insertions(+)