Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 904560 (CVE-2023-2133, CVE-2023-2134, CVE-2023-2135, CVE-2023-2136, CVE-2023-2137) - <www-client/chromium-112.0.5615.165 <www-client/google-chrome-112.0.5615.165 <www-client/microsoft-edge-112.0.1722.58: Multiple vulnerabilities. Exploit exists.
Summary: <www-client/chromium-112.0.5615.165 <www-client/google-chrome-112.0.5615.165 ...
Status: RESOLVED FIXED
Alias: CVE-2023-2133, CVE-2023-2134, CVE-2023-2135, CVE-2023-2136, CVE-2023-2137
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 904838
Blocks:
  Show dependency tree
 
Reported: 2023-04-19 07:39 UTC by gentoo
Modified: 2023-09-30 09:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description gentoo 2023-04-19 07:39:51 UTC
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html

Google is aware that an exploit for CVE-2023-2136 exists in the wild.

[$8000][1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API.

[$8000][1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API.

[$3000][1424337] High CVE-2023-2135: Use after free in DevTools.

[$NA][1432603] High CVE-2023-2136: Integer overflow in Skia.

[$1000][1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 07:43:56 UTC
fwiw we use < ... in the summary when there's a fixed version in tree
Comment 2 Larry the Git Cow gentoo-dev 2023-04-22 23:29:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b80bfab7c8aba8c3a358b2fa87a1e00e335376d3

commit b80bfab7c8aba8c3a358b2fa87a1e00e335376d3
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2023-04-22 23:26:46 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-04-22 23:28:44 +0000

    www-client/chromium: add 112.0.5615.165
    
    Bug: https://bugs.gentoo.org/904455
    Bug: https://bugs.gentoo.org/904725
    Bug: https://bugs.gentoo.org/904560
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 www-client/chromium/Manifest                       |    1 +
 www-client/chromium/chromium-112.0.5615.165.ebuild | 1259 ++++++++++++++++++++
 .../chromium/files/chromium-112-swiftshader.patch  |   74 ++
 3 files changed, 1334 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 00:04:41 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2023-06-10 05:31:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab0da6660785c2f89a93ffda79f5ec7169378003

commit ab0da6660785c2f89a93ffda79f5ec7169378003
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-10 05:29:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-10 05:30:32 +0000

    www-client/chromium: drop 112.0.5615.165, 113.0.5672.63, 113.0.5672.92
    
    Bug: https://bugs.gentoo.org/906586
    Bug: https://bugs.gentoo.org/905620
    Bug: https://bugs.gentoo.org/904560
    Signed-off-by: Sam James <sam@gentoo.org>

 www-client/chromium/Manifest                       |    4 -
 www-client/chromium/chromium-112.0.5615.165.ebuild | 1261 -------------------
 www-client/chromium/chromium-113.0.5672.63.ebuild  | 1265 --------------------
 www-client/chromium/chromium-113.0.5672.92.ebuild  | 1265 --------------------
 .../chromium/files/chromium-112-compiler.patch     |  256 ----
 .../files/chromium-112-gcc-mno-outline.patch       |   29 -
 .../chromium/files/chromium-112-libstdc++-1.patch  |   59 -
 .../chromium/files/chromium-112-libstdc++.patch    |   63 -
 .../chromium/files/chromium-112-sql-relax.patch    |   46 -
 .../chromium/files/chromium-112-swiftshader.patch  |  122 --
 10 files changed, 4370 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2023-09-30 08:57:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=de793de405f9e13d0d29d94de3f236ce0b5b3338

commit de793de405f9e13d0d29d94de3f236ce0b5b3338
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-30 08:56:23 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-30 08:57:27 +0000

    [ GLSA 202309-17 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/893660
    Bug: https://bugs.gentoo.org/904252
    Bug: https://bugs.gentoo.org/904394
    Bug: https://bugs.gentoo.org/904560
    Bug: https://bugs.gentoo.org/905297
    Bug: https://bugs.gentoo.org/905620
    Bug: https://bugs.gentoo.org/905883
    Bug: https://bugs.gentoo.org/906586
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-17.xml | 152 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 152 insertions(+)