Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 915560 (CVE-2023-5218, CVE-2023-5473, CVE-2023-5474, CVE-2023-5475, CVE-2023-5476, CVE-2023-5477, CVE-2023-5478, CVE-2023-5479, CVE-2023-5481, CVE-2023-5483, CVE-2023-5484, CVE-2023-5485, CVE-2023-5486, CVE-2023-5487) - <www-client/chromium-118.0.5993.70 <www-client/google-chrome-118.0.5993.70 <www-client/microsoft-edge-118.0.2088.46: Multiple vulnerabilities
Summary: <www-client/chromium-118.0.5993.70 <www-client/google-chrome-118.0.5993.70 <w...
Status: RESOLVED FIXED
Alias: CVE-2023-5218, CVE-2023-5473, CVE-2023-5474, CVE-2023-5475, CVE-2023-5476, CVE-2023-5477, CVE-2023-5478, CVE-2023-5479, CVE-2023-5481, CVE-2023-5483, CVE-2023-5484, CVE-2023-5485, CVE-2023-5486, CVE-2023-5487
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard: A2 [glsa+]
Keywords: PullRequest
: 915584 (view as bug list)
Depends on: 915465 916016
Blocks:
  Show dependency tree
 
Reported: 2023-10-10 20:45 UTC by Sam James
Modified: 2024-01-31 15:44 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-10 20:45:11 UTC
This update includes 20 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[TBD][1487110] Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27

[$5000][1062251] Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17

[$5000][1414936] Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11

[$2000][1476952] Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30

[$1000][1425355] Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17

[$1000][1458934] Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28

[$1000][1474253] Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20

[$1000][1483194] Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15

[$500][1471253] Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09

[$6000][1395164] Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02

[$3000][1472404] Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12

[$3000][1472558] Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13

[$1000][1357442] Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29

[$1000][1484000] Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-10 20:46:21 UTC
Please bump to 118.0.5993.70.

Note that some extra stuff is needed:
[17:49:08]  <sultan> Kangie: Yesterdays stable cut of M118 missed three patches
[17:49:31]  <sultan> https://chromium.googlesource.com/chromium/src/+/60e39e7dbe956ab78ef3745981cc05e16683d934 (probably not critical)
[17:49:57]  <sultan> https://chromium-review.googlesource.com/c/chromium/src/+/4926575 (critical)
[17:50:41]  <sultan> https://pdfium.googlesource.com/pdfium/+/e3593d6470b21372772459968aec121dcc6d885d (looks like Windows only)
[17:53:01]  <sultan> Hope that helps.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 09:12:33 UTC
*** Bug 915584 has been marked as a duplicate of this bug. ***
Comment 3 Larry the Git Cow gentoo-dev 2023-10-12 06:24:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb0eea1ee35033113d7af9c3d629f91814c2db2

commit 3fb0eea1ee35033113d7af9c3d629f91814c2db2
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-10-11 10:45:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-12 06:23:34 +0000

    www-client/chromium: add 118.0.5993.70
    
    Bug: https://bugs.gentoo.org/915560
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-client/chromium/Manifest                      |    3 +
 www-client/chromium/chromium-118.0.5993.70.ebuild | 1221 +++++++++++++++++++++
 2 files changed, 1224 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-12 06:29:56 UTC
google-chrome still needs doing
Comment 5 Larry the Git Cow gentoo-dev 2023-10-12 10:46:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=313e9df7edaacb617dd623309b594ec720033460

commit 313e9df7edaacb617dd623309b594ec720033460
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-10-12 06:58:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-12 10:42:39 +0000

    www-plugins/chrome-binary-plugins: automated update (118.0.5993.70)
    
    Bug: https://bugs.gentoo.org/915560
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/33308
    Signed-off-by: Sam James <sam@gentoo.org>

 www-plugins/chrome-binary-plugins/Manifest                              | 2 +-
 ...117.0.5938.149.ebuild => chrome-binary-plugins-118.0.5993.70.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc18e39ea86af9528193a81a06501a695a91e6ac

commit cc18e39ea86af9528193a81a06501a695a91e6ac
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-10-12 06:58:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-12 10:42:35 +0000

    www-client/google-chrome: automated update (118.0.5993.70)
    
    Bug: https://bugs.gentoo.org/915560
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...-chrome-117.0.5938.149.ebuild => google-chrome-118.0.5993.70.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2024-01-31 15:40:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8064a0b694d29fb2fca491d65494098fb43c2ffa

commit 8064a0b694d29fb2fca491d65494098fb43c2ffa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 15:39:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 15:39:35 +0000

    [ GLSA 202401-34 ] Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/907999
    Bug: https://bugs.gentoo.org/908471
    Bug: https://bugs.gentoo.org/909283
    Bug: https://bugs.gentoo.org/910522
    Bug: https://bugs.gentoo.org/911675
    Bug: https://bugs.gentoo.org/912364
    Bug: https://bugs.gentoo.org/913016
    Bug: https://bugs.gentoo.org/913710
    Bug: https://bugs.gentoo.org/914350
    Bug: https://bugs.gentoo.org/914871
    Bug: https://bugs.gentoo.org/915137
    Bug: https://bugs.gentoo.org/915560
    Bug: https://bugs.gentoo.org/915961
    Bug: https://bugs.gentoo.org/916252
    Bug: https://bugs.gentoo.org/916620
    Bug: https://bugs.gentoo.org/917021
    Bug: https://bugs.gentoo.org/917357
    Bug: https://bugs.gentoo.org/918882
    Bug: https://bugs.gentoo.org/919321
    Bug: https://bugs.gentoo.org/919802
    Bug: https://bugs.gentoo.org/920442
    Bug: https://bugs.gentoo.org/921337
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-34.xml | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 229 insertions(+)