Bug 941600 (CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966) - <www-client/chromium-130.0.6723.58, <www-client/google-chrome-130.0.6723.58, <www-client/microsoft-edge-130.0.2849.46, www-client/opera: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://chromereleases.googleblog.com...
Whiteboard:
Keywords:
Depends on: 941720
Blocks:
Reported: 2024-10-16 03:11 UTC by Matt Jolly
Modified: 2024-10-25 23:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matt Jolly gentoo-dev 2024-10-16 03:11:23 UTC
The Stable channel has been updated to 130.0.6723.58 for Linux.

This update includes 17 security fixes. 

[$36000][367755363] High CVE-2024-9954: Use after free in AI. Reported by DarkNavy on 2024-09-18

[$6000][370133761] Medium CVE-2024-9955: Use after free in Web Authentication. Reported by anonymous on 2024-09-29

[$6000][370482421] Medium CVE-2024-9956: Inappropriate implementation in Web Authentication. Reported by mastersplinter on 2024-09-30

[$5000][358151317] Medium CVE-2024-9957: Use after free in UI. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-08

[$5000][40076120] Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture. Reported by Lyra Rebane (rebane2001) on 2023-11-02

[$4000][368672129] Medium CVE-2024-9959: Use after free in DevTools. Reported by Sakana.S on 2024-09-21

[$2000][354748063] Medium CVE-2024-9960: Use after free in Dawn. Reported by Anonymous on 2024-07-23

[$2000][357776197] Medium CVE-2024-9961: Use after free in Parcel Tracking. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-06

[$1000][364508693] Medium CVE-2024-9962: Inappropriate implementation in Permissions. Reported by Shaheen Fazim on 2024-09-04

[TBD][328278718] Medium CVE-2024-9963: Insufficient data validation in Downloads. Reported by Anonymous on 2024-03-06

[$3000][361711121] Low CVE-2024-9964: Inappropriate implementation in Payments. Reported by Hafiizh on 2024-08-23

[$1000][352651673] Low CVE-2024-9965: Insufficient data validation in DevTools. Reported by Shaheen Fazim on 2024-07-12

[$1000][364773822] Low CVE-2024-9966: Inappropriate implementation in Navigations. Reported by Harry Chen on 2024-09-05
Comment 1 Matt Jolly gentoo-dev 2024-10-16 07:41:00 UTC
Might be a while for Chromium; Google's CI has been failing for days.

https://groups.google.com/a/chromium.org/g/chromium-packagers/c/9X0k0IXCkKY
Comment 2 Larry the Git Cow gentoo-dev 2024-10-17 18:26:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f9fe78e9c3310cae4c81c8a50e8fb8e8891cd44

commit 2f9fe78e9c3310cae4c81c8a50e8fb8e8891cd44
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-10-17 18:08:58 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-10-17 18:25:46 +0000

    www-client/google-chrome: automated update (130.0.6723.58)
    
    Bug: https://bugs.gentoo.org/941600
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...-chrome-129.0.6668.100.ebuild => google-chrome-130.0.6723.58.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8193542153403e450b913dd937a82399aedc013b

commit 8193542153403e450b913dd937a82399aedc013b
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-10-17 10:50:59 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-10-17 18:25:46 +0000

    www-client/chromium: add 130.0.6723.58
    
    Bug: https://bugs.gentoo.org/941600
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/chromium/Manifest                      |    4 +
 www-client/chromium/chromium-130.0.6723.58.ebuild | 1562 +++++++++++++++++++++
 2 files changed, 1566 insertions(+)
Comment 3 Matt Jolly gentoo-dev 2024-10-25 23:54:42 UTC
CI still failing; no tarballs have been published since the 21st. I have reached out to the release manager for 130. It seems unlikely that we'll see anything for several days.