The Stable channel has been updated to 137.0.7151.68 for Linux.

Security Fixes and Rewards

This update includes 3 security fixes.

[N/A][420636529] High CVE-2025-5419: Out of bounds read and write in V8. Reported by Clement Lecigne and Benoît Sevens of Google Threat Analysis Group on 2025-05-27. This issue was mitigated on 2025-05-28 by a configuration change pushed out to Stable across all Chrome platforms.

[$1000][409059706] Medium CVE-2025-5068: Use after free in Blink. Reported by Walkman on 2025-04-07

Google is aware that an exploit for CVE-2025-5419 exists in the wil
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44aa68b34e37f64a47cf4e79dafe515a2e289b40

commit 44aa68b34e37f64a47cf4e79dafe515a2e289b40
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2025-06-03 07:48:39 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2025-06-03 07:55:21 +0000

    www-client/google-chrome: automated update (137.0.7151.68)

    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/google-chrome/Manifest | 2 +-
 ...e-chrome-137.0.7151.55.ebuild => google-chrome-137.0.7151.68.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90b539d92ab95819283b79b21ecc334c981a67b9

commit 90b539d92ab95819283b79b21ecc334c981a67b9
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2025-06-03 07:43:17 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2025-06-03 07:55:21 +0000

    www-client/chromium: add 137.0.7151.68

    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/chromium/Manifest | 3 +
 www-client/chromium/chromium-137.0.7151.68.ebuild | 1551 +++++++++++++++++++++
 www-client/chromium/chromium-138.0.7191.0.ebuild | 2 +-
 3 files changed, 1555 insertions(+), 1 deletion(-)
Isn't qtwebengine also vulnerable to this?
(In reply to Sergey 'L29Ah' Alirzaev from comment #2)
> Isn't qtwebengine also vulnerable to this?

Probably. Ionen is very much across the qtwebengine side of things, though we haven't ever discussed including it in the security bugs we log for Chromium et al.

I'm not quite sure where we draw the line though - these are included because I'm maintaining them for the Chromium project. Vivaldi should _probably_ be included here, too; it's a direct Chromium derivative. If we start including qtwebengine we should also be including falkon, at the very least.

This is a bit of a slippery slope - what about electron-based apps? I'd be willing to bet that most of the Chromium vulnerabilities apply to these apps too, especially if they deal with remote content. I'm not sure how to make a determination about whether a given upstream security bug is applicable to forks and derivatives that I'm not maintaining.

CC Ionen, James: Do you want these bugs to also include your packages (and CCs), or should we just maintain the status quo?

@Security: What do _you_ want?
(In reply to Matt Jolly from comment #3)
> CC Ionen, James: Do you want these bugs to also include your packages (and
> CCs), or should we just maintain the status quo?

Maybe only for the really bad "exploited in the wild" ones like CVE-2025-5419 here.

But we've largely been ignoring security issues with qtwebengine and instead give a permanent warning in the ebuild that it's not secure. Qt just does not do releases often enough to keep up and there'd be no end to downstream work + rebuild for users (in many cases users don't even use it to access remote web pages too but rather display local stuff, it's mostly qutebrowser and falkon users that are at risk).

At a glance Qt hasn't done their own backport yet.
(In reply to Ionen Wolkens from comment #4)
> At a glance Qt hasn't done their own backport yet.

And on that note, I'll wait for that to do anything.

Issue being that qtwebengine uses a much older "base" chromium with security backports -- they also change up a lot of things and omit using large chunks of code (not all CVEs may apply, albeit V8 ones likely all do). May be simple at times but still means that we need to properly test & adapt everything as chromium's own fixes are meant for the newer version.

Doesn't help that we won't get backports for 6.8.x which is based on a yet older chromium (after Qt x.y.3 it goes private for commercial users). So, if want to stay simple, that likely means fixing 6.9.1 and stable users will get the fixes in 20-30+ days (can't really do earlier due to 6.9 causing some breakage).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94676230c246ba7f32acd763397dd702f3a369d0

commit 94676230c246ba7f32acd763397dd702f3a369d0
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2025-06-05 07:50:47 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2025-06-05 08:26:13 +0000

    dev-qt/qtwebengine: backport CVE-2025-5419 fix

    Not the only issue, but this one is known exploited in the wild
    giving it higher priority (rest will likely wait until Qt 6.9.2
    like usual).

    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../files/qtwebengine-6.9.1-CVE-2025-5419.patch | 36 ++++++++++++++++++++++
 ...ne-6.9.1.ebuild => qtwebengine-6.9.1-r1.ebuild} | 1 +
 2 files changed, 37 insertions(+)
(In reply to Matt Jolly from comment #3)
> CC Ionen, James: Do you want these bugs to also include your packages (and
> CCs), or should we just maintain the status quo?

Although I try to avoid concerning you with Vivaldi, I would appreciate it if you could handle this side of it. I don't follow these issues that closely and basically just bump Vivaldi as and when new versions appear. I'm away to do a fresh bump now.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19c9c8d48118d1e71207b8d33c9ab130725d61ec

commit 19c9c8d48118d1e71207b8d33c9ab130725d61ec
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2025-06-05 21:38:10 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2025-06-05 21:40:02 +0000

    www-client/vivaldi: Stabilise 7.4.3684.46 on amd64

    I only just added this, but it fixes the nasty CVE-2025-5419 vulnerability.

    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 www-client/vivaldi/vivaldi-7.4.3684.46.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)