Bug 957076 (CVE-2025-5068, CVE-2025-5419) - www-client/chromium, www-client/google-chrome, www-client/microsoft-edge, www-client/opera: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2025-5068, CVE-2025-5419
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Depends on: 956775
Reported: 2025-06-03 05:20 UTC by Matt Jolly
Modified: 2025-06-05 21:40 UTC
Description Matt Jolly gentoo-dev 2025-06-03 05:20:07 UTC
The Stable channel has been updated to 137.0.7151.68 for Linux.

Security Fixes and Rewards

This update includes 3 security fixes.

[N/A][420636529] High CVE-2025-5419: Out of bounds read and write in V8. Reported by Clement Lecigne and Benoît Sevens of Google Threat Analysis Group on 2025-05-27. This issue was mitigated on 2025-05-28 by a configuration change pushed out to Stable across all Chrome platforms.

[$1000][409059706] Medium CVE-2025-5068: Use after free in Blink. Reported by Walkman on 2025-04-07

Google is aware that an exploit for CVE-2025-5419 exists in the wil
Comment 1 Larry the Git Cow gentoo-dev 2025-06-03 07:56:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44aa68b34e37f64a47cf4e79dafe515a2e289b40

commit 44aa68b34e37f64a47cf4e79dafe515a2e289b40
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2025-06-03 07:48:39 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2025-06-03 07:55:21 +0000

    www-client/google-chrome: automated update (137.0.7151.68)
    
    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/google-chrome/Manifest                                       | 2 +-
 ...e-chrome-137.0.7151.55.ebuild => google-chrome-137.0.7151.68.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90b539d92ab95819283b79b21ecc334c981a67b9

commit 90b539d92ab95819283b79b21ecc334c981a67b9
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2025-06-03 07:43:17 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2025-06-03 07:55:21 +0000

    www-client/chromium: add 137.0.7151.68
    
    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 www-client/chromium/Manifest                      |    3 +
 www-client/chromium/chromium-137.0.7151.68.ebuild | 1551 +++++++++++++++++++++
 www-client/chromium/chromium-138.0.7191.0.ebuild  |    2 +-
 3 files changed, 1555 insertions(+), 1 deletion(-)
Comment 2 Sergey 'L29Ah' Alirzaev 2025-06-03 11:56:44 UTC
Isn't qtwebengine also vulnerable to this?
Comment 3 Matt Jolly gentoo-dev 2025-06-03 22:39:51 UTC
(In reply to Sergey 'L29Ah' Alirzaev from comment #2)
> Isn't qtwebengine also vulnerable to this?

Probably. Ionen is very much across the qtwebengine side of things, though we haven't ever discussed including it in the security bugs we log for Chromium et al.

I'm not quite sure where we draw the line though - these are included because I'm maintaining them for the Chromium project. Vivaldi should _probably_ be included here, too; it's a direct Chromium derivative.

If we start including qtwebengine we should also be including falkon, at the very least. This is a bit of a slippery slope - what about electron-based apps? I'd be willing to bet that most of the Chromium vulnerabilities apply to these apps too, especially if they deal with remote content. I'm not sure how to make a determination about whether a given upstream security bug is applicable to forks and derivatives that I'm not maintaining.

CC Ionen, James: Do you want these bugs to also include your packages (and CCs), or should we just maintain the status quo?

@Security: What do _you_ want?
Comment 4 Ionen Wolkens gentoo-dev 2025-06-04 01:11:47 UTC
(In reply to Matt Jolly from comment #3)
> CC Ionen, James: Do you want these bugs to also include your packages (and
> CCs), or should we just maintain the status quo?
Maybe only for the really bad "exploited in the wild" ones like CVE-2025-5419 here.

But we've largely been ignoring security issues with qtwebengine and instead give a permanent warning in the ebuild that it's not secure. Qt just does not do releases often enough to keep up and there'd be no end to downstream work + rebuild for users (in many cases users don't even use it to access remote web pages too but rather display local stuff, it's mostly qutebrowser and falkon users that are at risk).

At a glance Qt hasn't done their own backport yet.
Comment 5 Ionen Wolkens gentoo-dev 2025-06-04 01:37:36 UTC
(In reply to Ionen Wolkens from comment #4)
> At a glance Qt hasn't done their own backport yet.
And on that note, I'll wait for that to do anything. Issue being that qtwebengine uses a much older "base" chromium with security backports -- they also change up a lot of things and omit using large chunks of code (not all CVEs may apply, albeit V8 ones likely all do).

May be simple at times but still means that we need to properly test & adapt everything as chromium's own fixes are meant for the newer version.

Doesn't help that we won't get backports for 6.8.x which is based on a yet older chromium (after Qt x.y.3 it goes private for commercial users). So, if we want to stay simple, that likely means fixing 6.9.1 and stable users will get the fixes in 20-30+ days (can't really do earlier due to 6.9 causing some breakage).
Comment 6 Larry the Git Cow gentoo-dev 2025-06-05 08:46:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94676230c246ba7f32acd763397dd702f3a369d0

commit 94676230c246ba7f32acd763397dd702f3a369d0
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2025-06-05 07:50:47 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2025-06-05 08:26:13 +0000

    dev-qt/qtwebengine: backport CVE-2025-5419 fix
    
    Not the only issue, but this one is known exploited in the wild
    giving it higher priority (rest will likely wait until Qt 6.9.2
    like usual).
    
    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../files/qtwebengine-6.9.1-CVE-2025-5419.patch    | 36 ++++++++++++++++++++++
 ...ne-6.9.1.ebuild => qtwebengine-6.9.1-r1.ebuild} |  1 +
 2 files changed, 37 insertions(+)
Comment 7 James Le Cuirot gentoo-dev 2025-06-05 20:50:49 UTC
(In reply to Matt Jolly from comment #3)
> CC Ionen, James: Do you want these bugs to also include your packages (and
> CCs), or should we just maintain the status quo?

Although I try to avoid concerning you with Vivaldi, I would appreciate it if you could handle this side of it. I don't follow these issues that closely and basically just bump Vivaldi as and when new versions appear. I'm away to do a fresh bump now.
Comment 8 Larry the Git Cow gentoo-dev 2025-06-05 21:40:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19c9c8d48118d1e71207b8d33c9ab130725d61ec

commit 19c9c8d48118d1e71207b8d33c9ab130725d61ec
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2025-06-05 21:38:10 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2025-06-05 21:40:02 +0000

    www-client/vivaldi: Stabilise 7.4.3684.46 on amd64
    
    I only just added this, but it fixes the nasty CVE-2025-5419 vulnerability.
    
    Bug: https://bugs.gentoo.org/957076
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 www-client/vivaldi/vivaldi-7.4.3684.46.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
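
A check against the fixed versions named in the commits above, added here as an example; it is not part of the bug thread or of Gentoo's tooling. The package list is constructed sample data in `category/name-version` form. Treating any higher version as fixed is an assumption, and only dotted-numeric versions with an optional `-rN` revision are compared.

```python
import re

# Fixed versions and the CVEs each is stated to address, from the commits in this bug.
# microsoft-edge and opera are omitted: the thread names no fixed version for them.
FIXED = {
    "www-client/chromium": ("137.0.7151.68", ("CVE-2025-5068", "CVE-2025-5419")),
    "www-client/google-chrome": ("137.0.7151.68", ("CVE-2025-5068", "CVE-2025-5419")),
    "www-client/vivaldi": ("7.4.3684.46", ("CVE-2025-5419",)),
    # The qtwebengine backport covers CVE-2025-5419 only ("Not the only issue").
    "dev-qt/qtwebengine": ("6.9.1-r1", ("CVE-2025-5419",)),
}

ATOM_RE = re.compile(r"^(.+?)-(\d[^/]*)$")           # category/name, then version
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")  # 1.2.3 with optional -rN


def version_key(version):
    """Return a sortable key, or None for suffixes (_p, _rc, ...) not handled here."""
    m = VER_RE.match(version)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def check(installed):
    """Map each installed atom that this bug covers to a status string."""
    report = {}
    for atom in (a.strip() for a in installed):
        m = ATOM_RE.match(atom)
        if not m or m.group(1) not in FIXED:
            continue  # package not named in this bug
        fixed_ver, cves = FIXED[m.group(1)]
        have, want = version_key(m.group(2)), version_key(fixed_ver)
        if have is None:
            report[atom] = "unknown version format, check manually"
        elif have >= want:  # assumption: anything newer carries the fix
            report[atom] = "has fix for " + ", ".join(cves)
        else:
            report[atom] = "needs >= " + fixed_ver + " for " + ", ".join(cves)
    return report


# Constructed sample of installed packages (not taken from a real system).
SAMPLE = ["www-client/chromium-137.0.7151.55", "www-client/google-chrome-137.0.7151.68",
          "dev-qt/qtwebengine-6.9.1", "app-editors/vim-9.1.0"]

if __name__ == "__main__":
    for atom, status in check(SAMPLE).items():
        print(atom + ": " + status)
```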