Bug 19582

Summary: chromium-browser-stable new security issues fixed in 54.0.2840.100
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: cjw, jim, lewyssmith, sysadmin-bugs, tmb, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/703767/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: chromium-browser-stable-53.0.2785.143-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-10-13 15:05:57 CEST 
Upstream has released version 54.0.2840.59 on October 12:
https://googlechromereleases.blogspot.com/2016/10/stable-channel-update-for-desktop.html

This fixes several new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
David Walser 2016-10-17 18:29:58 CEST

URL: (none) => http://lwn.net/Vulnerabilities/703767/

Comment 1 David Walser 2016-10-31 20:20:08 CET 
Upstream has released 54.0.2840.71 on October 20:
https://googlechromereleases.blogspot.com/2016/10/stable-channel-update-for-desktop_20.html

It is a bugfix release.
Comment 2 Christiaan Welvaart 2016-11-01 20:22:15 CET 
chromium 54 does not compile with ffmpeg 2.8.x. It builds with ffmpeg 3.1.x.

../../media/ffmpeg/ffmpeg_common.cc:772:58: error: âAVCOL_PRI_SMPTEST428_1â was not declared in this scope
../../media/ffmpeg/ffmpeg_common.cc:777:59: error: âAVCOL_TRC_SMPTEST2084â was not declared in this scope
../../media/ffmpeg/ffmpeg_common.cc:777:59: error: âAVCOL_TRC_SMPTEST428_1â was not declared in this scope
Comment 3 David Walser 2016-11-01 22:13:46 CET 
We still need to upgrade Cauldron to at least 3.1 (3.2 is out now and should be compatible).  I don't know what to do about Mageia 5.
Comment 4 Christiaan Welvaart 2016-11-01 23:36:22 CET 
So far AAC decoding does not work (90% distortion) with ffmpeg 3.1.x and 3.2 . I guess I'll have to check with ffmpeg 2.8.x (the errors I listed may not be hard to fix) and/or a 3.0.x build.
Comment 5 David Walser 2016-11-07 18:43:03 CET 
Upstream has released version 54.0.2840.90 on November 1:
https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-desktop.html

This fixes one new security issue.

LWN reference:
http://lwn.net/Vulnerabilities/705823/

Summary: chromium-browser-stable new security issues fixed in 54.0.2840.59 => chromium-browser-stable new security issues fixed in 54.0.2840.90

Comment 6 David Walser 2016-11-11 01:02:26 CET 
Upstream has released version 54.0.2840.100 on November 9:
https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-desktop_9.html

This fixes several new security issues.

Summary: chromium-browser-stable new security issues fixed in 54.0.2840.90 => chromium-browser-stable new security issues fixed in 54.0.2840.100

Comment 7 David Walser 2016-11-15 20:46:04 CET 
(In reply to David Walser from comment #6)
> Upstream has released version 54.0.2840.100 on November 9:
> https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-
> desktop_9.html
> 
> This fixes several new security issues.

LWN reference:
http://lwn.net/Vulnerabilities/706473/
Christiaan Welvaart 2016-11-19 20:38:07 CET

Status: NEW => ASSIGNED

Comment 8 Christiaan Welvaart 2016-11-20 13:41:42 CET 
Updated packages are available for testing:

MGA5
SRPM:
chromium-browser-stable-54.0.2840.100-1.1.mga5.src.rpm
RPMS:
chromium-browser-stable-54.0.2840.100-1.1.mga5.i586.rpm
chromium-browser-54.0.2840.100-1.1.mga5.i586.rpm
chromium-browser-stable-54.0.2840.100-1.1.mga5.x86_64.rpm
chromium-browser-54.0.2840.100-1.1.mga5.x86_64.rpm




Proposed advisory:




Chromium-browser-stable 54.0.2840.100 fixes security issues:

Multiple flaws were found in Chromium's processing of web content where loading a web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information. (CVE-2016-5181, CVE-2016-5182, CVE-2016-5183, CVE-2016-5184, CVE-2016-5185, CVE-2016-5186, CVE-2016-5187, CVE-2016-5188, CVE-2016-5189, CVE-2016-5190, CVE-2016-5191, CVE-2016-5192, CVE-2016-5193, CVE-2016-5194, CVE-2016-5198, CVE-2016-5199, CVE-2016-5200, CVE-2016-5201, CVE-2016-5202)


References:
https://googlechromereleases.blogspot.com/2016/10/stable-channel-update-for-desktop.html
https://googlechromereleases.blogspot.com/2016/10/stable-channel-update-for-desktop_20.html
https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-desktop.html
https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-desktop_9.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5202

CC: (none) => cjw
Assignee: cjw => qa-bugs

Comment 9 David Walser 2016-11-20 20:50:15 CET 
FYI it adds a new dependency libsnappy1.

Working fine on Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

Comment 10 Bill Wilkinson 2016-11-20 21:27:07 CET 
I had already started testing mga5-64 before I noticed David had tested it, so, I'll chip in that the usual battery, general browsing, jetstream and acid3 are all OK.

CC: (none) => wrw105

Comment 11 Thomas Backlund 2016-11-20 21:56:20 CET 
this one broke on cauldron 32bit due to sse2...
that needs to be checked in this update too

CC: (none) => tmb

Christiaan Welvaart 2016-11-20 23:02:33 CET

Assignee: qa-bugs => cjw

Comment 12 Christiaan Welvaart 2016-11-26 12:03:29 CET 
A CPU with SSE2 support being required to run chromium is apparently a known problem so not something to hold up this update for.

Assignee: cjw => qa-bugs

Comment 13 James Kerr 2016-11-26 12:51:40 CET 
On mga5-32

$ uname -r
4.4.32-desktop-1.mga5

$ rpm -q chromium-browser-stable libsnappy1
chromium-browser-stable-54.0.2840.100-1.1.mga5
libsnappy1-1.1.2-3.mga5

Works fine - no regressions noted

Although it is almost 10 years old this box is 64 bit capable and supports sse2

I believe that there are more than a few Mageia users who run 32 bit Mageia on 64 bit capable systems.

Ok for mga5-32

CC: (none) => jim
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 14 James Kerr 2016-11-26 13:04:36 CET 
Should a comment be added to the advisory that sse2 support is required?
Comment 15 Lewis Smith 2016-11-26 21:07:05 CET 
Validated, and advisory from Comment 8 uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 16 Mageia Robot 2016-11-27 13:34:56 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0403.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED