Bug 25467

Summary: chromium-browser-stable security issues fixed in 77.0.3865.90
Product: Mageia
Reporter: Christiaan Welvaart <cjw>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: cjw, herman.viaene, jim, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK MGA7-32-OK
Source RPM: chromium-browser-stable-77.0.3865.75-1.mga7.src.rpm
CVE:
Status comment:

Description Christiaan Welvaart 2019-09-23 22:15:11 CEST
Upstream released chromium 77.0.3865.90 on September 18, 2019 with 4 security fixes (some 8 days after 77.0.3865.75):
https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop_18.html

This bug is for mga7. Cauldron and mga6 are also affected, but:
  - cauldron needs a newer icu package (version 64)
  - mga6 does not have a C++ compiler that can build chromium - maybe chromium 78 can be built with a gcc8 package I prepared earlier; I use clang to build M77 in mga7 and cauldron.
Comment 1 Christiaan Welvaart 2019-09-23 22:37:04 CEST
Updated packages are available for testing:

MGA7
SRPM:
chromium-browser-stable-77.0.3865.90-1.mga7.src.rpm
RPMS:
chromium-browser-77.0.3865.90-1.mga7.i586.rpm
chromium-browser-stable-77.0.3865.90-1.mga7.i586.rpm
chromium-browser-77.0.3865.90-1.mga7.x86_64.rpm
chromium-browser-stable-77.0.3865.90-1.mga7.x86_64.rpm


Advisory:


Chromium-browser 77.0.3865.90 fixes security issues:

Four use-after-free bugs were found in Chromium 77.0.3865.75: one in the UI component (CVE-2019-13685), two in the media component (CVE-2019-13688, CVE-2019-13687), and one in the offline pages component (CVE-2019-13686).



References:

https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop_18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13688

CC: (none) => cjw
Status: NEW => ASSIGNED
Assignee: cjw => qa-bugs

Comment 2 Herman Viaene 2019-09-24 14:45:33 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Browsed around, can't find anything wrong with it.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 James Kerr 2019-09-24 16:26:04 CEST
on mga7-32 in a vbox VM

packages installed cleanly:
- chromium-browser-77.0.3865.90-1.mga7.i586
- chromium-browser-stable-77.0.3865.90-1.mga7.i586

no regressions seen

OK for mga7-32

CC: (none) => jim
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK

Comment 4 James Kerr 2019-09-24 16:29:15 CEST
Update is now validated

Advisory in comment 1

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-09-27 20:44:58 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-09-27 21:39:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0289.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED