| Summary: | chromium-browser-stable new security issues fixed in 101.0.4951.41 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, fri, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK MGA8-32-OK | | |
| Source RPM: | chromium-browser-stable-100.0.4896.127-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
christian barranco
2022-04-28 17:33:20 CEST

mga8-64 OK Plasma, nvidia-current, Swedish. Tested different bank logins, video sites, printing.

CC: (none) => fri

Is this ready to assign to the qa team?

CC: (none) => davidwhodgins

Advisory committed to svn as

$ cat 30350.adv
type: security
subject: Updated chromium-browser-stable packages fix security vulnerability
CVE:
- CVE-2022-1477
- CVE-2022-1478
- CVE-2022-1479
- CVE-2022-1481
- CVE-2022-1482
- CVE-2022-1483
- CVE-2022-1484
- CVE-2022-1485
- CVE-2022-1486
- CVE-2022-1487
- CVE-2022-1488
- CVE-2022-1489
- CVE-2022-1490
- CVE-2022-1491
- CVE-2022-1492
- CVE-2022-1493
- CVE-2022-1494
- CVE-2022-1495
- CVE-2022-1496
- CVE-2022-1497
- CVE-2022-1498
- CVE-2022-1499
- CVE-2022-1500
- CVE-2022-1501
src:
  8:
    core:
      - chromium-browser-stable-101.0.4951.41-1.mga8
description: |
  Use after free in Vulkan. (CVE-2022-1477)
  Use after free in SwiftShader. (CVE-2022-1478)
  Use after free in ANGLE. (CVE-2022-1479)
  Use after free in Sharing. (CVE-2022-1481)
  Inappropriate implementation in WebGL. (CVE-2022-1482)
  Heap buffer overflow in WebGPU. (CVE-2022-1483)
  Heap buffer overflow in Web UI Settings. (CVE-2022-1484)
  Use after free in File System API. (CVE-2022-1485)
  Type Confusion in V8. (CVE-2022-1486)
  Use after free in Ozone. (CVE-2022-1487)
  Inappropriate implementation in Extensions API. (CVE-2022-1488)
  Out of bounds memory access in UI Shelf. (CVE-2022-1489)
  Use after free in Browser Switcher. (CVE-2022-1490)
  Use after free in Bookmarks. (CVE-2022-1491)
  Insufficient data validation in Blink Editing. (CVE-2022-1492)
  Use after free in Dev Tools. (CVE-2022-1493)
  Insufficient data validation in Trusted Types. (CVE-2022-1494)
  Incorrect security UI in Downloads. (CVE-2022-1495)
  Use after free in File Manager. (CVE-2022-1496)
  Inappropriate implementation in Input. (CVE-2022-1497)
  Inappropriate implementation in HTML Parser. (CVE-2022-1498)
  Inappropriate implementation in WebAuthentication. (CVE-2022-1499)
  Insufficient data validation in Dev Tools. (CVE-2022-1500)
  Inappropriate implementation in iframe. (CVE-2022-1501)
references:
- https://bugs.mageia.org/show_bug.cgi?id=30350
- https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html

Keywords: (none) => advisory

Tested x86_64 with my bank and several other sites. Tested i586 under vb with various sites. Adding the ok tags.

Whiteboard: (none) => MGA8-64-OK MGA8-32-OK

Thanks guys for supporting while I am traveling. Assigned to QA.

CC: (none) => sysadmin-bugs

Validating the update. One thing I did notice is that https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html includes the statement "This update includes 29 security fixes." but then goes on to list only 24 fixes with CVE numbers assigned. Presumably the other 5 are included and will be detailed later.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0158.html

Status: NEW => RESOLVED

(In reply to Dave Hodgins from comment #6)
> Validating the update. One thing I did notice is that
> https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
> includes the statement "This update includes 29 security fixes." but then
> goes on to list only 24 fixes with CVE numbers assigned. Presumably the other
> 5 are included and will be detailed later.

It is not the first time there is a disconnect between the total number information and the list of CVEs. But where does the 30 I mentioned come from?? Anyway, there is already a new update 101.0.4951.54… Usually, the subsequent builds within the same branch are straightforward. I'll give it a try on Wednesday night, when I'll be back.