| Summary: | Chromium updated to 102.0.5005.115, fixes bugs and security vulnerabilities | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, fri, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | chromium-browser-stable-102.0.5005.61-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
christian barranco
2022-06-14 12:59:39 CEST
I see it is building in cauldron.

Thought: I know we used to build for Cauldron first. But our users are on mga8, and build time is long, and it should be tested too before release, during which time our users are not covered by the security update. So maybe we should in future consider building for mga8 before mga9?

CC: (none) => fri

---

Building first in stable breaks upgrades to Cauldron. It can be submitted to the build system for Mageia 8 first, but QA cannot approve the release of the update until it's also available in cauldron.

CC: (none) => davidwhodgins

---

Hi -> Ready for QA in core/Testing

ADVISORY NOTICE PROPOSAL
========================

Updated chromium-browser-stable packages fix bugs and security vulnerabilities

Description

The chromium-browser-stable package has been updated to the 102.0.5005.115 version, fixing many bugs and 7 CVEs. Some of them are listed below:

[1326210] High CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17
[1317673] High CVE-2022-2008: Out of bounds memory access in WebGL. Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19
[1325298] High CVE-2022-2010: Out of bounds read in compositing. Reported by Mark Brand of Google Project Zero on 2022-05-13
[1330379] High CVE-2022-2011: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-05-31
[1333948] Various fixes from internal audits, fuzzing and other initiatives

References

https://bugs.mageia.org/show_bug.cgi?id=30547
https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop.html

SRPMS

8/core
chromium-browser-stable-102.0.5005.115-1.mga8

PROVIDED PACKAGES
=================

x86_64
chromium-browser-102.0.5005.115-1.mga8.x86_64.rpm
chromium-browser-stable-102.0.5005.115-1.mga8.x86_64.rpm

i586
chromium-browser-102.0.5005.115-1.mga8.i586.rpm
chromium-browser-stable-102.0.5005.115-1.mga8.i586.rpm

Assignee: chb0 => qa-bugs

---

No regressions on my system including online banking, and a few other sites. Will wait for a non-English tester before validating.

Keywords: (none) => advisory

---

mga8-64, Plasma, nvidia-current, Swedish

§ Localisation OK
§ opened saved tabs
§ a bunch of warnings output in konsole - normal of modern software :(
§ watched some video sites
§ logged in to a couple banks

As my test was OK and non-English, per comment 5 I validate.

Keywords: (none) => validated_update

---

(In reply to Morgan Leijström from comment #6)
> § a bunch of warnings output in konsole - normal of modern software :(

Hi

Could you post a list? Is the test done in a VM?

---

Chromium always does that. It has nothing to do with a VM. You can see it for yourself if you launch it from a terminal. It is ugly, but it's not alone in this. Firefox does it too.

---

I mentioned the VM because I have seen some warnings related to EGL and GPU acceleration that I don't see on a hardcore machine. I am not worried, I am just wondering whether there is something to improve (performance wise, maybe); continuous improvement mode.

---

If you're interested, the messages are ...

```
[46284:46284:0615/192605.832144:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.kwalletd was not provided by any .service files
[46284:46284:0615/192605.832214:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd (isEnabled)
[46284:46284:0615/192605.832965:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[46284:46284:0615/192605.832984:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd
[46284:46284:0615/192605.833993:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.kwalletd was not provided by any .service files
[46284:46284:0615/192605.834013:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd (close)
ATTENTION: default value of option vblank_mode overridden by environment.
ATTENTION: default value of option vblank_mode overridden by environment.
[46322:46322:0615/192606.062263:ERROR:gbm_wrapper.cc(292)] Failed to export buffer to dma_buf: No such file or directory (2)
```

the above/below message repeated about 30 times.

```
[46322:46322:0615/192606.065142:ERROR:gbm_wrapper.cc(292)] Failed to export buffer to dma_buf: No such file or directory (2)
libpng warning: iCCP: known incorrect sRGB profile
```

I don't use kwallet.

---

Yes, and Thunderbird pukes on my terminal too.

If not told to, I would never pass a product that spews a lot of errors that look like they are serious (especially on precious mail), but it is normal. And it is hard to track seriousness unless you know the code... I presume the errors are just from trying to do something and then it falls back on alternate ways, or it did not matter - but the output should really say so then!! This is sloppy and very arrogant to testers and users!

I may be a bit sensitive from working on machinery where a defunct control system actually may kill people. A browser just emptying my bank account would not kill me. And I would not kill the programmer either. ;)

```
$ chromium-browser
[1485305:1485305:0615/192954.207265:ERROR:vaapi_wrapper.cc(1131)] vaQuerySurfaceAttributes failed, VA error: invalid parameter
[1485305:1485305:0615/192954.207310:ERROR:vaapi_wrapper.cc(1078)] FillProfileInfo_Locked failed for va_profile VAProfileH264High and entryptrypointVLD
[1485305:1485305:0615/192954.447074:ERROR:gpu_memory_buffer_support_x11.cc(44)] dri3 extension not supported.
libpng warning: iCCP: known incorrect sRGB profile
[1485272:1485272:0615/195247.839346:ERROR:interface_endpoint_client.cc(665)] Message 1 rejected by interface blink.mojom.WidgetHost
[1485272:1485272:0615/195705.676393:ERROR:interface_endpoint_client.cc(665)] Message 0 rejected by interface blink.mojom.WidgetHost
```

Above is after a few sites, and manually removed duplicate lines.

---

Thanks Morgan and Dave for the additional information.

What is reported by Morgan is more what I used to see, here and there, related to graphic acceleration. I have activated our system vaapi. Overall, I think it is beneficial (even if I don't have robust benchmarks), even if it leads to some errors/warnings from time to time.

I have never seen the kwallet related errors from Dave. I will have a deeper look.

I am not concerned by any of these messages. It seems not to impact the customer experience, besides polluting the logs, at a first glance.

---

I guess I don't see kwallet errors because I am not fond of tying to a DE, so if chromium ever asked to use kwallet I have declined.

---

The messages for kwallet are due to chromium looking to see if it's available. In systemsettings5/Personalisation/KDE Wallet I have unchecked the box for "Enable KDE wallet subsystem". I wouldn't worry about those messages from chromium about it.

---

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0232.html

Resolution: (none) => FIXED