| Summary: | Updated chromium 120.0.6099.129 packages fix vulnerabilities | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, fri, geex+mageia, guillaume.royer, j.alberto.vc, mageia, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK, MGA9-32-OK | ||
| Source RPM: | chromium-browser-stable-119.0.6045.159-1.mga9.tainted.src.rpm | CVE: | CVE-2023-6508, CVE-2023-6509, CVE-2023-6510, CVE-2023-6511, CVE-2023-6512, CVE-2023-6702, CVE-2023-6703, CVE-2023-6704, CVE-2023-6705, CVE-2023-6706, CVE-2023-6707, CVE-2023-7024 |
| Status comment: | |||
|
Description
christian barranco
2023-12-10 17:26:59 CET
ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 120.0.6099.71 fixes bugs and vulnerabilities

Description
The chromium-browser-stable package has been updated to the 120.0.6099.71 release, fixing bugs and 10 vulnerabilities, together with 120.0.6099.62; some of them are listed below:

High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24

References
https://bugs.mageia.org/show_bug.cgi?id=32612
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_6.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html
https://www.aboutchromebooks.com/news/heres-whats-in-the-now-available-google-chrome-120-release/

SRPMS
9/tainted
chromium-browser-stable-120.0.6099.71-1.mga9.tainted.src.rpm

PROVIDED PACKAGES
=================
x86_64
chromium-browser-120.0.6099.71-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-120.0.6099.71-1.mga9.tainted.x86_64.rpm

i586
chromium-browser-120.0.6099.71-1.mga9.tainted.i586.rpm
chromium-browser-stable-120.0.6099.71-1.mga9.tainted.i586.rpm

Nothing yet in tainted updates testing.

CC:
(none) =>
fri

Still nothing

A new version is already out.
https://chromereleases.googleblog.com/search/label/Stable%20updates
"The Stable channel has been updated to 120.0.6099.109 for Mac,Linux . This update includes 9 security fixes."

CC:
(none) =>
geex+mageia

Update and I should be able to submit it as soon as the source tarball is available:
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html

Summary:
Updated chromium 120.0.6099.71 packages fix vulnerabilities =>
Updated chromium 120.0.6099.129 packages fix vulnerabilities

ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 120.0.6099.129 fixes bugs and vulnerabilities

Description
The chromium-browser-stable package has been updated to the 120.0.6099.129 release, fixing bugs and 20 vulnerabilities, together with 120.0.6099.109, 120.0.6099.71 and 120.0.6099.62; some of them are listed below:

High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19

Google is aware that an exploit for CVE-2023-7024 exists in the wild.

References
https://bugs.mageia.org/show_bug.cgi?id=32612
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_6.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html
https://www.aboutchromebooks.com/news/heres-whats-in-the-now-available-google-chrome-120-release/

SRPMS
9/tainted
chromium-browser-stable-120.0.6099.129-1.mga9.tainted.src.rpm

PROVIDED PACKAGES
=================
x86_64
chromium-browser-120.0.6099.129-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-120.0.6099.129-1.mga9.tainted.x86_64.rpm

i586
chromium-browser-120.0.6099.129-1.mga9.tainted.i586.rpm
chromium-browser-stable-120.0.6099.129-1.mga9.tainted.i586.rpm

Finally, ready for QA!

Assignee:
chb0 =>
qa-bugs
christian barranco
2023-12-23 13:24:09 CET
CC:
(none) =>
j.alberto.vc
christian barranco
2023-12-23 13:37:24 CET
CC:
(none) =>
guillaume.royer

MGA9-64 Plasma, i5-2500, Intel graphics, wired Internet.

Updated the "stable" version without issues.

Mostly, I use Chromium to access my bank's site, as the bank seems to trust it more than Firefox. I did access my bank accounts, looked around, checked my credit score, logged out. Looks good. Then I checked a couple of weather sites for a local forecast, also good.

Looks OK here.

CC:
(none) =>
andrewsfarm

mga9-64, Plasma X11, nvidia470

My banking sites and favourite video sites work.

Fail: Youtube: videos do not play. No error output in konsole from which it was started. Tried several. Firefox on the same system plays those videos.

BTW, earlier in the run, when I successfully used my bank Syd, in terminal output I note:
Warning: remove_all_non_valid_override_layers: Failed to get executable path and name
Warning: loader_scanned_icd_add: Could not get 'vkCreateInstance' via 'vk_icdGetInstanceProcAddr' for ICD libGLX_nvidia.so.0
Warning: /usr/lib64/libvulkan_intel.so: cannot open shared object file: Permission denied
Warning: loader_icd_scan: Failed loading library associated with ICD JSON /usr/lib64/libvulkan_intel.so. Ignoring this JSON
Warning: loader_get_json: Failed to open JSON file intel_hasvk_icd.x86_64.json
Warning: /usr/lib64/libvulkan_radeon.so: cannot open shared object file: Permission denied
Warning: loader_icd_scan: Failed loading library associated with ICD JSON /usr/lib64/libvulkan_radeon.so. Ignoring this JSON
Warning: loader_get_json: Failed to open JSON file lvp_icd.x86_64.json
Error: Loader Message: setup_loader_term_phys_devs: Failed to detect any valid GPUs in the current config
Warning: vkEnumeratePhysicalDevices
at GatherPhysicalDevices (../../third_party/dawn/src/dawn/native/vulkan/VulkanInfo.cpp:144)
at Initialize (../../third_party/dawn/src/dawn/native/vulkan/BackendVk.cpp:388)
at Create (../../third_party/dawn/src/dawn/native/vulkan/BackendVk.cpp:301)
at operator() (../../third_party/dawn/src/dawn/native/vulkan/BackendVk.cpp:556)
The two "permission denied" are for files that exist and are owned root:root.
It does not tell what it means by "valid GPUs"; mine is nvidia GTX750Ti, using nvidia470.
The warnings above do not appear with Youtube, which is the only place of the few I tried where Chromium fails.

Keywords:
(none) =>
feedback

Hi Morgan.
It looks like Chromium does not like our system ffmpeg anymore. I am building it with its bundled ffmpeg to check. I will work later on restoring the use of system ffmpeg.
Let us see whether the usual garbage messages are related after.
PC LX
2023-12-24 02:47:09 CET
CC:
(none) =>
mageia

I found a patch to keep using our system FFmpeg and solve the youtube playback issue reported by Morgan.
However, our BS is out of order and I have no clue when it will be usable again; in short, no package update is at all possible right now and it is not in my hands.

CC:
(none) =>
sysadmin-bugs

Nice Christmas gift: BS is back and there is now a new version of chromium to test. Thanks!

ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 120.0.6099.129 fixes bugs and vulnerabilities

Description
The chromium-browser-stable package has been updated to the 120.0.6099.129 release, fixing bugs and 20 vulnerabilities, together with 120.0.6099.109, 120.0.6099.71 and 120.0.6099.62; some of them are listed below:

High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19

Google is aware that an exploit for CVE-2023-7024 exists in the wild.

References
https://bugs.mageia.org/show_bug.cgi?id=32612
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_6.html
https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html
https://www.aboutchromebooks.com/news/heres-whats-in-the-now-available-google-chrome-120-release/

SRPMS
9/tainted
chromium-browser-stable-120.0.6099.129-2.mga9.tainted.src.rpm

PROVIDED PACKAGES
=================
x86_64
chromium-browser-120.0.6099.129-2.mga9.tainted.x86_64.rpm
chromium-browser-stable-120.0.6099.129-2.mga9.tainted.x86_64.rpm

i586
chromium-browser-120.0.6099.129-2.mga9.tainted.i586.rpm
chromium-browser-stable-120.0.6099.129-2.mga9.tainted.i586.rpm

Keywords:
feedback =>
(none)

Tested in Real Hardware Mageia 9 x86_64

Youtube works again
clarovideo works (netflix like site)

This message is there at least since the current version

[87648:87648:1225/111523.089460:ERROR:policy_logger.cc(156)] :components/enterprise/browser/controller/chrome_browser_cloud_management_controller.cc(161) Cloud management controller initialization aborted as CBCM is not enabled. Please use the `--enable-chrome-browser-cloud-management` command line flag to enable it if you are not using the official Google Chrome build.

Tested in Real Hardware Mageia 9 i586

youtube works
facebook works
Mageia sites work

(In reply to katnatek from comment #14)
> Tested in Real Hardware Mageia 9 x86_64
>
> Youtube works again
> clarovideo works (netflix like site)
>
> This message is there at least since the current version
>
> [87648:87648:1225/111523.089460:ERROR:policy_logger.cc(156)]
> :components/enterprise/browser/controller/
> chrome_browser_cloud_management_controller.cc(161) Cloud management
> controller initialization aborted as CBCM is not enabled. Please use the
> `--enable-chrome-browser-cloud-management` command line flag to enable it if
> you are not using the official Google Chrome build.

Thanks katnatek.
The error message regarding cloud management is more a warning related to specific Chrome features. Or, have you seen anything not working?

Let us wait for Morgan's test and, in my opinion, this update can be validated. There is quite a severe exploit fixed by this release.
Marja Van Waes
2023-12-25 21:54:15 CET
CVE:
(none) =>
CVE-2023-6508, CVE-2023-6509, CVE-2023-6510, CVE-2023-6511, CVE-2023-6512, High CVE-2023-6702, High CVE-2023-6703, High CVE-2023-6704, High CVE-2023-6705, CVE-2023-6706, CVE-2023-6707, CVE-2023-7024

I checked youtube with the original Chromium and got the error. Then I updated to the latest (from comment 13) and Youtube works. Banking site still works, too.

Looks OK here. Giving Morgan some time to test it out, but I will push it in a day or two even if he doesn't. Unless, of course, someone finds some other problem that needs to be fixed.

Advisory from comment 13 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

CVE:
CVE-2023-6508, CVE-2023-6509, CVE-2023-6510, CVE-2023-6511, CVE-2023-6512, High CVE-2023-6702, High CVE-2023-6703, High CVE-2023-6704, High CVE-2023-6705, CVE-2023-6706, CVE-2023-6707, CVE-2023-7024 =>
CVE-2023-6508, CVE-2023-6509, CVE-2023-6510, CVE-2023-6511, CVE-2023-6512, CVE-2023-6702, CVE-2023-6703, CVE-2023-6704, CVE-2023-6705, CVE-2023-6706, CVE-2023-6707, CVE-2023-7024

Working good now thank you
(same warnings as in Comment 10)

Keywords:
(none) =>
validated_update

(In reply to christian squidf from comment #16)
> Thanks katnatek.
> The error message regarding cloud management is more a warning related to
> specific Chrome features. Or, have you seen anything not working?
>

Nothing that I use is broken, this is the information I find about Chrome Browser Cloud Management
https://support.google.com/chrome/a/answer/9116814?hl=en

Thanks katnatek for the link.
As requirement, I read: "Chrome installations that are not using the default configuration will not be supported, as this could lead to unexpected behavior."
Chromium cannot ensure that, as Chromium is not Chrome and is patched to use system libs, for instance.
People wanting to use Chrome Browser Cloud Management will have to use Chrome and the full Google ecosystem.

I propose to validate this update. Meanwhile, python will be finally updated and Cauldron update will be able to happen...

The option --enable-chrome-browser-cloud-management is a run time option, not a build option, so users who want it can use it.

It's intended for use in an environment where there is central control over things like what extensions are allowed rather than the person running the browser.

CC:
(none) =>
davidwhodgins

Updated Chromium with QA repo:

Tested with:
Bank site Ok
Element web client Matrix Ok
Netflix Ok
Facebook Ok
Youtube Ok

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0355.html

Status:
NEW =>
RESOLVED |
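
A host check for the build this report pushed, given as an added example that is not part of the bug report or of Mageia's tooling. The function names, status labels and sample lines are assumptions; the package name, version and release are the ones stated in the advisory above.

```shell
#!/bin/sh
# Added example. Fixed build per the final advisory in this report:
# chromium-browser-stable-120.0.6099.129-2.mga9.tainted
FIXED_VERSION="120.0.6099.129"
FIXED_RELEASE=2

# ver_cmp A B: print -1, 0 or 1 when dotted numeric version A is <, = or > B.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# chromium_status VERSION RELEASE (hypothetical labels):
#   outdated        older than the advisory version, CVE fixes missing
#   patched-build1  fixes present, first QA build (YouTube playback failed)
#   patched         pushed build or newer
#   unknown         input is not a version/release pair
chromium_status() {
    case $1 in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    rel=${2%%.*}                       # "2.mga9.tainted" -> "2"
    case $rel in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    c=$(ver_cmp "$1" "$FIXED_VERSION")
    if [ "$c" = -1 ]; then echo outdated
    elif [ "$c" = 0 ] && [ "$rel" -lt "$FIXED_RELEASE" ]; then echo patched-build1
    else echo patched
    fi
}

# audit_lines: read "NAME VERSION RELEASE" lines on stdin, e.g. from
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' chromium-browser-stable
audit_lines() {
    while read -r name ver rel; do
        [ -n "$name" ] || continue
        echo "$name $(chromium_status "$ver" "$rel")"
    done
}

# Constructed sample: the pre-update package, the first QA build, the pushed build.
SAMPLE='chromium-browser-stable 119.0.6045.159 1.mga9.tainted
chromium-browser-stable 120.0.6099.129 1.mga9.tainted
chromium-browser-stable 120.0.6099.129 2.mga9.tainted'
printf '%s\n' "$SAMPLE" | audit_lines
```

When the package is absent, rpm prints a "not installed" message instead of the three fields, and that line is reported as `unknown`.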