30695 – Chromium updated to 104.0.5112.79, fixes bugs and CVE

Bug 30695 - Chromium updated to 104.0.5112.79, fixes bugs and CVE

Summary: Chromium updated to 104.0.5112.79, fixes bugs and CVE

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-08-02 23:28 CEST by christian barranco
Modified:	2022-08-05 23:02 CEST (History)
CC List:	4 users (show)

See Also:
Source RPM:	chromium-browser-stable-103.0.5060.134-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description christian barranco 2022-08-02 23:28:08 CEST

Upstream just released the 104.0.5112.79 version, fixing bugs and 27 CVE.

https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html

Comment 1 christian barranco 2022-08-02 23:51:36 CEST

ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable branch fixes bugs and CVE


Description
The chromium-browser-stable package has been updated to the new 104.0.5112.79
branch, fixing many bugs and 27 CVE. Some of them are listed below:

[1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
[1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
[1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
[1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
[1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
[1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
[1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
[1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
[1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
[1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
[1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
[1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
[1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
[1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
[1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
[1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
[1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
[1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
[1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
[1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
[1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
[1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27

[1251653] Various fixes from internal audits, fuzzing and other initiatives


References
https://bugs.mageia.org/show_bug.cgi?id=30655
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html
https://blog.chromium.org/2022/06/chrome-104-beta-new-media-query-syntax.html



SRPMS
8/core
chromium-browser-stable-104.0.5112.79-1.mga8


PROVIDED PACKAGES
=================
x86_64
chromium-browser-104.0.5112.79-1.mga8.x86_64.rpm
chromium-browser-stable-104.0.5112.79-1.mga8.x86_64.rpm

i586
chromium-browser-104.0.5112.79-1.mga8.i586.rpm
chromium-browser-stable-104.0.5112.79-1.mga8.i586.rpm

Dave Hodgins 2022-08-03 00:56:03 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 2 christian barranco 2022-08-03 22:26:09 CEST

Ready for QA in core/updates_testing

CC: (none) => sysadmin-bugs
Assignee: chb0 => qa-bugs

christian barranco 2022-08-04 09:55:17 CEST

CC: (none) => fri

Comment 3 Morgan Leijström 2022-08-04 15:00:16 CEST

mga8-64, Plasma, Swedish, Intel i7, Nvidia-current
OK: Localisation, settings, restores tabs
Tested a couple banking sites and video sites
Printing.

Comment 4 Herman Viaene 2022-08-04 15:34:57 CEST

MGA8-64 Plasma on Acer Aspire
No installation issues.
Checked newspaper site with sound and picturees and video, all OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Dave Hodgins 2022-08-05 06:29:46 CEST

No regressions for me, or anyone reporting on their testing. Validating.

Keywords: (none) => validated_update

Comment 6 Mageia Robot 2022-08-05 23:02:03 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0277.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.