Hi. New branch released upstream, fixing many CVEs: https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html
ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 108 branch fixes bugs and vulnerabilities

Description

The chromium-browser-stable package has been updated to the new 108 branch with the 108.0.5359.71 release, fixing many bugs and 29 vulnerabilities, together with 107.0.5304.121.

Some of the security fixes are:

* CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
* CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-11-04
* CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
* CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
* CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
* CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
* CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
* CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
* CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
* CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
* CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
* CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
* CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
* CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
* CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
* CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
* CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
* CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-10-12
* CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
* CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
* CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
* CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06
* CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22

Google is aware that an exploit for CVE-2022-4135 exists in the wild.

References
https://bugs.mageia.org/show_bug.cgi?id=31033
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html

SRPMS
8/core
chromium-browser-stable-108.0.5359.71-1.mga8

PROVIDED PACKAGES
=================
x86_64
chromium-browser-108.0.5359.71-1.mga8.x86_64.rpm
chromium-browser-stable-108.0.5359.71-1.mga8.x86_64.rpm

i586
chromium-browser-108.0.5359.71-1.mga8.i586.rpm
chromium-browser-stable-108.0.5359.71-1.mga8.i586.rpm
Oops, sorry, the bug report reference should be: https://bugs.mageia.org/show_bug.cgi?id=31205
Ready for QA
Assignee: chb0 => qa-bugs
mga8-64 OK for me
Plasma, nvidia-current
clean update
Swedish localisation
Tried banking and video sites

Minor niggle in printing: I let it download and open a pdf document, selected to print only pages 1 and 28 double sided and it worked except printer also output two error pages about page range.
Workaround working on my system: exact same print to Boomaga, then to printer: no problem, one sheet of paper double sided.
Probably not a packaging problem, and I also do not remember when I last did such print from chromium.
CC: (none) => fri
MGA8 64 XFCE
Core I5, 6 GB RAM and driver Nvidia nonfree 390

Updated with QA repo and RPMs:
chromium-browser 108.0.5359.> 1.mga8 x86_64
chromium-browser-stable 108.0.5359.> 1.mga8 x86_64

No issues after installation, browsing OK:
Play sound with Spotify Ok
Play video with Netflix Ok
French Bank Sites Ok
CC: (none) => guillaume.royer
MGA8-64, Gnome
Chromium working properly. Youtube and other utilities are working properly.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1
Hi. It looks like hackers might have been active already to crack the beta versions.... Upstream just released an update, addressing an exploit: https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
Summary: chromium browser 108.0.5359.71 fixes vulnerabilities => chromium browser 108.0.5359.94 fixes vulnerabilities
Assignee: qa-bugs => chb0
Whiteboard: MGA8-64-OK => (none)
UPDATE

ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 108 branch fixes bugs and vulnerabilities

Description

The chromium-browser-stable package has been updated to the new 108 branch with the 108.0.5359.94 release, fixing many bugs and 29 vulnerabilities, together with 107.0.5304.121 and 108.0.5359.71.

Some of the security fixes are:

* CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
* CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-11-04
* CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
* CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
* CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
* CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
* CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
* CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
* CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
* CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
* CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
* CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
* CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
* CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
* CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
* CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
* CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
* CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-10-12
* CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
* CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
* CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
* CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06
* CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22
* CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29

Google is aware that exploits for CVE-2022-4135 and CVE-2022-4262 exist in the wild.

References
https://bugs.mageia.org/show_bug.cgi?id=31205
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html

SRPMS
8/core
chromium-browser-stable-108.0.5359.94-1.mga8

PROVIDED PACKAGES
=================
x86_64
chromium-browser-108.0.5359.94-1.mga8.x86_64.rpm
chromium-browser-stable-108.0.5359.94-1.mga8.x86_64.rpm

i586
chromium-browser-108.0.5359.94-1.mga8.i586.rpm
chromium-browser-stable-108.0.5359.94-1.mga8.i586.rpm
Thank you for catching that. I'll test this morning.
I noticed it isn't in the QA list nor in test repos. Let me know when it is ready. I'll grab it then.
Advisory committed to svn. https://pkgsubmit.mageia.org/ shows it's still building.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
I see it still building mga9 i586 and mga8 x86_64.

Looks strange that for mga9 the i586 takes much longer to build than x86_64, but on mga8 it is the other way around... Are they randomly executed on very different speed build environments?

Maybe it would be faster if they are queued for the fast execution, instead of built in parallel and we have to wait another day?
(In reply to Morgan Leijström from comment #12)
> I see it still building mga9 i586 and mga8 x86_64.
>
> Looks strange that for mga9 the i586 takes much longer to build than x86_64,
> but on mga8 it is the other way around... Are they randomly executed on
> very different speed build environments?
>
> Maybe it would be faster if they are queued for the fast execution, instead
> of built in parallel and we have to wait another day?

Actually, the first parameter is whether Ecosse server is used instead of Rabbit. Ecosse can build Chromium within half a day. It takes about 1.5 days on Rabbit.
Then, building for MGA9 is a bit quicker than for MGA8.
Lastly, x86_64 is a bit quicker than i586.

That being said, everything should be ready for QA by the end of day.
Got it from mirrors.kernel.org

$ rpm -q chromium-browser-stable
chromium-browser-stable-108.0.5359.94-1.mga8

Everything is working with no regressions.

As the exploits are in the wild, validating based on one test.
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
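
Added example (not part of the original thread and not Mageia tooling): a shell check that an `rpm -q` line like the one in the comment above is at or past the 108.0.5359.94 release from the advisory, comparing version fields numerically. The helper names and the 108.0.5359.124 sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: is an installed chromium-browser-stable at or past the fixed build?
FIXED_VERSION="108.0.5359.94"   # release named in the advisory on this page

# Pull the upstream version out of "name-version-release" as printed by rpm -q,
# e.g. chromium-browser-stable-108.0.5359.94-1.mga8 -> 108.0.5359.94
nvr_version() {
    nv=${1%-*}                  # drop "-release"
    printf '%s\n' "${nv##*-}"   # drop "name-"
}

# Succeed when dotted version $1 >= $2, comparing each field as a number
# (a string comparison would rank 108.0.5359.124 below 108.0.5359.94).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print "fixed", "outdated" or "unknown" for one line of rpm -q output.
check_nvr() {
    v=$(nvr_version "$1")
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # e.g. "package ... is not installed"
    esac
    if version_ge "$v" "$FIXED_VERSION"; then echo fixed; else echo outdated; fi
}

# Constructed sample inputs; on a real host use:
#   check_nvr "$(rpm -q chromium-browser-stable)"
for nvr in \
    "chromium-browser-stable-107.0.5304.121-1.mga8" \
    "chromium-browser-stable-108.0.5359.71-1.mga8" \
    "chromium-browser-stable-108.0.5359.94-1.mga8" \
    "chromium-browser-stable-108.0.5359.124-1.mga8"
do
    printf '%-50s %s\n' "$nvr" "$(check_nvr "$nvr")"
done
```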
Assigning to qa myself as this is very high priority.
Hi Dave. I was in fact doing it right when you wrote your comment that you validated it. Then I stopped, but it looks like you moved it now to QA.
Is it validated or is it still pending QA?
mga8-64 OK for me
Plasma, nvidia-current, old intel i7
clean update
Swedish localisation
pages restored OK
banking, authority, and video sites
(In reply to Dave Hodgins from comment #15)
> Assigning to qa myself as this is very high priority.

Maybe it should be set as security?
Priority: Normal => High
It already is.
(In reply to christian barranco from comment #16)
> Hi Dave. I was in fact doing it right when you wrote your comment that you
> validated it. Then I stopped, but it looks like you moved it now to QA.
> Is it validated or is it still pending QA?

For it to be selected by the script that moves things from updates testing to updates, it has to be assigned to qa and validated.

Changing the assignment doesn't alter the keywords, so it stays validated.
Also the advisory has to have been committed to svn, which I have done in this case. https://svnweb.mageia.org/advisories/31205.adv?revision=14193&view=markup The script uses the srpm(s) listed in the svn advisory to select what to move.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0451.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED