Bug 31389 - Chromium 109.0.5414.74 fixes CVE
Summary: Chromium 109.0.5414.74 fixes CVE
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-01-10 22:48 CET by christian barranco
Modified: 2023-01-24 09:00 CET (History)
6 users (show)

See Also:
Source RPM: chromium-browser-stable-108.0.5359.124-1.mga8.src.rpm
Status comment:


Description christian barranco 2023-01-10 22:48:01 CET
Upstream just releases 109.0.5414.74, bringing 17 security fixes.
Comment 1 christian barranco 2023-01-11 13:05:49 CET
Hi. The MGA8 build is ready in core/Updates_testing, but I will not flag it ready to QA before the Cauldron build is complete.
For once (I need to buy a lottery ticket :) ), both MGA8 jobs have been assigned to Ecosse and MGA8 wan the race against MGA9 (despite MGA9 started earlier)!
Comment 2 christian barranco 2023-01-11 17:38:21 CET

New chromium-browser-stable 109.0.5414.74 fixes bugs and vulnerabilities

The chromium-browser-stable package has been updated to the 109.0.5414.74 release, fixing 17 vulnerabilities.

Some of the security fixes are:

High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au  on 2022-05-18
Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12




Comment 3 Morgan Leijström 2023-01-11 17:44:13 CET
Lets hope that kind of luck or more will spread throughout the world this year.

Anyway I tested it because I saw it.

mga8-64 OK for me.

CPU: i7-3770, Kernel 5.15.82-desktop-1.mga8
GPU: GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

Used four sites with video, four banks with three different logins, Nextcloud server login, ...

CC: (none) => fri

Comment 4 christian barranco 2023-01-11 21:34:17 CET
Ready for QA!

Assignee: chb0 => qa-bugs

Comment 5 Herman Viaene 2023-01-18 17:22:15 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Tested with same newspapersite as I do for Firefox updates. Everything I throw at it works OK, but the video rendering was noticeably more sluggish (more and longer interruptions) than Firefox. But that's not a reason to withhold this update.

CC: (none) => herman.viaene

Comment 6 christian barranco 2023-01-18 18:54:29 CET
(In reply to Herman Viaene from comment #5)
> throw at it works OK, but the video rendering was noticeably more sluggish
> (more and longer interruptions) than Firefox. But that's not a reason to
> withhold this update.

Hi. Is it the same video performance than with Chromium 108 or is it better with the previous Chromium version?
Comment 7 Herman Viaene 2023-01-19 08:47:29 CET
IMHO Chromium was never excellent at this. It is just now that I paid more attention to it, because I had a test of Chromium and a new version of Firefox within the hour. I don't feel it's necessary to raise an alarm.
Comment 8 Brian Rockwell 2023-01-21 04:57:18 CET
MGA8-64, on Xfce, Toshiba Laptop

AMD A6-3420M APU 
Radeon HD 6520G
RTL8188CE 802.11b/g/n WiFi Adapter
- chromium-browser-109.0.5414.74-1.mga8.x86_64
- chromium-browser-stable-109.0.5414.74-1.mga8.x86_64
- lib64jsoncpp24-1.9.4-1.mga8.x86_64

Tested video and some web sites.  

Working as expected for me

CC: (none) => brtians1

Comment 9 Thomas Andrews 2023-01-21 19:01:01 CET
I normally use Firefox, but I have Chromium around to use as an alternative. Updated with qarepo, with no installation issues.

Went to the U.S. Weather Service Climate Prediction Center https://www.cpc.ncep.noaa.gov/ and looked at long-range forecast, used Google to research how the expected transition from La Nina to an ESLO-neutral condition should affect the weather for the northeastern USA in the Spring, watched this week's edition of U.S. Farm Report https://farmjournaltv.gallery.video/ott/category/videos/u.s.-farm-report

All things that I, as a farmer, might do on any given day, especially during the growing season. Everything worked perfectly. Looks OK for me.

I'm going to give this an OK and Validate, before we bump up against the next version. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-01-24 01:09:28 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2023-01-24 09:00:29 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.