Bug 32705 - Updated chromium 120.0.6099.216 packages fix vulnerabilities
Summary: Updated chromium 120.0.6099.216 packages fix vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-01-08 21:46 CET by christian barranco
Modified: 2024-01-14 23:26 CET

See Also:
Source RPM: chromium-browser-stable-120.0.6099.129-2.mga9.tainted.src.rpm
CVE: CVE-2024-0333, CVE-2024-0222, CVE-2024-0223, CVE-2024-0224, CVE-2024-0225
Status comment:



Description christian barranco 2024-01-08 21:46:25 CET
Upstream security fix release:
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
Comment 1 christian barranco 2024-01-09 09:53:14 CET
Hi. Please do note that Chromium does not build anymore on Cauldron because of Python 3.12.
I can’t state yet how long it will take to be able to do so again.
Comment 2 Morgan Leijström 2024-01-10 17:42:11 CET Comment hidden (obsolete)

CC: (none) => chb0, fri
Assignee: chb0 => qa-bugs

PC LX 2024-01-10 17:55:34 CET

CC: (none) => mageia

christian barranco 2024-01-10 20:37:45 CET

Summary: Updated chromium 120.0.6099.199 packages fix vulnerabilities => Updated chromium 120.0.6099.216 packages fix vulnerabilities

Comment 3 christian barranco 2024-01-10 20:38:44 CET
Well, already a new security release:
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_9.html
Comment 4 christian barranco 2024-01-10 20:41:00 CET
ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 120.0.6099.216 fixes bugs and vulnerabilities


Description
The chromium-browser-stable package has been updated to the 120.0.6099.216 release. Together with 120.0.6099.199, 7 vulnerabilities are fixed; some of them are listed below:

    High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20

    High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13

    High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24

    High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25

    High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01


References
https://bugs.mageia.org/show_bug.cgi?id=32705
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_9.html
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html


SRPMS
9/tainted
chromium-browser-stable-120.0.6099.216-1.mga9.tainted.src.rpm


PROVIDED PACKAGES
=================
x86_64
chromium-browser-120.0.6099.216-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-120.0.6099.216-1.mga9.tainted.x86_64.rpm

i586
chromium-browser-120.0.6099.216-1.mga9.tainted.i586.rpm
chromium-browser-stable-120.0.6099.216-1.mga9.tainted.i586.rpm

CVE: (none) => CVE-2024-0333, CVE-2024-0222, CVE-2024-0223, CVE-2024-0224, CVE-2024-0225

christian barranco 2024-01-10 20:41:24 CET

Assignee: qa-bugs => chb0

Comment 5 christian barranco 2024-01-12 10:52:34 CET
Ready for QA!

Assignee: chb0 => qa-bugs

Comment 6 Morgan Leijström 2024-01-12 15:37:02 CET
mga9-64, Plasma X11, nvidia470, backport kernel 6.5.13-2

$ chromium-browser --version
Chromium 120.0.6099.216 Mageia.Org 9

Localisation Swedish OK.
Tabs opened in previous version automatically restored at launch.
My banking sites, tax office, favourite video sites and YouTube work.
Opening and printing PDF OK, using both the built-in and system print dialogue.
Comment 7 Marja Van Waes 2024-01-12 18:39:47 CET
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory

christian barranco 2024-01-12 18:48:52 CET

CC: (none) => j.alberto.vc

christian barranco 2024-01-12 18:50:28 CET

CC: (none) => andrewsfarm, davidwhodgins, guillaume.royer

Comment 8 Dave Hodgins 2024-01-12 19:32:28 CET
No regressions for me. I primarily use it for my bank site.

CC: (none) => davidwhodgins

Comment 9 Guillaume Royer 2024-01-12 20:21:08 CET
MGA9 64 GNOME

Updated with QA repo.

Tested with:

Bank site
Netflix
Element Matrix web client

It's OK for me.
Guillaume Royer 2024-01-12 20:22:02 CET

Whiteboard: (none) => MGA9-64-OK

Comment 10 katnatek 2024-01-12 21:11:04 CET
Tested on real hardware, Mageia 9 i586 LXQt

Facebook works
YouTube works
Mageia sites work

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

Morgan Leijström 2024-01-13 11:20:15 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2024-01-14 23:26:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0011.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

