Bug 33151 - Updated chromium 124.0.6367.118 packages fix vulnerabilities
Summary: Updated chromium 124.0.6367.118 packages fix vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-27 21:21 CEST by christian barranco
Modified: 2024-05-09 04:41 CEST (History)
6 users (show)

See Also:
Source RPM: chromium-browser-stable-124.0.6367.60-1.mga9.tainted.src.rpm
CVE: CVE-2024-4331,CVE-2024-4368
Status comment:


Attachments

Description christian barranco 2024-04-27 21:21:40 CEST
Upstream just released 124.0.6367.91
https://chromiumdash.appspot.com/releases?platform=Linux
Comment 1 Morgan Leijström 2024-04-28 22:39:18 CEST
OK here mga9-64

$ chromium-browser --version
Chromium 124.0.6367.91 Mageia.Org 99

Swedish localisation
Remembered settings and opened tabs
Various shops, banking, video sites
Saving files, showing pdf, printing

[morgan@svarten ~]$ inxi -SCG
System:
  Host: svarten.tribun Kernel: 6.6.28-desktop-1.mga9 arch: x86_64 bits: 64
    Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
CPU:
  Info: dual core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 512 KiB
  Speed (MHz): avg: 3481 min/max: 1200/2934 cores: 1: 3481 2: 3481 3: 3481
    4: 3481
Graphics:
  Device-1: NVIDIA GM107 [GeForce GTX 750] driver: nvidia v: 470.239.06
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: nvidia,v4l gpu: nvidia resolution: 3840x2160~60Hz
  API: OpenGL v: 4.6.0 NVIDIA 470.239.06 renderer: NVIDIA GeForce GTX
    750/PCIe/SSE2

CC: (none) => fri
Assignee: chb0 => qa-bugs

Comment 2 Davy Defaud 2024-04-29 19:14:02 CEST
This version doesn’t work as a Wayland client like the previous one. I had to change the settings back to X11. Chromium is starting but not displaying its window. :-/
See: https://wiki.mageia.org/en/Mageia_9_Release_Notes#Chromium.2C_Chrome_and_Teams

CC: (none) => davy.defaud

katnatek 2024-04-29 19:22:47 CEST

Keywords: (none) => feedback

Comment 3 christian barranco 2024-04-30 07:27:24 CEST
(In reply to Davy Defaud from comment #2)
> This version doesn’t work as a Wayland client like the previous one. I had
> to change the settings back to X11. Chromium is starting but not displaying
> its window. :-/
> See:
> https://wiki.mageia.org/en/Mageia_9_Release_Notes#Chromium.
> 2C_Chrome_and_Teams

Please, provide the version number of the latest working one.
Comment 4 Davy Defaud 2024-04-30 11:45:33 CEST
It was the previous package, so: 123.0.6312.105-1.mga9
Comment 5 christian barranco 2024-05-01 19:36:49 CEST
(In reply to Davy Defaud from comment #4)
> It was the previous package, so: 123.0.6312.105-1.mga9

Hi. 
Our current version is 124.0.6367.60
I assume you are testing that one and not the one related to this report, which is an update to 124.0.6367.91

Anyway, it looks like upstream has broken Wayland on Linux, with Chromium 124...
https://www.debugpoint.com/google-chrome-no-window/

Until it is corrected upstream, I am afraid we have to live with that.
I will add a note on the advisory.

Keywords: feedback => (none)

Comment 6 christian barranco 2024-05-01 19:44:25 CEST
Just noticed upstream might have solved the Wayland detection issue.
https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_30.html

Let us give it a try.

Assignee: qa-bugs => chb0
Summary: Updated chromium 124.0.6367.91 packages fix vulnerabilities => Updated chromium 124.0.6367.118 packages fix vulnerabilities
CVE: (none) => CVE-2024-4331,CVE-2024-4368

Comment 7 Davy Defaud 2024-05-02 10:51:05 CEST
Hi Christian,

I’m running version 124.0.6367.60, indeed. My experience is a little bit different than the one described in your given link: I can start Chromium as a Wayland client with --ozone-platform=wayland, but if I force the ozone-platform setting with chrome://flags to wayland (instead of auto), it doesn’t work neither.

I will tell you whether the next MGA package fixes that behaviour.
Comment 8 christian barranco 2024-05-02 12:34:20 CEST
(In reply to Davy Defaud from comment #7)
> Hi Christian,
> 
> I’m running version 124.0.6367.60, indeed. My experience is a little bit
> different than the one described in your given link: I can start Chromium as
> a Wayland client with --ozone-platform=wayland, but if I force the
> ozone-platform setting with chrome://flags to wayland (instead of auto), it
> doesn’t work neither.
> 
> I will tell you whether the next MGA package fixes that behaviour.

Hi. Yes it is what is explained on the article: you need to set this flag to X11

Let us hope it is solved in the latest release.
Comment 9 christian barranco 2024-05-02 19:58:28 CEST
Ready for testing!

ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 124.0.6367.128 security update


Description
The chromium-browser-stable package has been updated to the 124.0.6367.128 release. It includes 2 security fixes.


Please, do note, only x86_64 is supported from now on.
i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code.

Some of the security fixes are:
* High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
* High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09

References
https://bugs.mageia.org/show_bug.cgi?id=33151
https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_30.html


SRPMS
9/tainted
chromium-browser-stable-124.0.6367.128-1.mga9.tainted.src.rpm


PROVIDED PACKAGES
=================
x86_64
chromium-browser-124.0.6367.128-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-124.0.6367.128-1.mga9.tainted.x86_64.rpm

Assignee: chb0 => qa-bugs

katnatek 2024-05-02 20:20:14 CEST

Keywords: (none) => advisory

Comment 10 Morgan Leijström 2024-05-03 11:09:41 CEST
OK here same tests as previous version in Comment 1
Comment 11 katnatek 2024-05-04 03:59:49 CEST
RH mageia 9 x86_64

LC_ALL=C urpme --auto-orphans --auto
writing /var/lib/rpm/installed-through-deps.list
No orphans to remove
[root@phoenix ~]# LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing chromium-browser-stable-124.0.6367.118-1.mga9.tainted.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: chromium-browser-stable
                                 ##################################################################################################
      1/1: removing chromium-browser-stable-124.0.6367.60-1.mga9.tainted.x86_64
                                 ##################################################################################################

Session Lxqt

Youtube OK
Facebook OK
Mageia sites OK
Comment 12 katnatek 2024-05-04 04:14:09 CEST
RH mageia 9 x86_64

Plasma Wayland

Set “Preferred Ozone platform” to Wayland following

https://wiki.mageia.org/en/Mageia_9_Release_Notes#Chromium.2C_Chrome_and_Teams

That restart chromium and the browser starts well
Youtube OK
Facebook OK
Mageia sites OK
Comment 13 Thomas Andrews 2024-05-04 15:23:56 CEST
Odd. Using the math.princeton mirror, qarepo couldn't find

chromium-browser-124.0.6367.128-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-124.0.6367.128-1.mga9.tainted.x86_64.rpm

But when using "chromium*" it did find

chromium-browser-124.0.6367.118-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-124.0.6367.118-1.mga9.tainted.x86_64.rpm

Note the "118" it the one it found, as opposed to "128" in comment 9.

What's going on? A simple typo, or something else?

Currently, https://mirrors.mageia.org/status shows the Princeton mirror as "less than 12 hours old," but comment 9 is two days old, so the correct one should be there.

CC: (none) => andrewsfarm

Comment 14 christian barranco 2024-05-04 16:22:19 CEST
(In reply to Thomas Andrews from comment #13)
> Odd. Using the math.princeton mirror, qarepo couldn't find
> 
> chromium-browser-124.0.6367.128-1.mga9.tainted.x86_64.rpm
> chromium-browser-stable-124.0.6367.128-1.mga9.tainted.x86_64.rpm
> 
> But when using "chromium*" it did find
> 
> chromium-browser-124.0.6367.118-1.mga9.tainted.x86_64.rpm
> chromium-browser-stable-124.0.6367.118-1.mga9.tainted.x86_64.rpm
> 
> Note the "118" it the one it found, as opposed to "128" in comment 9.
> 
> What's going on? A simple typo, or something else?
> 
> Currently, https://mirrors.mageia.org/status shows the Princeton mirror as
> "less than 12 hours old," but comment 9 is two days old, so the correct one
> should be there.

Apologies, typo...


ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 124.0.6367.118 security update


Description
The chromium-browser-stable package has been updated to the 124.0.6367.118 release. It includes 2 security fixes.


Please, do note, only x86_64 is supported from now on.
i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code.

Some of the security fixes are:
* High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
* High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09

References
https://bugs.mageia.org/show_bug.cgi?id=33151
https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_30.html


SRPMS
9/tainted
chromium-browser-stable-124.0.6367.118-1.mga9.tainted.src.rpm


PROVIDED PACKAGES
=================
x86_64
chromium-browser-124.0.6367.118-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-124.0.6367.118-1.mga9.tainted.x86_64.rpm
Comment 15 Thomas Andrews 2024-05-04 16:54:00 CEST
That's what I thought, but it's always best to check - and the bug report and advisory need to be correct, anyway.

No installation issues, on two different machines, one Intel-based, the other AMD. Tried a few sites, no issues. The main thing I use Chromium for is banking, as the bank seems to like it better than Firefox. No issues there, either.
Comment 16 katnatek 2024-05-04 19:06:08 CEST
(In reply to Davy Defaud from comment #7)
> Hi Christian,
> 
> I’m running version 124.0.6367.60, indeed. My experience is a little bit
> different than the one described in your given link: I can start Chromium as
> a Wayland client with --ozone-platform=wayland, but if I force the
> ozone-platform setting with chrome://flags to wayland (instead of auto), it
> doesn’t work neither.
> 
> I will tell you whether the next MGA package fixes that behaviour.

Please try with the new packages I set ozone platform to wayland and looks that works but Is better to be sure
Comment 17 Brian Rockwell 2024-05-05 02:07:53 CEST
Intel, Xfce, wimpy laptop

Installed Chromium, used or a few hours, working as expected.

CC: (none) => brtians1
Whiteboard: (none) => MGA9-64-OK

Comment 18 Davy Defaud 2024-05-06 11:26:14 CEST
(In reply to katnatek from comment #16)
> (In reply to Davy Defaud from comment #7)
> > Hi Christian,
> > 
> > I’m running version 124.0.6367.60, indeed. My experience is a little bit
> > different than the one described in your given link: I can start Chromium as
> > a Wayland client with --ozone-platform=wayland, but if I force the
> > ozone-platform setting with chrome://flags to wayland (instead of auto), it
> > doesn’t work neither.
> > 
> > I will tell you whether the next MGA package fixes that behaviour.
> 
> Please try with the new packages I set ozone platform to wayland and looks
> that works but Is better to be sure

I’ve just installed the new package, reset the ozone-platform to “Auto” and Chromium is working again as a Wayland client as expected. So I can confirm that the bug is fixed.

Cheers,

Davy
Comment 19 Morgan Leijström 2024-05-06 11:35:46 CEST
Thank you Davy

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 20 Morgan Leijström 2024-05-08 09:12:53 CEST
This update seems to solve an issue launching it for one user
https://forums.mageia.org/en/viewtopic.php?t=15357

Needs to get shipped.
Franz Holzinger 2024-05-08 09:56:18 CEST

CC: (none) => flink

Comment 21 Mageia Robot 2024-05-09 04:41:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0161.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.