Bug 33231 - Updated chromium 125.0.6422.76 packages fix vulnerabilities CVE-2024-49[57/58/59/60]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33240
Reported: 2024-05-21 21:52 CEST by christian barranco
Modified: 2024-05-26 01:39 CEST

See Also:
Source RPM: chromium-browser-stable-125.0.6422.60-1.1.mga9.tainted.src.rpm
CVE: CVE-2024-5157,CVE-2024-5158,CVE-2024-5159,CVE-2024-5160
Status comment:


Description christian barranco 2024-05-21 21:52:29 CEST
Upstream just released an update fixing 6 vulnerabilities
https://chromereleases.googleblog.com/search/label/Stable%20updates

I will wait for the robot to push 125.0.6422.60 before submitting this new update
christian barranco 2024-05-21 21:54:29 CEST

CC: (none) => andrewsfarm, brtians1, fri

Comment 1 Brian Rockwell 2024-05-23 14:32:17 CEST
ETA on arriving in tainted updates testing?
Comment 2 Morgan Leijström 2024-05-23 18:17:23 CEST
Chromium usually takes almost 24h...

You know you can check on http://pkgsubmit.mageia.org/ ?

Right now it is green=finished, submitted 22 h ago, build time 20 h.

So about now it should be on mirrors.

It is in my favourite mirror https://ftp.acc.umu.se/mirror/mageia/distrib/9/x86_64/media/tainted/updates_testing/
Comment 3 christian barranco 2024-05-23 20:22:11 CEST
Ready for QA!

Assignee: chb0 => qa-bugs

Comment 4 Brian Rockwell 2024-05-23 21:18:32 CEST
MGA9-64, Cinnamon, i7 M620, nvidia GT218M (Nouveau), laptop 

The following 3 packages are going to be installed:

- chromium-browser-125.0.6422.76-1.mga9.tainted.x86_64
- chromium-browser-stable-125.0.6422.76-1.mga9.tainted.x86_64
- google-roboto-fonts-1.2-4.mga9.noarch

748KB of disk space will be freed.


---

Used for a while, no issues.
Comment 5 katnatek 2024-05-23 22:57:09 CEST
RH mageia 9 x86_64 Plasma Wayland

Update without issues

Set Ozone platform to wayland:
Youtube OK
Facebook OK
Mageia sites OK

Used to post this comment

Keywords: (none) => advisory

katnatek 2024-05-23 23:18:40 CEST

CVE: (none) => CVE-2024-5157,CVE-2024-5158,CVE-2024-5159,CVE-2024-5160

Comment 6 Brian Rockwell 2024-05-24 03:15:56 CEST
MGA9-64, Xfce, Intel celeron

The following 3 packages are going to be installed:

- chromium-browser-125.0.6422.76-1.mga9.tainted.x86_64
- chromium-browser-stable-125.0.6422.76-1.mga9.tainted.x86_64
- google-roboto-fonts-1.2-4.mga9.noarch

48MB of additional disk space will be used.

email
sites work
Comment 7 Herman Viaene 2024-05-24 14:17:19 CEST
google-roboto-fonts-1.2-4.mga9.noarch not found in the remote repository
And it is not listed in Morgan's favorite mirror either.

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2024-05-24 15:18:50 CEST
(In reply to Herman Viaene from comment #7)
> google-roboto-fonts-1.2-4.mga9.noarch not found in the remote repository
> And it is not listed in Morgan's favorite mirror either.

Must be a new dependency. It's in the main repos, to be drawn in when you update the other two packages.
Comment 9 Herman Viaene 2024-05-24 15:43:13 CEST
Right, but it is confusing that it is listed in Comments 4 and 6 seemingly as update packages.
Comment 10 christian barranco 2024-05-24 18:47:00 CEST
My bad. I have forgotten to post the advisory and you will not find the roboto package in it. I’ll do it tonight.
Comment 11 christian barranco 2024-05-24 19:56:34 CEST
ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 125.0.6422.76 security update


Description
The chromium-browser-stable package has been updated to the 125.0.6422.76 release. It includes 6 security fixes.


Please, do note, only x86_64 is supported from now on.
i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code.

Some of the security fixes are:
* High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang on 2024-04-21
* High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-06
* High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop) on 2024-04-18
* High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz on 2024-05-01


References
https://bugs.mageia.org/show_bug.cgi?id=33231
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_21.html

SRPMS
9/tainted
chromium-browser-stable-125.0.6422.76-1.mga9.tainted.src.rpm


PROVIDED PACKAGES
=================
x86_64
chromium-browser-125.0.6422.76-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-125.0.6422.76-1.mga9.tainted.x86_64.rpm
christian barranco 2024-05-24 21:17:40 CEST

Blocks: (none) => 33240

Comment 12 Brian Rockwell 2024-05-24 22:05:35 CEST
MGA9-64, Plasma, Nvidia 1050 (550)

usual install of 3

-- 

Chromium working as expected in video and audio as well as some pages.

Whiteboard: (none) => MGA9-64-OK

Comment 13 Morgan Leijström 2024-05-24 23:20:33 CEST
OK mga9-64 Plasma X11, nvidia470

Clean update, open tabs and settings preserved, Swedish localisation
Used a few banking and shop sites
and a few video sites
file saving, pdf printing

Also OK on Thinkpad T510 using nouveau graphic driver, same terminal warnings as https://bugs.mageia.org/show_bug.cgi?id=33227#c10

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2024-05-26 01:39:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0194.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

