Bug 33240 - Updated chromium 125.0.6422.112 packages fix CVE-2024-5274
Summary: Updated chromium 125.0.6422.112 packages fix CVE-2024-5274
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: x86_64 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 33231
Blocks:
Reported: 2024-05-24 21:17 CEST by christian barranco
Modified: 2024-05-28 10:59 CEST

See Also:
Source RPM: chromium-browser-stable-125.0.6422.76-1.mga9.tainted.src.rpm
CVE: CVE-2024-5274
Status comment:


Attachments
Message in a banner (29.56 KB, image/jpeg)
2024-05-27 16:03 CEST, papoteur

Description christian barranco 2024-05-24 21:17:13 CEST
Google is aware that an exploit for CVE-2024-5274 exists in the wild.

New upstream release:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html


I will push it as soon as the robot has pushed 125.0.6422.76.
christian barranco 2024-05-24 21:17:40 CEST

Depends on: (none) => 33231

christian barranco 2024-05-24 21:19:13 CEST

CVE: (none) => CVE-2024-5274
CC: (none) => andrewsfarm, brtians1, fri

christian barranco 2024-05-24 21:19:56 CEST

Hardware: All => x86_64

Comment 1 christian barranco 2024-05-26 10:00:12 CEST
ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 125.0.6422.112 security update


Description
The chromium-browser-stable package has been updated to the 125.0.6422.112 release. It includes 1 security fix.

* High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.


Please note that only x86_64 is supported from now on.
i586 support for Linux was stopped some years ago and the community is no longer able to provide patches for the latest Chromium code.


References
https://bugs.mageia.org/show_bug.cgi?id=33240
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html

SRPMS
9/tainted
chromium-browser-stable-125.0.6422.112-1.mga9.tainted.src.rpm


PROVIDED PACKAGES
=================
x86_64
chromium-browser-125.0.6422.112-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-125.0.6422.112-1.mga9.tainted.x86_64.rpm
Comment 2 christian barranco 2024-05-26 20:31:00 CEST
Ready for QA!

Assignee: chb0 => qa-bugs

Comment 3 Thomas Andrews 2024-05-27 14:11:29 CEST
MGA9-64 Plasma on an HP Pavilion. No installation issues. A quick check of several sites shows no issues with any of them. I don't do banking on this laptop, so I don't know (yet) if that is OK, but I don't anticipate any problems there, either.
Comment 4 papoteur 2024-05-27 14:38:11 CEST
MGA9-64 LXQt on an Asus Zenbook. No installation issues.
Opened site using connection with a smartcard. No problem.
OK for me.
At second launch, got a message: "Google API keys are lacking. Some features will be disabled". I didn't pay attention at first launch to remember if the message was present. Explanations are linked to https://www.chromium.org/developers/how-tos/api-keys/

CC: (none) => yvesbrungard

Comment 5 Thomas Andrews 2024-05-27 14:49:54 CEST
I got that message on my first launch, too. I simply closed it, the way I close messages from Firefox asking if I want to "renew" it.
Comment 6 christian barranco 2024-05-27 15:42:27 CEST
(In reply to papoteur from comment #4)
> At second launch, got a message: "Google API keys are lacking. Some features
> will be disabled". I didn't pay attention at first launch to remember if the
> message was present. Explanations are linked to
> https://www.chromium.org/developers/how-tos/api-keys/

This is the first time I have seen this. I have been using the same google_api_key we had before I took over the maintenance of Chromium.
However, I am not setting
google_default_client_id = "your_client_id"
google_default_client_secret = "your_client_secret"
as explained by papoteur's link, as it has never been in the spec file and I don't know who requested this key for MGA.

Could you elaborate on the circumstances in which you get this message, so I can try to replicate it?
Comment 7 papoteur 2024-05-27 16:03:00 CEST
Created attachment 14550
Message in a banner

I just opened chromium, then the message appears in a banner.
Comment 8 Brian Rockwell 2024-05-27 17:16:02 CEST
I've installed this update on two machines.

I get the same API message, but Chromium seems to be working fine in the Google domain of tools.

video fine
mail fine
my typical websites all working as expected.
Comment 9 katnatek 2024-05-27 19:20:46 CEST
RH mageia Plasma Wayland

Set Ozone platform to wayland

Facebook OK
Youtube OK
Mageia Sites OK

I confirm the API warning. As I have not seen this before, perhaps we need to renew our API key?
Comment 10 Thomas Andrews 2024-05-27 19:29:40 CEST
Updated on my production install. Banner is there when it first starts up with Google as the home page, but when I use a bookmark to go to another page it goes away. No issues elsewhere - banking is OK. Using it now.

Since Google says this CVE is being exploited in the wild, and the banner doesn't seem to do any harm, I'm thinking we should send this update on and let Christian investigate and address the banner issue in the next update.

Any objections?
Comment 11 katnatek 2024-05-27 19:54:57 CEST
(In reply to Thomas Andrews from comment #10)
> Updated on my production install. Banner is there when it first starts up
> with Google as the home page, but when I use a bookmark to go to another
> page it goes away. No issues elsewhere - banking is OK. Using it now.
> 
> Since Google says this CVE is being exploited in the wild, and the banner
> doesn't seem to do any harm, I'm thinking we should send this update on and
> let Christian investigate and address the banner issue in the next update.
> 
> Any objections?

Not for me; we can fix the API key in another release.

Keywords: (none) => advisory

Comment 12 christian barranco 2024-05-27 20:38:52 CEST
(In reply to katnatek from comment #11)
> (In reply to Thomas Andrews from comment #10)
> > Updated on my production install. Banner is there when it first starts up
> > with Google as the home page, but when I use a bookmark to go to another
> > page it goes away. No issues elsewhere - banking is OK. Using it now.
> > 
> > Since Google says this CVE is being exploited in the wild, and the banner
> > doesn't seem to do any harm, I'm thinking we should send this update on and
> > let Christian investigate and address the banner issue in the next update.
> > 
> > Any objections?
> 
> Not for me; we can fix the API key in another release.

Agree. I have an idea for the warning but I need to test it first.
Comment 13 Thomas Andrews 2024-05-27 21:16:55 CEST
Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2024-05-27 23:11:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0196.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 15 Morgan Leijström 2024-05-28 10:59:56 CEST
Good here too, same tests and results as earlier versions on two systems.
Getting tired of the release frequency, but what can we do...
