Bug 33443 - chromium-browser-stable CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-9], CVE-2024-797[0-9], CVE-2024-798[0-5], CVE-2024-819[348], CVE-2024-8362, CVE-2024-912[0-3]
Summary: chromium-browser-stable CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-70...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: x86_64 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-07-28 17:02 CEST by Nicolas Salguero
Modified: 2024-10-28 02:50 CET
CC List: 6 users

See Also:
Source RPM: chromium-browser-stable-126.0.6478.182-1.mga9.tainted.src.rpm
CVE: CVE-2024-6988, CVE-2024-6989, CVE-2024-6991, CVE-2024-6994, CVE-2024-6995, CVE-2024-6996, CVE-2024-6997, CVE-2024-6998, CVE-2024-6999, CVE-2024-7000, CVE-2024-7001, CVE-2024-7003, CVE-2024-7004, CVE-2024-7005
Status comment: Fixed upstream in 129.0.6668.70


Description Nicolas Salguero 2024-07-28 17:02:00 CEST
Upstream has issued an advisory on July 23:
https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html

Nicolas Salguero 2024-07-28 17:03:47 CEST

Source RPM: (none) => chromium-browser-stable-126.0.6478.182-1.mga9.tainted.src.rpm
Status comment: (none) => Fixed upstream in 127.0.6533.72
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-6988, CVE-2024-6989, CVE-2024-6991, CVE-2024-6994, CVE-2024-6995, CVE-2024-6996, CVE-2024-6997, CVE-2024-6998, CVE-2024-6999, CVE-2024-7000, CVE-2024-7001, CVE-2024-7003, CVE-2024-7004, CVE-2024-7005

Comment 1 Lewis Smith 2024-07-28 20:55:30 CEST
Assigning to squidf who normally does version updates (although I note that ns80 did the most recent).

Assignee: bugsquad => chb0

Comment 2 Morgan Leijström 2024-07-29 10:57:29 CEST
Unfortunately Christian has left for other adventures.
https://ml.mageia.org/l/arc/dev/2024-06/msg00123.html

CC: (none) => fri
Assignee: chb0 => pkg-bugs

Comment 3 Nicolas Salguero 2024-08-28 10:21:53 CEST
Upstream has issued other advisories:
https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_30.html
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_13.html
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Status comment: Fixed upstream in 127.0.6533.72 => Fixed upstream in 128.0.6613.84
Summary: chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[1456789], CVE-2024-700[01345] => chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-8], CVE-2024-797[1-9], CVE-2024-798[0-5]

katnatek 2024-08-30 19:13:54 CEST

Blocks: (none) => 33498

Comment 4 Marja Van Waes 2024-08-31 15:01:29 CEST
Re-assigning to the registered maintainer, who still pushed packages in May this year.

Assignee: pkg-bugs => cjw
CC: (none) => marja11

Comment 5 katnatek 2024-08-31 19:26:20 CEST
As the new chromium could require llvm18, I updated llvm17-suite to llvm18-suite.
Check my work in the linked report.

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33322

Comment 6 Nicolas Salguero 2024-09-02 10:14:00 CEST
Upstream has issued another advisory:
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html

Summary: chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-8], CVE-2024-797[1-9], CVE-2024-798[0-5] => chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-9], CVE-2024-797[1-9], CVE-2024-798[0-5], CVE-2024-819[348]
Severity: major => critical

Comment 7 Nicolas Salguero 2024-09-04 12:20:03 CEST
Upstream has issued another advisory:
https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop.html

Summary: chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-9], CVE-2024-797[1-9], CVE-2024-798[0-5], CVE-2024-819[348] => chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-9], CVE-2024-797[0-9], CVE-2024-798[0-5], CVE-2024-819[348], CVE-2024-8362

Comment 8 Nicolas Salguero 2024-09-18 09:21:34 CEST
Upstream has issued other advisories:
https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_10.html (CVE-2024-863[6-9])
https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html (CVE-2024-890[4-9])

Nicolas Salguero 2024-09-19 10:52:05 CEST

Status comment: Fixed upstream in 128.0.6613.84 => Fixed upstream in 129.0.6668.58

Comment 9 Morgan Leijström 2024-09-19 14:27:11 CEST
I pinged the bug for llvm18: bug 33322 comment 8

Comment 10 Christiaan Welvaart 2024-09-20 13:01:52 CEST
I committed 128.0.6613.137 in svn, and locally I have fixes applied to this M128 package for all security issues listed in the M129 update except one of the 3 that do not have a CVE - chromium bug 296138376, which from what I can tell is not about the browser.

I did not see any issues with llvm17, the biggest problem was that (after updating to the new chromium version) the build used a rust 'bindgen' binary from the chromium source bundle, while the chromium build scripts use an option that is not available in the mga9 bindgen.

Status: NEW => ASSIGNED

katnatek 2024-09-23 20:52:32 CEST

Depends on: (none) => 33322

Comment 11 Nicolas Salguero 2024-09-27 09:20:18 CEST
Upstream has issued another advisory:
https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_24.html

Summary: chromium-browser-stable new security issues CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-9], CVE-2024-797[0-9], CVE-2024-798[0-5], CVE-2024-819[348], CVE-2024-8362 => chromium-browser-stable CVE-2024-698[89], CVE-2024-699[01456789], CVE-2024-700[01345], CVE-2024-725[56], CVE-2024-753[2-6], CVE-2024-7550, CVE-2024-796[4-9], CVE-2024-797[0-9], CVE-2024-798[0-5], CVE-2024-819[348], CVE-2024-8362, CVE-2024-912[0-3]

Nicolas Salguero 2024-09-27 10:15:05 CEST

Status comment: Fixed upstream in 129.0.6668.58 => Fixed upstream in 129.0.6668.70

Comment 12 Christiaan Welvaart 2024-09-30 20:51:08 CEST
Updated packages are available for testing.

Note that this version "128" package contains patches for security issues fixed in upstream releases 129.0.6668.58 and 129.0.6668.70. A fix for CVE-2024-9120 is not included as it seems to be MS Windows specific.


Source RPM: chromium-browser-stable-128.0.6613.137-1.mga9.tainted.src.rpm

Binary RPMs:

x86_64:
chromium-browser-128.0.6613.137-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-128.0.6613.137-1.mga9.tainted.x86_64.rpm


proposed advisory:


Updated chromium-browser-stable packages fix security vulnerabilities


Use after free in Downloads. (CVE-2024-6988)
Use after free in Loader. (CVE-2024-6989)
Use after free in Dawn. (CVE-2024-6991)
Heap buffer overflow in Layout. (CVE-2024-6994)
Inappropriate implementation in Fullscreen. (CVE-2024-6995)
Race in Frames. (CVE-2024-6996)
Use after free in Tabs. (CVE-2024-6997)
Use after free in User Education. (CVE-2024-6998)
Inappropriate implementation in FedCM. (CVE-2024-6999)
Use after free in CSS. (CVE-2024-7000)
Inappropriate implementation in HTML. (CVE-2024-7001)
Inappropriate implementation in FedCM. (CVE-2024-7003)
Insufficient validation of untrusted input in Safe Browsing. (CVE-2024-7004)
Insufficient validation of untrusted input in Safe Browsing. (CVE-2024-7005)
Uninitialized Use in Dawn. (CVE-2024-6990)
Out of bounds read in WebTransport. (CVE-2024-7255)
Insufficient data validation in Dawn. (CVE-2024-7256)
Out of bounds memory access in ANGLE. (CVE-2024-7532)
Use after free in Sharing. (CVE-2024-7533)
Type Confusion in V8. (CVE-2024-7550)
Heap buffer overflow in Layout. (CVE-2024-7534)
Inappropriate implementation in V8. (CVE-2024-7535)
Use after free in WebAudio. (CVE-2024-7536)
Use after free in Passwords. (CVE-2024-7964)
Inappropriate implementation in V8. (CVE-2024-7965)
Out of bounds memory access in Skia. (CVE-2024-7966)
Heap buffer overflow in Fonts. (CVE-2024-7967)
Use after free in Autofill. (CVE-2024-7968)
Type confusion in V8. (CVE-2024-7971)
Inappropriate implementation in V8. (CVE-2024-7972)
Heap buffer overflow in PDFium. (CVE-2024-7973)
Insufficient data validation in V8 API. (CVE-2024-7974)
Inappropriate implementation in Permissions. (CVE-2024-7975)
Inappropriate implementation in FedCM. (CVE-2024-7976)
Insufficient data validation in Installer. (CVE-2024-7977)
Insufficient policy enforcement in Data Transfer. (CVE-2024-7978)
Insufficient data validation in Installer. (CVE-2024-7979)
Insufficient data validation in Installer. (CVE-2024-7980)
Inappropriate implementation in Views. (CVE-2024-7981)
Inappropriate implementation in WebApp Installs. (CVE-2024-8033)
Inappropriate implementation in Custom Tabs. (CVE-2024-8034)
Inappropriate implementation in Extensions. (CVE-2024-8035)
Type Confusion in V8. (CVE-2024-7969)
Heap buffer overflow in Skia. (CVE-2024-8193)
Type Confusion in V8. (CVE-2024-8194)
Heap buffer overflow in Skia. (CVE-2024-8198)
Use after free in WebAudio. (CVE-2024-8362)
Out of bounds write in V8. (CVE-2024-7970)
Heap buffer overflow in Skia. (CVE-2024-8636)
Use after free in Media Router. (CVE-2024-8637)
Type Confusion in V8. (CVE-2024-8638)
Use after free in Autofill. (CVE-2024-8639)
Type Confusion in V8. (CVE-2024-8904)
Inappropriate implementation in V8. (CVE-2024-8905)
Incorrect security UI in Downloads. (CVE-2024-8906)
Insufficient data validation in Omnibox. (CVE-2024-8907)
Inappropriate implementation in Autofill. (CVE-2024-8908)
Inappropriate implementation in UI. (CVE-2024-8909)
Inappropriate implementation in V8. (CVE-2024-9121)
Type Confusion in V8. (CVE-2024-9122)
Integer overflow in Skia. (CVE-2024-9123)

Christiaan Welvaart 2024-09-30 21:59:33 CEST

CC: (none) => cjw
Assignee: cjw => qa-bugs

Comment 13 Morgan Leijström 2024-10-01 14:28:29 CEST
mga9-64 OK here
Plasma, intel CPU, 4K screen, AMD GPU

Tested some banking sites, tax office, shops, video sites, saving file, opening pdf, printing to network printer and boomaga.



In the terminal from where I launched chromium it transmits some error messages, see below, duplicates removed:

Gtk-Message: 09:24:15.820: Failed to load module "appmenu-gtk-module": 'gtk_module_display_init': /usr/lib64/gtk-3.0/modules/libwindow-decorations-gtk-module.so: undefined symbol: gtk_module_display_init

[220115:220139:1001/093720.631635:ERROR:registration_request.cc(291)] Registration response error message: DEPRECATED_ENDPOINT

[220115:220115:1001/093910.395940:ERROR:atom_cache.cc(230)] Add chromium/from-privileged to kAtomsToCache

libpng warning: iCCP: known incorrect sRGB profile

Warning: disabling flag --expose_wasm due to conflicting flags

[220166:220166:1001/103002.799178:ERROR:shared_image_manager.cc(224)] SharedImageManager::ProduceSkia: Trying to Produce a Skia representation from a non-existent mailbox.

Warning: disabling flag --expose_wasm due to conflicting flags

[220115:220139:1001/103927.597523:ERROR:mcs_client.cc(749)] Received close command, resetting connection.

[220168:220174:1001/111805.676871:ERROR:socket_manager.cc(147)] Failed to resolve address for aa.online-metrix.net., errorcode: -105

[231696:14:1001/111805.714312:ERROR:stun_port.cc(81)] Binding error response: class=4 number=1 reason=Unauthorized

[220168:220174:1001/111809.581957:ERROR:socket_manager.cc(147)] Failed to resolve address for eu-aa.online-metrix.net., errorcode: -105

katnatek 2024-10-01 20:02:34 CEST

Depends on: 33322 => (none)
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory

katnatek 2024-10-01 20:17:57 CEST

Version: Cauldron => 9

Comment 14 katnatek 2024-10-01 20:47:37 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update 
adding 2 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing chromium-browser-stable-128.0.6613.137-1.mga9.tainted.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################

chromium-browser 
WARNING: radv is not a conformant Vulkan implementation, testing use only.
[OpenH264] this = 0x0x29d0026b7b10, Warning:bEnableFrameSkip = 0,bitrate can't be controlled for RC_QUALITY_MODE,RC_BITRATE_MODE and RC_TIMESTAMP_MODE without enabling skip frame.
[51288:20:1001/124404.503171:ERROR:sdp_offer_answer.cc(424)] A BUNDLE group contains a codec collision for payload_type='111. All codecs must share the same type, encoding name, clock rate and parameters. (INVALID_PARAMETER)
[51288:20:1001/124404.622783:ERROR:sdp_offer_answer.cc(424)] A BUNDLE group contains a codec collision for payload_type='111. All codecs must share the same type, encoding name, clock rate and parameters. (INVALID_PARAMETER)
[51288:21:1001/124414.578157:ERROR:dcsctp_transport.cc(510)] DcSctpTransport2->OnError(error=WRONG_SEQUENCE, message=Can't reset streams as the socket is not connected).
[51288:21:1001/124417.812335:ERROR:dtls_transport.cc(136)] DtlsTransport in connected state has incomplete TLS information
[51288:21:1001/124417.812544:ERROR:dtls_srtp_transport.cc(217)] No DTLS-SRTP selected crypto suite
libpng warning: iCCP: known incorrect sRGB profile (x 4)
Fontconfig error: Cannot load default config file: No such file: (null)
      1/1: chromium-browser-stable
                                 ##################################################################################################
      1/1: removing chromium-browser-stable-126.0.6478.182-1.mga9.tainted.x86_64
                                 ##################################################################################################

youtube OK
zoom test OK
mail.com OK


Looks like some warnings are hardware dependent

Comment 15 Thomas Andrews 2024-10-02 02:14:40 CEST
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics (nvidia-current).

No installation issues. All I ever do with Chromium is my banking, as my bank's web site seems to trust it more than Firefox. I logged into my online banking, looked at a few things, all went well.

CC: (none) => andrewsfarm

Comment 16 Brian Rockwell 2024-10-02 16:51:24 CEST
MGA9-64, Xfce, Celeron N2840, Chromebook


$ chromium-browser -version
Chromium 128.0.6613.137 Mageia.Org 9


I've used this on several major and a couple of minor sites.  It is working as I would expect it.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => brtians1

Comment 17 Thomas Andrews 2024-10-02 18:29:46 CEST
MGA9-64 Plasma, HP Pavilion, A8-4555, HD 7600G graphics.

No installation issues. Tried a few sites:

National Hurricane Center predicts that Hurricane Kirk will stay out to sea.
Climate Prediction Center predicts the next 8-14 days will have near normal temperatures.
WSYR TV radar says it's raining here, confirmed by looking out the window.
This bug report is functioning normally.

Several good tests, no bad ones. With the long list of CVEs, this needs to go out.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2024-10-04 07:27:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0321.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

katnatek 2024-10-28 02:50:43 CET

Blocks: 33498 => (none)

