Bug 34012 - chromium-browser-stable new security issues CVE-2025-044[45], CVE-2025-0451, CVE-2025-099[5-9], CVE-2025-1426, CVE-2025-1006, CVE-2025-191[4-9], CVE-2025-192[1-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-02-12 09:36 CET by Nicolas Salguero
Modified: 2025-03-08 04:30 CET

See Also:
Source RPM: chromium-browser-stable-132.0.6834.159-1.mga9.tainted.src.rpm
CVE: CVE-2025-0444, CVE-2025-0445, CVE-2025-0451, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0998, CVE-2025-0999, CVE-2025-1426, CVE-2025-1006, CVE-2025-1914, CVE-2025-1915, CVE-2025-1916, CVE-2025-1917, CVE-2025-1918, CVE-2025-1919, CVE-2025-1921, CVE-2025-1922
Status comment: Need to be built for Cauldron too



Description Nicolas Salguero 2025-02-12 09:36:44 CET
Upstream has issued an advisory on February 4:
https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop.html
Nicolas Salguero 2025-02-12 09:38:22 CET

CVE: (none) => CVE-2025-0444, CVE-2025-0445, CVE-2025-0451
Status comment: (none) => Fixed upstream in 133.0.6943.53
Source RPM: (none) => chromium-browser-stable-132.0.6834.159-1.mga9.tainted.src.rpm
Whiteboard: (none) => MGA9TOO

Morgan Leijström 2025-02-12 10:09:20 CET

CC: (none) => fri

Comment 1 Lewis Smith 2025-02-12 21:01:48 CET
Assigning to you, Nicolas, as you maintain this package. It is only a few days since you put up the current version!

Assignee: bugsquad => nicolas.salguero

Comment 2 Morgan Leijström 2025-02-13 01:16:57 CET
Yes, the very frequent security advisories are a reason we ponder dropping Chromium...
Comment 3 Nicolas Salguero 2025-02-13 09:31:18 CET
(In reply to Lewis Smith from comment #1)
> Assigning to you, Nicolas, as you maintain this package. It is only a few
> days since you put up the current version!

As I said in bug 33498, I can only push new versions, when the major number does not change, to fix security issues, but Christiaan knows far far better than me about chromium.

Assignee: nicolas.salguero => cjw

Comment 4 Nicolas Salguero 2025-02-13 09:32:46 CET
Upstream has issued an advisory on February 12:
https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_12.html

Status comment: Fixed upstream in 133.0.6943.53 => Fixed upstream in 133.0.6943.98
CVE: CVE-2025-0444, CVE-2025-0445, CVE-2025-0451 => CVE-2025-0444, CVE-2025-0445, CVE-2025-0451, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0998
Summary: chromium-browser-stable new security issues CVE-2025-044[45] and CVE-2025-0451 => chromium-browser-stable new security issues CVE-2025-044[45], CVE-2025-0451 and CVE-2025-099[5-8]

Comment 5 Nicolas Salguero 2025-02-24 10:32:12 CET
Upstream has issued an advisory on February 18:
https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html

Status comment: Fixed upstream in 133.0.6943.98 => Fixed upstream in 133.0.6943.126
Summary: chromium-browser-stable new security issues CVE-2025-044[45], CVE-2025-0451 and CVE-2025-099[5-8] => chromium-browser-stable new security issues CVE-2025-044[45], CVE-2025-0451, CVE-2025-099[5-9], CVE-2025-1426 and CVE-2025-1006
CVE: CVE-2025-0444, CVE-2025-0445, CVE-2025-0451, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0998 => CVE-2025-0444, CVE-2025-0445, CVE-2025-0451, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0998, CVE-2025-0999, CVE-2025-1426, CVE-2025-1006

Comment 6 Nicolas Salguero 2025-02-26 16:44:17 CET
Upstream has issued an advisory on February 25:
https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_25.html
Nicolas Salguero 2025-02-26 16:44:28 CET

Status comment: Fixed upstream in 133.0.6943.126 => Fixed upstream in 133.0.6943.141

Comment 7 Nicolas Salguero 2025-03-05 09:50:59 CET
Upstream has issued an advisory on March 4:
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html

Status comment: Fixed upstream in 133.0.6943.141 => Fixed upstream in 134.0.6998.35
Summary: chromium-browser-stable new security issues CVE-2025-044[45], CVE-2025-0451, CVE-2025-099[5-9], CVE-2025-1426 and CVE-2025-1006 => chromium-browser-stable new security issues CVE-2025-044[45], CVE-2025-0451, CVE-2025-099[5-9], CVE-2025-1426, CVE-2025-1006, CVE-2025-191[4-9], CVE-2025-192[1-3]
CVE: CVE-2025-0444, CVE-2025-0445, CVE-2025-0451, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0998, CVE-2025-0999, CVE-2025-1426, CVE-2025-1006 => CVE-2025-0444, CVE-2025-0445, CVE-2025-0451, CVE-2025-0995, CVE-2025-0996, CVE-2025-0997, CVE-2025-0998, CVE-2025-0999, CVE-2025-1426, CVE-2025-1006, CVE-2025-1914, CVE-2025-1915, CVE-2025-1916, CVE-2025-1917, CVE-2025-1918, CVE-2025-1919, CVE-2025-1921, CVE-2025-1922

Comment 8 Morgan Leijström 2025-03-06 12:17:13 CET
Thank you Christiaan

mga9-64 OK for me

Updated to
- chromium-browser-134.0.6998.35-1.mga9.tainted.x86_64
- chromium-browser-stable-134.0.6998.35-1.mga9.tainted.x86_64

Tried some banking sites, shops, video sites

No regression noted.

As reported for previous versions, this also emits messages in the terminal from which it was launched, like:

[morgan@svarten ~]$ chromium-browser 
Gtk-Message: 11:28:46.102: Failed to load module "appmenu-gtk-module": 'gtk_module_display_init': /usr/lib64/gtk-3.0/modules/libwindow-decorations-gtk-module.so: undefined symbol: gtk_module_display_init
[24797:24797:0306/112850.899703:ERROR:request.cc(169)] Request ended (non-user cancelled).
Fontconfig error: Cannot load default config file: No such file: (null)
[24797:26363:0306/112855.262061:ERROR:registration_request.cc(291)] Registration response error message: DEPRECATED_ENDPOINT
libpng warning: iCCP: known incorrect sRGB profile
[24797:26363:0306/112919.813233:ERROR:registration_request.cc(291)] Registration response error message: DEPRECATED_ENDPOINT
*** stack smashing detected ***: terminated
*** stack smashing detected ***: terminated
...
libpng warning: iCCP: known incorrect sRGB profile

...
[34255:34255:0306/114158.835329:ERROR:shared_image_manager.cc(401)] SharedImageManager::ProduceSkia: Trying to Produce a Skia representation from a non-existent mailbox.
...
[34255:34318:0306/115324.393820:ERROR:x11_software_bitmap_presenter.cc(150)] XGetWindowAttributes failed for window 50331739


---

[morgan@svarten ~]$ inxi -SMCG
System:
  Host: svarten.tribun Kernel: 6.6.79-desktop-1.mga9 arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 5.27.10 Distro: Mageia 9
Machine:
  Type: Desktop Mobo: ASRock model: P55 Pro serial: <superuser required>
    BIOS: American Megatrends v: P2.60 date: 08/20/2010
CPU:
  Info: quad core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 3213 min/max: 1200/2934 cores: 1: 3213 2: 3213 3: 3213
    4: 3213 5: 3213 6: 3213 7: 3213 8: 3213
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 24 [Radeon RX 6400/6500
    XT/6500M] driver: amdgpu v: kernel
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: amdgpu,v4l dri: radeonsi gpu: amdgpu resolution: 3840x2160~60Hz
  API: EGL v: 1.5 drivers: kms_swrast,radeonsi,swrast
    platforms: gbm,x11,surfaceless,device
  API: OpenGL v: 4.6 vendor: amd mesa v: 24.3.4 renderer: AMD Radeon RX
    6400 (radeonsi navi24 LLVM 15.0.6 DRM 3.54 6.6.79-desktop-1.mga9)

Assignee: cjw => qa-bugs
CC: (none) => cjw
Status comment: Fixed upstream in 134.0.6998.35 => Need to be built for Cauldron too

Comment 9 katnatek 2025-03-06 17:29:25 CET
Packages

x86_64:
chromium-browser-134.0.6998.35-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-134.0.6998.35-1.mga9.tainted.x86_64.rpm

SRPM:
chromium-browser-stable-134.0.6998.35-1.mga9.tainted.src.rpm
katnatek 2025-03-06 17:44:33 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33498

katnatek 2025-03-06 17:46:03 CET

Keywords: (none) => advisory

Comment 10 Thomas Andrews 2025-03-06 18:20:21 CET
MGA9-64 Plasma. No installation issues.

Tried a variety of sites, including my bank, Youtube, a vegetable seed company that requires Chrome/Chromium, US National Weather Service local weather forecast, Climate prediction Center long range forecasts. No issues to report.

CC: (none) => andrewsfarm

Comment 11 katnatek 2025-03-06 18:40:29 CET
RH x86_64


Test with bug#34063 but this chromium-browser-stable version does not require that lib :P

installing chromium-browser-stable-134.0.6998.35-1.mga9.tainted.x86_64.rpm lib64event7-2.1.12-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64event7           ##################################################################################################
      2/2: chromium-browser-stable
                                 ##################################################################################################
      1/2: removing lib64event7-2.1.12-4.mga9.x86_64
                                 ##################################################################################################
      2/2: removing chromium-browser-stable-132.0.6834.159-1.mga9.tainted.x86_64
                                 ##################################################################################################

Webcam on zoom test page (https://zoom.us/test) OK
Youtube OK
Facebook OK
mail.com OK
Comment 12 Herman Viaene 2025-03-07 10:30:30 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
No problems found.

CC: (none) => herman.viaene

Comment 13 Brian Rockwell 2025-03-07 16:29:20 CET
MGA9-64, AMD Ryzen 5 2600, Nvidia 1650 super, GNOME, virtualbox host

The following 2 packages are going to be installed:

- chromium-browser-134.0.6998.35-1.mga9.tainted.x86_64
- chromium-browser-stable-134.0.6998.35-1.mga9.tainted.x86_64

12MB of additional disk space will be used.


---

mail, youtube, etc.

works for me


----

Also installed this on my converted Chromebook last night and it worked fine.

I'm giving this the go.

Whiteboard: MGA9TOO => MGA9TOO MGA9-64-OK
CC: (none) => brtians1

Comment 14 Thomas Andrews 2025-03-08 03:35:36 CET
Worked OK on my HP Pavilion, as well.

Validating for MGA9.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2025-03-08 04:30:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0091.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

