Bug 34156 - chromium-browser-stable new security issues CVE-2025-306[6-9], CVE-2025-307[0-4]
Summary: chromium-browser-stable new security issues CVE-2025-306[6-9], CVE-2025-307[0-4]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-04-02 09:20 CEST by Nicolas Salguero
Modified: 2025-04-18 09:05 CEST

See Also:
Source RPM: chromium-browser-stable-134.0.6998.117-1.mga9.tainted.src.rpm
CVE: CVE-2025-3066, CVE-2025-3067, CVE-2025-3068, CVE-2025-3069, CVE-2025-3070, CVE-2025-3071, CVE-2025-3072, CVE-2025-3073, CVE-2025-3074
Status comment:



Description Nicolas Salguero 2025-04-02 09:20:19 CEST
Upstream has issued an advisory on April 1:
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop.html
Nicolas Salguero 2025-04-02 09:22:06 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => chromium-browser-stable-134.0.6998.117-1.mga10.tainted.src.rpm, chromium-browser-stable-134.0.6998.117-1.mga9.tainted.src.rpm
Status comment: (none) => Fixed upstream in 135.0.7049.52
CVE: (none) => CVE-2025-3066, CVE-2025-3067, CVE-2025-3068, CVE-2025-3069, CVE-2025-3070, CVE-2025-3071, CVE-2025-3072, CVE-2025-3073, CVE-2025-3074

Comment 1 Lewis Smith 2025-04-04 09:35:51 CEST
Assigning to you, Nicolas, as you maintain this package, and indeed updated it just 2w ago!

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2025-04-04 10:20:57 CEST

Assignee: nicolas.salguero => cjw

Comment 2 Nicolas Salguero 2025-04-09 15:41:41 CEST
Upstream has issued an advisory on April 8:
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_8.html

Status comment: Fixed upstream in 135.0.7049.52 => Fixed upstream in 135.0.7049.84

Comment 3 Nicolas Salguero 2025-04-13 09:11:25 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use after free in Site Isolation. (CVE-2025-3066)

Inappropriate implementation in Custom Tabs. (CVE-2025-3067)

Inappropriate implementation in Intents. (CVE-2025-3068)

Inappropriate implementation in Extensions. (CVE-2025-3069)

Insufficient validation of untrusted input in Extensions. (CVE-2025-3070)

Inappropriate implementation in Navigations. (CVE-2025-3071)

Inappropriate implementation in Custom Tabs. (CVE-2025-3072)

Inappropriate implementation in Autofill. (CVE-2025-3073)

Inappropriate implementation in Downloads. (CVE-2025-3074)

References:
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_8.html
========================

Updated packages in tainted/updates_testing:
========================
chromium-browser-134.0.6998.165-1.mga9.tainted
chromium-browser-stable-134.0.6998.165-1.mga9.tainted

from SRPM:
chromium-browser-stable-134.0.6998.165-1.mga9.tainted.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 135.0.7049.84 => (none)
Source RPM: chromium-browser-stable-134.0.6998.117-1.mga10.tainted.src.rpm, chromium-browser-stable-134.0.6998.117-1.mga9.tainted.src.rpm => chromium-browser-stable-134.0.6998.117-1.mga9.tainted.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: cjw => qa-bugs

Comment 4 katnatek 2025-04-13 21:30:48 CEST
RH x86_64
installing chromium-browser-stable-134.0.6998.165-1.mga9.tainted.x86_64.rpm from //home/katnatek/qa-testing/x86_64                   
Preparing...                     ##################################################################################################
      1/1: chromium-browser-stable
                                 ##################################################################################################
      1/1: removing chromium-browser-stable-134.0.6998.117-1.mga9.tainted.x86_64
                                 ##################################################################################################

Webcam on zoom test page OK
mail.com OK
Youtube OK
Regular sites OK

The usual messages in terminal
katnatek 2025-04-13 22:41:01 CEST

Keywords: (none) => advisory

Comment 5 Herman Viaene 2025-04-14 17:37:55 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Youtube and usual sites OK.

CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2025-04-15 19:48:25 CEST
MGA9-64 Plasma. No installation issues.

I don't use Chromium much, but my bank seems to like it, and I have one seed company that wants it for online ordering. Both sites seem to be good with this version.

CC: (none) => andrewsfarm

Comment 7 Brian Rockwell 2025-04-17 03:52:58 CEST
MGA9-64, Xfce, retired Chromebook

Installed no issues


Used for a little while. Only issue was with Mageia madb. I guess the website is getting attacked.

CC: (none) => brtians1

Comment 8 Thomas Andrews 2025-04-17 22:39:50 CEST
Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2025-04-18 01:35:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0137.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 10 Morgan Leijström 2025-04-18 09:05:44 CEST
Working in my tests too.

CC: (none) => fri

