MGASA-2023-0283 - Updated chromium-browser-stable package fixes bugs and vulnerabilities

Publication date: 03 Oct 2023
URL: https://advisories.mageia.org/MGASA-2023-0283.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-4863,
     CVE-2023-4900,
     CVE-2023-4901,
     CVE-2023-4902,
     CVE-2023-4903,
     CVE-2023-4904,
     CVE-2023-4905,
     CVE-2023-4906,
     CVE-2023-4907,
     CVE-2023-4908,
     CVE-2023-4909,
     CVE-2023-4863,
     CVE-2023-4761,
     CVE-2023-4762,
     CVE-2023-4763,
     CVE-2023-4764,
     CVE-2023-5186,
     CVE-2023-5187,
     CVE-2023-5217

The chromium-browser-stable package has been updated to the 117.0.5938.92
release, fixing bugs and 31 vulnerabilities, together with 117.0.5938.92,
117.0.5938.88, 117.0.5938.62, 116.0.5845.187 and 116.0.5845.179.

Google is aware that an exploit for CVE-2023-5217 exists in the wild.

High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx.
Reported by Clément Lecigne of Google's Threat Analysis Group on
2023-09-25

High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car]
on 2023-09-05

High CVE-2023-5187: Use after free in Extensions. Reported by
Thomas Orlita on 2023-08-25

Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple
Security Engineering and Architecture (SEAR) and The Citizen Lab at The
University of Torontoʼs Munk School on 2023-09-06

Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs.
Reported by Levit Nudi from Kenya on 2023-04-06

Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported
by Kang Ali on 2023-06-29

Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by
Axel Chong on 2023-06-14

Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs.
Reported by Ahmed ElMasry on 2023-05-18

Medium CVE-2023-4904: Insufficient policy enforcement in Downloads.
Reported by Tudor Enache @tudorhacks on 2023-06-09

Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported
by Hafiizh on 2023-04-29

Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported
by Ahmed ElMasry on 2023-05-30

Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by
Mohit Raj (shadow2639)  on 2023-07-04

Low CVE-2023-4908: Inappropriate implementation in Picture in Picture.
Reported by Axel Chong on 2023-06-06

Low CVE-2023-4909: Inappropriate implementation in Interstitials.
Reported by Axel Chong on 2023-07-09

Critical CVE-2023-4863: Heap buffer overflow in WebP

High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by
DarkNavy on 2023-08-28

High CVE-2023-4762: Type Confusion in V8. Reported by anonymous on
2023-08-16

High CVE-2023-4763: Use after free in Networks. Reported by anonymous
on 2023-08-03

High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan
Kurniawan (sourc7) on 2023-05-20

References:
- https://bugs.mageia.org/show_bug.cgi?id=32317
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_21.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_15.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4900
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4901
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4902
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4903
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4904
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4905
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4906
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4908
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4909
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4761
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4764
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5186
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5187
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217

SRPMS:
- 9/tainted/chromium-browser-stable-117.0.5938.132-1.mga9.tainted

Mageia 2023-0283: chromium-browser-stable security update

The chromium-browser-stable package has been updated to the 117.0.5938.92 release, fixing bugs and 31 vulnerabilities, together with 117.0.5938.92, 117.0.5938.88, 117.0.5938.62, 11...

Summary

The chromium-browser-stable package has been updated to the 117.0.5938.92 release, fixing bugs and 31 vulnerabilities, together with 117.0.5938.92, 117.0.5938.88, 117.0.5938.62, 116.0.5845.187 and 116.0.5845.179.
Google is aware that an exploit for CVE-2023-5217 exists in the wild.
High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06
Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang ...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=32317

- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_21.html

- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_15.html

- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html

- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4900

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4901

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4902

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4903

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4904

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4905

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4906

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4907

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4908

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4909

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4761

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4762

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4763

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4764

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5186

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5187

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217

Resolution

MGASA-2023-0283 - Updated chromium-browser-stable package fixes bugs and vulnerabilities

SRPMS

- 9/tainted/chromium-browser-stable-117.0.5938.132-1.mga9.tainted

Severity
Publication date: 03 Oct 2023
URL: https://advisories.mageia.org/MGASA-2023-0283.html
Type: security
CVE: CVE-2023-4863, CVE-2023-4900, CVE-2023-4901, CVE-2023-4902, CVE-2023-4903, CVE-2023-4904, CVE-2023-4905, CVE-2023-4906, CVE-2023-4907, CVE-2023-4908, CVE-2023-4909, CVE-2023-4863, CVE-2023-4761, CVE-2023-4762, CVE-2023-4763, CVE-2023-4764, CVE-2023-5186, CVE-2023-5187, CVE-2023-5217

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved