Updated chromium-browser-stable package fixes bugs and vulnerabilities
Publication date: 03 Oct 2023
Modification date: 03 Oct 2023
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-4863, CVE-2023-4900, CVE-2023-4901, CVE-2023-4902, CVE-2023-4903, CVE-2023-4904, CVE-2023-4905, CVE-2023-4906, CVE-2023-4907, CVE-2023-4908, CVE-2023-4909, CVE-2023-4761, CVE-2023-4762, CVE-2023-4763, CVE-2023-4764, CVE-2023-5186, CVE-2023-5187, CVE-2023-5217
Description
The chromium-browser-stable package has been updated to the 117.0.5938.92 release, fixing bugs and 31 vulnerabilities, together with 117.0.5938.92, 117.0.5938.88, 117.0.5938.62, 116.0.5845.187 and 116.0.5845.179.
Google is aware that an exploit for CVE-2023-5217 exists in the wild.
- High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
- High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
- High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
- Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on 2023-09-06
- Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
- Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
- Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
- Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
- Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
- Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
- Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
- Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
- Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
- Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
- Critical CVE-2023-4863: Heap buffer overflow in WebP
- High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28
- High CVE-2023-4762: Type Confusion in V8. Reported by anonymous on 2023-08-16
- High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03
- High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20
References
- https://bugs.mageia.org/show_bug.cgi?id=32317
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_21.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_15.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4900
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4901
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4902
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4903
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4904
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4905
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4906
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4908
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4909
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4761
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4764
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5186
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5187
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217
SRPMS
9/tainted
- chromium-browser-stable-117.0.5938.132-1.mga9.tainted