Bug 1220131

Summary: VUL-0: chromium,ungoogled-chromium: multiple vulnerabilities fixed in 122.0.6261.57
Product: [openSUSE] openSUSE Tumbleweed Reporter: Thomas Leroy <thomas.leroy>
Component: SecurityAssignee: Callum Farmer <gmbr3>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: Andreas.Stieger, m.szczepaniak.000
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2024-02-21 08:24:40 UTC 
The Chrome team is delighted to announce the promotion of Chrome 122 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 122.0.6261.57 (Linux and Mac), 122.0.6261.57/.58( Windows) contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 122.
The Extended Stable channel has been updated to 122.0.6261.57 for Windows and 122.0.6261.57 for Mac, which will roll out over the coming days/weeks.
Security Fixes and Rewards


High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26

High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06

Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03

Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19

Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11

Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27

Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21

[Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21


https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html
Comment 1 Andreas Stieger 2024-02-21 11:11:48 UTC 
Calum, we did not get 121 to build. This package is tedious work, takes forever to iterate on, so we don't seem to be able to keep up. What do you think, is this just too big to keep in the distribution - should we drop it and recommend the Chrome binary or flatpaks?
Comment 2 Michał Szczepaniak 2024-02-21 13:28:22 UTC 
If I can chip in my 5 cents, I really would prefer we keep maintaining it even if its a bit behind. Don't need to update every release.
Comment 3 Callum Farmer 2024-02-22 12:31:45 UTC 
It's getting near unmaintainable but IMHO not there yet. With the changed Chromium release cycle (x2 speed) I'm hoping to get it done before 123, may have some time to contribute over the next couple days.
Comment 4 Callum Farmer 2024-03-08 13:24:05 UTC 
Chromium can't be updated in 15.5, rust forces LLVM 17
Comment 5 OBSbugzilla Bot 2024-03-09 19:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1220131) was mentioned in
https://build.opensuse.org/request/show/1156639 Factory / chromium
Comment 6 OBSbugzilla Bot 2024-03-10 21:35:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1220131) was mentioned in
https://build.opensuse.org/request/show/1156764 Factory / ungoogled-chromium
Comment 7 OBSbugzilla Bot 2024-03-12 09:55:49 UTC 
This is an autogenerated message for OBS integration:
This bug (1220131) was mentioned in
https://build.opensuse.org/request/show/1157120 Backports:SLE-15-SP5 / chromium
Comment 8 OBSbugzilla Bot 2024-03-13 13:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1220131) was mentioned in
https://build.opensuse.org/request/show/1157505 Backports:SLE-15-SP5 / chromium
Comment 9 Marcus Meissner 2024-03-18 10:57:16 UTC 
released
Comment 10 Marcus Meissner 2024-03-18 11:04:53 UTC 
openSUSE-SU-2024:0084-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1220131,1220604,1221105,1221335
CVE References: CVE-2024-1669,CVE-2024-1670,CVE-2024-1671,CVE-2024-1672,CVE-2024-1673,CVE-2024-1674,CVE-2024-1675,CVE-2024-1676,CVE-2024-2173,CVE-2024-2174,CVE-2024-2176,CVE-2024-2400
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    chromium-122.0.6261.128-bp155.2.75.1, llvm17-17.0.6-bp155.2.2