Security
Headlines
HeadlinesLatestCVEs

Headline

Gentoo Linux Security Advisory 202209-23

Gentoo Linux Security Advisory 202209-23 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 105.0.5195.125 are affected.

Packet Storm
#vulnerability#web#mac#google#microsoft#linux#rce#chrome

Gentoo Linux Security Advisory GLSA 202209-23


                                       https://security.gentoo.org/  

Severity: High
Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Date: September 29, 2022
Bugs: #868156, #868354, #872407, #870142
ID: 202209-23


Synopsis

Multiple vulnerabilities have been found in Chromium and its
derivatives, the worst of which could result in remote code execution.

Background

Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your
devices.

Microsoft Edge is a browser that combines a minimal design with
sophisticated technology to make the web faster, safer, and easier.

Affected packages

-------------------------------------------------------------------  
 Package              /     Vulnerable     /            Unaffected  
-------------------------------------------------------------------  

1 www-client/chromium < 105.0.5195.125 >= 105.0.5195.125
2 www-client/chromium-bin < 105.0.5195.125 >= 105.0.5195.125
3 www-client/google-chrome < 105.0.5195.125 >= 105.0.5195.125
4 www-client/microsoft-edge < 105.0.1343.42 >= 105.0.1343.42

Description

Multiple vulnerabilities have been discovered in Chromium, Google
Chrome, Microsoft Edge. Please review the CVE identifiers referenced
below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All Chromium users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=www-client/chromium-105.0.5195.125”

All Chromium binary users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=www-client/chromium-bin-105.0.5195.125”

All Google Chrome users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=www-client/google-chrome-105.0.5195.125”

All Microsoft Edge users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=www-client/microsoft-edge-105.0.1343.42”

References

[ 1 ] CVE-2022-3038
https://nvd.nist.gov/vuln/detail/CVE-2022-3038
[ 2 ] CVE-2022-3039
https://nvd.nist.gov/vuln/detail/CVE-2022-3039
[ 3 ] CVE-2022-3040
https://nvd.nist.gov/vuln/detail/CVE-2022-3040
[ 4 ] CVE-2022-3041
https://nvd.nist.gov/vuln/detail/CVE-2022-3041
[ 5 ] CVE-2022-3042
https://nvd.nist.gov/vuln/detail/CVE-2022-3042
[ 6 ] CVE-2022-3043
https://nvd.nist.gov/vuln/detail/CVE-2022-3043
[ 7 ] CVE-2022-3044
https://nvd.nist.gov/vuln/detail/CVE-2022-3044
[ 8 ] CVE-2022-3045
https://nvd.nist.gov/vuln/detail/CVE-2022-3045
[ 9 ] CVE-2022-3046
https://nvd.nist.gov/vuln/detail/CVE-2022-3046
[ 10 ] CVE-2022-3047
https://nvd.nist.gov/vuln/detail/CVE-2022-3047
[ 11 ] CVE-2022-3048
https://nvd.nist.gov/vuln/detail/CVE-2022-3048
[ 12 ] CVE-2022-3049
https://nvd.nist.gov/vuln/detail/CVE-2022-3049
[ 13 ] CVE-2022-3050
https://nvd.nist.gov/vuln/detail/CVE-2022-3050
[ 14 ] CVE-2022-3051
https://nvd.nist.gov/vuln/detail/CVE-2022-3051
[ 15 ] CVE-2022-3052
https://nvd.nist.gov/vuln/detail/CVE-2022-3052
[ 16 ] CVE-2022-3053
https://nvd.nist.gov/vuln/detail/CVE-2022-3053
[ 17 ] CVE-2022-3054
https://nvd.nist.gov/vuln/detail/CVE-2022-3054
[ 18 ] CVE-2022-3055
https://nvd.nist.gov/vuln/detail/CVE-2022-3055
[ 19 ] CVE-2022-3056
https://nvd.nist.gov/vuln/detail/CVE-2022-3056
[ 20 ] CVE-2022-3057
https://nvd.nist.gov/vuln/detail/CVE-2022-3057
[ 21 ] CVE-2022-3058
https://nvd.nist.gov/vuln/detail/CVE-2022-3058
[ 22 ] CVE-2022-3071
https://nvd.nist.gov/vuln/detail/CVE-2022-3071
[ 23 ] CVE-2022-3075
https://nvd.nist.gov/vuln/detail/CVE-2022-3075
[ 24 ] CVE-2022-3195
https://nvd.nist.gov/vuln/detail/CVE-2022-3195
[ 25 ] CVE-2022-3196
https://nvd.nist.gov/vuln/detail/CVE-2022-3196
[ 26 ] CVE-2022-3197
https://nvd.nist.gov/vuln/detail/CVE-2022-3197
[ 27 ] CVE-2022-3198
https://nvd.nist.gov/vuln/detail/CVE-2022-3198
[ 28 ] CVE-2022-3199
https://nvd.nist.gov/vuln/detail/CVE-2022-3199
[ 29 ] CVE-2022-3200
https://nvd.nist.gov/vuln/detail/CVE-2022-3200
[ 30 ] CVE-2022-3201
https://nvd.nist.gov/vuln/detail/CVE-2022-3201
[ 31 ] CVE-2022-38012
https://nvd.nist.gov/vuln/detail/CVE-2022-38012

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202209-23

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

Gentoo Linux Security Advisory 202311-11

Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.

Critical libwebp Vulnerability Under Active Exploitation - Gets Maximum CVSS Score

Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially

Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits

Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.

Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. "These

CVE-2023-0036: en/security-disclosure/2023/2023-01.md · OpenHarmony/security - Gitee.com

platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack".Local attackers can bypass authentication and attack other SAs with high privilege.

Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability

Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion

Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be

CVE-2022-43449: en/security-disclosure/2022/2022-11.md · OpenHarmony/security - Gitee.com

OpenHarmony-v3.1.2 and prior versions had an Arbitrary file read vulnerability via download_server. Local attackers can install an malicious application on the device and reveal any file from the filesystem that is accessible to download_server service which run with UID 1000.

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of

Google Quashes 5 High-Severity Bugs With Chrome 106 Update

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

CVE-2022-3046: Stable Channel Update for Desktop

Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3055

Use after free in Passwords in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3071

Use after free in Tab Strip in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interaction.

CVE-2022-3045

Insufficient validation of untrusted input in V8 in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3044

Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2022-3043

Heap buffer overflow in Screen Capture in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3039

Use after free in WebSQL in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3196

Use after free in PDF in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

CVE-2022-3200

Heap buffer overflow in Internals in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3201: Stable Channel Update for Desktop

Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.

CVE-2022-3038

Use after free in Network Service in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3051

Heap buffer overflow in Exosphere in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions.

CVE-2022-3049

Use after free in SplitScreen in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-3201

Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.

CVE-2022-3047

Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.

CVE-2022-3075: Stable Channel Update for Desktop

Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Microsoft Patch Tuesday September 2022: CLFS Driver EoP, IP packet causes RCE, Windows DNS Server DoS, Spectre-BHB

Hello everyone! Let’s take a look at Microsoft’s September Patch Tuesday. This time it is quite compact. There were 63 CVEs released on Patch Tuesday day. If we add the vulnerabilities released between August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. Much less than usual. Alternative […]

CVE-2022-38012

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

Zero-day puts a dent in Chrome's mojo

Categories: Exploits and vulnerabilities Categories: News The Google Chrome Team recently issued a fix for the CVE-2022-3075 zero-day. (Read more...) The post Zero-day puts a dent in Chrome's mojo appeared first on Malwarebytes Labs.

Google Release Urgent Chrome Update to Patch New Zero-Day Vulnerability

Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An

Google Fixes 24 Vulnerabilities With New Chrome Update

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Google Fixes 24 Vulnerabilities With New Chrome Update

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution