Headline
Gentoo Linux Security Advisory 202209-23
Gentoo Linux Security Advisory 202209-23 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 105.0.5195.125 are affected.
Gentoo Linux Security Advisory GLSA 202209-23
https://security.gentoo.org/
Severity: High
Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Date: September 29, 2022
Bugs: #868156, #868354, #872407, #870142
ID: 202209-23
Synopsis
Multiple vulnerabilities have been found in Chromium and its
derivatives, the worst of which could result in remote code execution.
Background
Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
Google Chrome is one fast, simple, and secure browser for all your
devices.
Microsoft Edge is a browser that combines a minimal design with
sophisticated technology to make the web faster, safer, and easier.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 105.0.5195.125 >= 105.0.5195.125
2 www-client/chromium-bin < 105.0.5195.125 >= 105.0.5195.125
3 www-client/google-chrome < 105.0.5195.125 >= 105.0.5195.125
4 www-client/microsoft-edge < 105.0.1343.42 >= 105.0.1343.42
Description
Multiple vulnerabilities have been discovered in Chromium, Google
Chrome, Microsoft Edge. Please review the CVE identifiers referenced
below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Chromium users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/chromium-105.0.5195.125”
All Chromium binary users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/chromium-bin-105.0.5195.125”
All Google Chrome users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/google-chrome-105.0.5195.125”
All Microsoft Edge users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/microsoft-edge-105.0.1343.42”
References
[ 1 ] CVE-2022-3038
https://nvd.nist.gov/vuln/detail/CVE-2022-3038
[ 2 ] CVE-2022-3039
https://nvd.nist.gov/vuln/detail/CVE-2022-3039
[ 3 ] CVE-2022-3040
https://nvd.nist.gov/vuln/detail/CVE-2022-3040
[ 4 ] CVE-2022-3041
https://nvd.nist.gov/vuln/detail/CVE-2022-3041
[ 5 ] CVE-2022-3042
https://nvd.nist.gov/vuln/detail/CVE-2022-3042
[ 6 ] CVE-2022-3043
https://nvd.nist.gov/vuln/detail/CVE-2022-3043
[ 7 ] CVE-2022-3044
https://nvd.nist.gov/vuln/detail/CVE-2022-3044
[ 8 ] CVE-2022-3045
https://nvd.nist.gov/vuln/detail/CVE-2022-3045
[ 9 ] CVE-2022-3046
https://nvd.nist.gov/vuln/detail/CVE-2022-3046
[ 10 ] CVE-2022-3047
https://nvd.nist.gov/vuln/detail/CVE-2022-3047
[ 11 ] CVE-2022-3048
https://nvd.nist.gov/vuln/detail/CVE-2022-3048
[ 12 ] CVE-2022-3049
https://nvd.nist.gov/vuln/detail/CVE-2022-3049
[ 13 ] CVE-2022-3050
https://nvd.nist.gov/vuln/detail/CVE-2022-3050
[ 14 ] CVE-2022-3051
https://nvd.nist.gov/vuln/detail/CVE-2022-3051
[ 15 ] CVE-2022-3052
https://nvd.nist.gov/vuln/detail/CVE-2022-3052
[ 16 ] CVE-2022-3053
https://nvd.nist.gov/vuln/detail/CVE-2022-3053
[ 17 ] CVE-2022-3054
https://nvd.nist.gov/vuln/detail/CVE-2022-3054
[ 18 ] CVE-2022-3055
https://nvd.nist.gov/vuln/detail/CVE-2022-3055
[ 19 ] CVE-2022-3056
https://nvd.nist.gov/vuln/detail/CVE-2022-3056
[ 20 ] CVE-2022-3057
https://nvd.nist.gov/vuln/detail/CVE-2022-3057
[ 21 ] CVE-2022-3058
https://nvd.nist.gov/vuln/detail/CVE-2022-3058
[ 22 ] CVE-2022-3071
https://nvd.nist.gov/vuln/detail/CVE-2022-3071
[ 23 ] CVE-2022-3075
https://nvd.nist.gov/vuln/detail/CVE-2022-3075
[ 24 ] CVE-2022-3195
https://nvd.nist.gov/vuln/detail/CVE-2022-3195
[ 25 ] CVE-2022-3196
https://nvd.nist.gov/vuln/detail/CVE-2022-3196
[ 26 ] CVE-2022-3197
https://nvd.nist.gov/vuln/detail/CVE-2022-3197
[ 27 ] CVE-2022-3198
https://nvd.nist.gov/vuln/detail/CVE-2022-3198
[ 28 ] CVE-2022-3199
https://nvd.nist.gov/vuln/detail/CVE-2022-3199
[ 29 ] CVE-2022-3200
https://nvd.nist.gov/vuln/detail/CVE-2022-3200
[ 30 ] CVE-2022-3201
https://nvd.nist.gov/vuln/detail/CVE-2022-3201
[ 31 ] CVE-2022-38012
https://nvd.nist.gov/vuln/detail/CVE-2022-38012
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202209-23
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.
Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially
Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.
A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. "These
platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack".Local attackers can bypass authentication and attack other SAs with high privilege.
Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion
Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be
OpenHarmony-v3.1.2 and prior versions had an Arbitrary file read vulnerability via download_server. Local attackers can install an malicious application on the device and reveal any file from the filesystem that is accessible to download_server service which run with UID 1000.
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of
External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.
Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
Use after free in Passwords in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.
Use after free in Tab Strip in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interaction.
Insufficient validation of untrusted input in V8 in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
Heap buffer overflow in Screen Capture in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.
Use after free in WebSQL in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Use after free in PDF in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
Heap buffer overflow in Internals in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.
Use after free in Network Service in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Heap buffer overflow in Exosphere in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions.
Use after free in SplitScreen in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.
Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page.
Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.
Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Hello everyone! Let’s take a look at Microsoft’s September Patch Tuesday. This time it is quite compact. There were 63 CVEs released on Patch Tuesday day. If we add the vulnerabilities released between August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. Much less than usual. Alternative […]
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.
Categories: Exploits and vulnerabilities Categories: News The Google Chrome Team recently issued a fix for the CVE-2022-3075 zero-day. (Read more...) The post Zero-day puts a dent in Chrome's mojo appeared first on Malwarebytes Labs.
Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An
But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.
But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.