Headline
Gentoo Linux Security Advisory 202208-35
Gentoo Linux Security Advisory 202208-35 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 104.0.5112.101 are affected.
Gentoo Linux Security Advisory GLSA 202208-35
https://security.gentoo.org/
Severity: High
Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Date: August 21, 2022
Bugs: #858104, #859442, #863512, #865501, #864723
ID: 202208-35
Synopsis
Multiple vulnerabilities have been found in Chromium and its
derivatives, the worst of which could result in remote code execution.
Background
Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
Google Chrome is one fast, simple, and secure browser for all your
devices.
Microsoft Edge is a browser that combines a minimal design with
sophisticated technology to make the web faster, safer, and easier.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 104.0.5112.101 >= 104.0.5112.101
2 www-client/chromium-bin < 104.0.5112.101 >= 104.0.5112.101
3 www-client/google-chrome < 104.0.5112.101 >= 104.0.5112.101
4 www-client/microsoft-edge < 104.0.1293.63 >= 104.0.1293.63
Description
Multiple vulnerabilities have been discovered in Chromium and its
derivatives. Please review the CVE identifiers referenced below for
details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Chromium users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/chromium-104.0.5112.101”
All Chromium binary users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/chromium-bin-104.0.5112.101”
All Google Chrome users should upgrade to tha latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/google-chrome-104.0.5112.101”
All Microsoft Edge users should upgrade to tha latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=www-client/microsoft-edge-104.0.1293.63”
References
[ 1 ] CVE-2022-2163
https://nvd.nist.gov/vuln/detail/CVE-2022-2163
[ 2 ] CVE-2022-2294
https://nvd.nist.gov/vuln/detail/CVE-2022-2294
[ 3 ] CVE-2022-2295
https://nvd.nist.gov/vuln/detail/CVE-2022-2295
[ 4 ] CVE-2022-2296
https://nvd.nist.gov/vuln/detail/CVE-2022-2296
[ 5 ] CVE-2022-2477
https://nvd.nist.gov/vuln/detail/CVE-2022-2477
[ 6 ] CVE-2022-2478
https://nvd.nist.gov/vuln/detail/CVE-2022-2478
[ 7 ] CVE-2022-2479
https://nvd.nist.gov/vuln/detail/CVE-2022-2479
[ 8 ] CVE-2022-2480
https://nvd.nist.gov/vuln/detail/CVE-2022-2480
[ 9 ] CVE-2022-2481
https://nvd.nist.gov/vuln/detail/CVE-2022-2481
[ 10 ] CVE-2022-2603
https://nvd.nist.gov/vuln/detail/CVE-2022-2603
[ 11 ] CVE-2022-2604
https://nvd.nist.gov/vuln/detail/CVE-2022-2604
[ 12 ] CVE-2022-2605
https://nvd.nist.gov/vuln/detail/CVE-2022-2605
[ 13 ] CVE-2022-2606
https://nvd.nist.gov/vuln/detail/CVE-2022-2606
[ 14 ] CVE-2022-2607
https://nvd.nist.gov/vuln/detail/CVE-2022-2607
[ 15 ] CVE-2022-2608
https://nvd.nist.gov/vuln/detail/CVE-2022-2608
[ 16 ] CVE-2022-2609
https://nvd.nist.gov/vuln/detail/CVE-2022-2609
[ 17 ] CVE-2022-2610
https://nvd.nist.gov/vuln/detail/CVE-2022-2610
[ 18 ] CVE-2022-2611
https://nvd.nist.gov/vuln/detail/CVE-2022-2611
[ 19 ] CVE-2022-2612
https://nvd.nist.gov/vuln/detail/CVE-2022-2612
[ 20 ] CVE-2022-2613
https://nvd.nist.gov/vuln/detail/CVE-2022-2613
[ 21 ] CVE-2022-2614
https://nvd.nist.gov/vuln/detail/CVE-2022-2614
[ 22 ] CVE-2022-2615
https://nvd.nist.gov/vuln/detail/CVE-2022-2615
[ 23 ] CVE-2022-2616
https://nvd.nist.gov/vuln/detail/CVE-2022-2616
[ 24 ] CVE-2022-2617
https://nvd.nist.gov/vuln/detail/CVE-2022-2617
[ 25 ] CVE-2022-2618
https://nvd.nist.gov/vuln/detail/CVE-2022-2618
[ 26 ] CVE-2022-2619
https://nvd.nist.gov/vuln/detail/CVE-2022-2619
[ 27 ] CVE-2022-2620
https://nvd.nist.gov/vuln/detail/CVE-2022-2620
[ 28 ] CVE-2022-2621
https://nvd.nist.gov/vuln/detail/CVE-2022-2621
[ 29 ] CVE-2022-2622
https://nvd.nist.gov/vuln/detail/CVE-2022-2622
[ 30 ] CVE-2022-2623
https://nvd.nist.gov/vuln/detail/CVE-2022-2623
[ 31 ] CVE-2022-2624
https://nvd.nist.gov/vuln/detail/CVE-2022-2624
[ 32 ] CVE-2022-2852
https://nvd.nist.gov/vuln/detail/CVE-2022-2852
[ 33 ] CVE-2022-2853
https://nvd.nist.gov/vuln/detail/CVE-2022-2853
[ 34 ] CVE-2022-2854
https://nvd.nist.gov/vuln/detail/CVE-2022-2854
[ 35 ] CVE-2022-2855
https://nvd.nist.gov/vuln/detail/CVE-2022-2855
[ 36 ] CVE-2022-2856
https://nvd.nist.gov/vuln/detail/CVE-2022-2856
[ 37 ] CVE-2022-2857
https://nvd.nist.gov/vuln/detail/CVE-2022-2857
[ 38 ] CVE-2022-2858
https://nvd.nist.gov/vuln/detail/CVE-2022-2858
[ 39 ] CVE-2022-2859
https://nvd.nist.gov/vuln/detail/CVE-2022-2859
[ 40 ] CVE-2022-2860
https://nvd.nist.gov/vuln/detail/CVE-2022-2860
[ 41 ] CVE-2022-2861
https://nvd.nist.gov/vuln/detail/CVE-2022-2861
[ 42 ] CVE-2022-33636
https://nvd.nist.gov/vuln/detail/CVE-2022-33636
[ 43 ] CVE-2022-33649
https://nvd.nist.gov/vuln/detail/CVE-2022-33649
[ 44 ] CVE-2022-35796
https://nvd.nist.gov/vuln/detail/CVE-2022-35796
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-35
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
A logic issue was addressed with improved state management. This issue is fixed in iOS 15.6 and iPadOS 15.6. A user may be able to view restricted content from the lock screen.
Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion
Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be
OpenHarmony-v3.1.2 and prior versions had an Arbitrary file read vulnerability via download_server. Local attackers can install an malicious application on the device and reveal any file from the filesystem that is accessible to download_server service which run with UID 1000.
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of
OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have an Out-of-bound memory read and write vulnerability in /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. The unprivileged process run on the device could read out-of-bound memory leading sensitive to information disclosure. The processes with system user UID run on the device would be able to write out-of-bound memory which could lead to unspecified memory corruption.
Hello everyone! Let’s take a look at Microsoft’s September Patch Tuesday. This time it is quite compact. There were 63 CVEs released on Patch Tuesday day. If we add the vulnerabilities released between August and September Patch Tuesdays (as usual, they were in Microsoft Edge), the final number is 90. Much less than usual. Alternative […]
Categories: Exploits and vulnerabilities Categories: News The Google Chrome Team recently issued a fix for the CVE-2022-3075 zero-day. (Read more...) The post Zero-day puts a dent in Chrome's mojo appeared first on Malwarebytes Labs.
Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An
Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful
Hello everyone! In this episode, let’s take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my Vulristics vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August […]
Categories: Exploits and vulnerabilities Categories: News CISA updated its catalog of actively exploited vulnerabilities. Make sure you update your software before the due date! (Read more...) The post CISA wants you to patch these actively exploited vulnerabilities before September 8 appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
The high-severity security vulnerability (CVE-2022-2856) is due to improper user-input validation.
Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents. Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on
Categories: Exploits and vulnerabilities Categories: News Tags: 104.0.5112.101 Tags: Google Tags: Chrome Tags: CVE-2022-2852 Tags: CVE-2022-2856 Tags: CVE-2022-2854 Tags: CVE-2022-2853 Tags: UAF Tags: heap buffer overflow Google issued an update that includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild. (Read more...) The post Update Chrome now! Google issues patch for zero day spotted in the wild appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: 104.0.5112.101 Tags: Google Tags: Chrome Tags: CVE-2022-2852 Tags: CVE-2022-2856 Tags: CVE-2022-2854 Tags: CVE-2022-2853 Tags: UAF Tags: heap buffer overflow Google issued an update that includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild. (Read more...) The post Update Chrome now! Google issues patch for zero day spotted in the wild appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: 104.0.5112.101 Tags: Google Tags: Chrome Tags: CVE-2022-2852 Tags: CVE-2022-2856 Tags: CVE-2022-2854 Tags: CVE-2022-2853 Tags: UAF Tags: heap buffer overflow Google issued an update that includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild. (Read more...) The post Update Chrome now! Google issues patch for zero day spotted in the wild appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: 104.0.5112.101 Tags: Google Tags: Chrome Tags: CVE-2022-2852 Tags: CVE-2022-2856 Tags: CVE-2022-2854 Tags: CVE-2022-2853 Tags: UAF Tags: heap buffer overflow Google issued an update that includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild. (Read more...) The post Update Chrome now! Google issues patch for zero day spotted in the wild appeared first on Malwarebytes Labs.
Ubuntu Security Notice 5568-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Gentoo Linux Security Advisory 202208-25 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 5.15.5_p20220618>= are affected.
Use after free in Tab Strip in Google Chrome on Chrome OS prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.
Use after free in Managed devices API in Google Chrome prior to 104.0.5112.79 allowed a remote attacker who convinced a user to enable a specific Enterprise policy to potentially exploit heap corruption via a crafted HTML page.
Out of bounds read in Dawn in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Use after free in Overview Mode in Google Chrome on Chrome OS prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.
Use after free in Sign-In Flow in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Use after free in Extensions API in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interactions.
Insufficient validation of untrusted input in Internals in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to bypass download restrictions via a malicious file .
Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted HTML page.
Use after free in WebUI in Google Chrome on Chrome OS prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.
Use after free in Extensions in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interactions.
Heap buffer overflow in PDF in Google Chrome prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted PDF file.
Use after free in Safe Browsing in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.
Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.
Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions.
Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Use after free in Views in Google Chrome prior to 103.0.5060.134 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via UI interaction.
Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.
Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.
Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.
Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.
Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.
Candiru attackers breached a news agency employee website to target journalists with DevilsTongue spyware, researchers say.
Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.
By Deeba Ahmed The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims… This is a post from HackRead.com Read the original post: Israeli Spyware Vendor Uses Chrome 0day to Target Journalists
The actively exploited but now-fixed Google Chrome zero-day flaw that came to light earlier this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East. Czech cybersecurity firm Avast linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware dubbed
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than... [[ This is only the beginning! Please visit the blog for the complete entry ]]
The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.
The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.
The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.
The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.
The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.
Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild. The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native