Bug 1205871 (CVE-2022-4174) - VUL-0: chromium: multiple security issues fixed in 108.0.5359.71
Status: RESOLVED FIXED
: CVE-2022-4955
Alias: CVE-2022-4174
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.4
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2022-11-30 07:09 UTC by Alexander Bergmann
Modified: 2023-12-18 11:49 UTC


Description Alexander Bergmann 2022-11-30 07:09:22 UTC
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html

- High CVE-2022-4174: Type Confusion in V8.
- High CVE-2022-4175: Use after free in Camera Capture.
- High CVE-2022-4176: Out of bounds write in Lacros Graphics.
- High CVE-2022-4177: Use after free in Extensions.
- High CVE-2022-4178: Use after free in Mojo.
- High CVE-2022-4179: Use after free in Audio.
- High CVE-2022-4180: Use after free in Mojo.
- High CVE-2022-4181: Use after free in Forms.
- Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames.
- Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker.
- Medium CVE-2022-4184: Insufficient policy enforcement in Autofill.
- Medium CVE-2022-4185: Inappropriate implementation in Navigation.
- Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads.
- Medium CVE-2022-4187: Insufficient policy enforcement in DevTools.
- Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS.
- Medium CVE-2022-4189: Insufficient policy enforcement in DevTools.
- Medium CVE-2022-4190: Insufficient data validation in Directory.
- Medium CVE-2022-4191: Use after free in Sign-In.
- Medium CVE-2022-4192: Use after free in Live Caption.
- Medium CVE-2022-4193: Insufficient policy enforcement in File System API.
- Medium CVE-2022-4194: Use after free in Accessibility.
- Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing.
Comment 1 Andreas Stieger 2022-11-30 22:07:14 UTC
submitted
Comment 2 OBSbugzilla Bot 2022-11-30 22:55:02 UTC
This is an autogenerated message for OBS integration:
This bug (1205871) was mentioned in
https://build.opensuse.org/request/show/1039204 Factory / chromium
https://build.opensuse.org/request/show/1039205 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / chromium
Comment 3 OBSbugzilla Bot 2022-12-01 17:35:11 UTC
This is an autogenerated message for OBS integration:
This bug (1205871) was mentioned in
https://build.opensuse.org/request/show/1039354 Backports:SLE-15-SP5 / chromium
Comment 4 OBSbugzilla Bot 2022-12-03 11:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1205871) was mentioned in
https://build.opensuse.org/request/show/1039767 Backports:SLE-15-SP3+Backports:SLE-15-SP4 / chromium
Comment 5 Swamp Workflow Management 2022-12-04 14:21:13 UTC
openSUSE-SU-2022:10229-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 1205871
CVE References: CVE-2022-4174,CVE-2022-4175,CVE-2022-4176,CVE-2022-4177,CVE-2022-4178,CVE-2022-4179,CVE-2022-4180,CVE-2022-4181,CVE-2022-4182,CVE-2022-4183,CVE-2022-4184,CVE-2022-4185,CVE-2022-4186,CVE-2022-4187,CVE-2022-4188,CVE-2022-4189,CVE-2022-4190,CVE-2022-4191,CVE-2022-4192,CVE-2022-4193,CVE-2022-4194,CVE-2022-4195
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    chromium-108.0.5359.71-bp154.2.49.1
openSUSE Backports SLE-15-SP3 (src):    chromium-108.0.5359.71-bp153.2.142.1
Comment 6 Andreas Stieger 2022-12-04 15:31:05 UTC
done
Comment 7 Andreas Stieger 2023-12-18 11:48:12 UTC
via bug 1218149:

Also fixes CVE-2022-4955: Inappropriate implementation in DevTools.
Comment 8 Andreas Stieger 2023-12-18 11:49:29 UTC
*** Bug 1218149 has been marked as a duplicate of this bug. ***