New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: cherry-pick 6b4af5d82083 from chromium #36444
chore: cherry-pick 6b4af5d82083 from chromium #36444
Conversation
Release Notes Persisted
|
It looks like this is still an issue for Electron v21.3.1 (using Chromium 106.0.5249.181), but I don't see any other open issue related to this CVE - are there any plans to fix this in that version? |
It's fixed in 106.0.5249.203, latest version is 106.0.5249.207. Should I bump version manually, or will electron-roller do it automatically? UPDATE: It's fixed in 106.0.5249.199 |
I'm not familiar with electron-roller or the Chromium update process in general, but the most recent v21 release didn't quite update Chromium enough (it updated to 106.0.5249.199), so maybe a manual version bump is necessary? |
Given the severity of the CVE, we'd really like to get the Chromium fix into our code as quickly as we can. @ad0p, @nornagon, @ppontes - do any of you know if the next v21 release will bump update Chromium to a version that includes this fix (>= 106.0.5249.203)? Is opening a new issue this the most appropriate way to request that if not? |
i suspect 106.0.5249.203 was never released on win/mac/linux; was that a CrOS-only release? roller is driven from https://chromiumdash.appspot.com/releases, we don't roll unless there's a release on a platform we support. this decision was driven by us accidentally doing a bunch of extra work for things that were Android- or CrOS-only. so this should be manually backported to 21-x-y. |
Ah, that makes sense, thanks for the info! @ad0p Is this manual backport something you'd be willing to do since you did the backports to 19-x-y and 20-x-y (and it looks like you're doing backports to 20-x-y and 21-x-y for the recent CVE-2022-4262 fix)? |
Sorry, I did not realize that version 106.0.5249.199 already contains this fix, no need to backport then. |
[M107] Fix potential OOB problem with validating command decoder
Bug: 1392715
Change-Id: If51b10cc08e5b3ca4b6012b97261347a5e4c134e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4048203
Auto-Submit: Peng Huang <penghuang@chromium.org>
Commit-Queue: Peng Huang <penghuang@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1074966}
Notes: Security: backported fix for CVE-2022-4135.