[RndTbl] Chrome blows up the net?
Trevor Cordes
trevor at tecnopolis.ca
Thu Mar 7 18:39:52 CST 2024
So I hit the computer for the first time today and there's not the usual
2-5 Fedora sec update notices, but 356. That's a first.
So Google Chrome has a really bad zero-day
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
And these 356 are all this bug. This is very interesting because these
just seem like random packages... how can they all have this bug? So it
looks like the Chrome stuff got into JDK stuff, and the JDK stuff got into
300+ other things (uh, what?).
Strangely, I don't see notices for Chromium or webkit libraries... unless
they are coming next.
Y'all started using firejail to wrap your Chrome/Chromium in after the Feb
MUUG presentation, right?? ?? Add some more height to the histogram I
posted of Chrome CVEs... Google: leading the pack.
Luckily I mostly use Firefox!
The info on these CVEs is currently very limited. If someone has some
juicier info on the hole, let us know.
CVE-2024-1938
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a
remote attacker to potentially exploit object corruption via a crafted
HTML page. (Chromium security severity: High)
CVE-2024-1939
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a
remote attacker to potentially exploit heap corruption via a crafted HTML
page. (Chromium security severity: High)
More information about the Roundtable
mailing list