openSUSE Security Update: Security update for chromium

Announcement ID:    openSUSE-SU-2022:0112-1
Rating:             important
References:         #1194511 #1194512 #1194513 #1194514 #1197680 
                    #1198053 #1198361 
Cross-References:   CVE-2021-44531 CVE-2021-44532 CVE-2021-44533
                    CVE-2022-1125 CVE-2022-1127 CVE-2022-1128
                    CVE-2022-1129 CVE-2022-1130 CVE-2022-1131
                    CVE-2022-1132 CVE-2022-1133 CVE-2022-1134
                    CVE-2022-1135 CVE-2022-1136 CVE-2022-1137
                    CVE-2022-1138 CVE-2022-1139 CVE-2022-1141
                    CVE-2022-1142 CVE-2022-1143 CVE-2022-1144
                    CVE-2022-1145 CVE-2022-1146 CVE-2022-1232
                    CVE-2022-1305 CVE-2022-1306 CVE-2022-1307
                    CVE-2022-1308 CVE-2022-1309 CVE-2022-1310
                    CVE-2022-1311 CVE-2022-1312 CVE-2022-1313
                    CVE-2022-1314 CVE-2022-21824
CVSS scores:
                    CVE-2021-44531 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-44531 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-44532 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-44532 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-44533 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-44533 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-21824 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2022-21824 (SUSE): 4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected Products:
                    openSUSE Backports SLE-15-SP3
                    openSUSE Leap 15.3

   An update that fixes 35 vulnerabilities is now available.


   This update for chromium fixes the following issues:

   Updated to Chromium 100.0.4896.88 (boo#1198361)

   - CVE-2022-1305: Use after free in storage
   - CVE-2022-1306: Inappropriate implementation in compositing
   - CVE-2022-1307: Inappropriate implementation in full screen
   - CVE-2022-1308: Use after free in BFCache
   - CVE-2022-1309: Insufficient policy enforcement in developer tools
   - CVE-2022-1310: Use after free in regular expressions
   - CVE-2022-1311: Use after free in Chrome OS shell
   - CVE-2022-1312: Use after free in storage
   - CVE-2022-1313: Use after free in tab groups
   - CVE-2022-1314: Type Confusion in V8
   - Various fixes from internal audits, fuzzing and other initiatives

   Updated to version 100.0.4896.75:

   - CVE-2022-1232: Type Confusion in V8 (boo#1198053)

   Update to version 100.0.4896.60 (boo#1197680):

   - CVE-2022-1125: Use after free in Portals
   - CVE-2022-1127: Use after free in QR Code Generator
   - CVE-2022-1128: Inappropriate implementation in Web Share API
   - CVE-2022-1129: Inappropriate implementation in Full Screen Mode
   - CVE-2022-1130: Insufficient validation of untrusted input in WebOTP
   - CVE-2022-1131: Use after free in Cast UI
   - CVE-2022-1132: Inappropriate implementation in Virtual Keyboard
   - CVE-2022-1133: Use after free in WebRTC
   - CVE-2022-1134: Type Confusion in V8
   - CVE-2022-1135: Use after free in Shopping Cart
   - CVE-2022-1136: Use after free in Tab Strip
   - CVE-2022-1137: Inappropriate implementation in Extensions
   - CVE-2022-1138: Inappropriate implementation in Web Cursor
   - CVE-2022-1139: Inappropriate implementation in Background Fetch API
   - CVE-2022-1141: Use after free in File Manager
   - CVE-2022-1142: Heap buffer overflow in WebUI
   - CVE-2022-1143: Heap buffer overflow in WebUI
   - CVE-2022-1144: Use after free in WebUI
   - CVE-2022-1145: Use after free in Extensions
   - CVE-2022-1146: Inappropriate implementation in Resource Timing

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-112=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-112=1

Package List:

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):


   - openSUSE Leap 15.3 (noarch):


   - openSUSE Backports SLE-15-SP3 (aarch64 x86_64):