Open martrant opened 4 months ago
I identified the commit that patched the exploit. I will rebuild Supermium against it and release it later today.
Please include CVE-2024-4761.
Noted. I have also found the commit in V8 and will apply it there before releasing.
Now that v122-v5 is out, I think we can close this ticket.
Hi Win32. The patch for this vulnerability is missing:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4947
Noted. I have also found the commit in V8 and will apply it there before releasing.
What change was that. See my comment Here where similar to skia and pdfium, I can't see the changes you applied to V8. Can you show me the CL upstream for the fix?
Update: Was it this? > https://chromium.googlesource.com/v8/v8/+/c6b8b43c3042d99f07d5cc0771e58511afaa66a3..1ecf7c4897c3ed68d65ac467cce5da142b495756
Noted. I have also found the commit in V8 and will apply it there before releasing.
What change was that. See my comment Here where similar to skia and pdfium, I can't see the changes you applied to V8. Can you show me the CL upstream for the fix?
Update: Was it this? > https://chromium.googlesource.com/v8/v8/+/c6b8b43c3042d99f07d5cc0771e58511afaa66a3..1ecf7c4897c3ed68d65ac467cce5da142b495756
Yes, this one and then b3c01ac for R6. The issue/bug number in the Chrome release notes (https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html) is written in the relevant commit(s) as well.
@win32ss Is there any more commits between https://github.com/win32ss/supermium/commit/c2d2f04ed8e4cefd00b9ec2c36e9ba9186ed92ee and the R6 release that you haven't pushed yet? For example the release notes say "lazy composition disabled by default", but I don't see any commits related to that. I know some of them are implemented in progwrp, such as the screensaver XP fix.
I.E. if I rebase to include those two V8 commits, plus all of your commits up until c2d2f04ed8e4cefd00b9ec2c36e9ba9186ed92ee, will I have all of your changes up until now?
Also, can you release the .zips of progwrp 1.1.0.5012 to the readme?
I have updated the readme and added the commits up to the 8.1 NVIDIA RTX D3D11 bugfix which I made today.
@win32ss Thanks! Gonna release R5 of Thorium today. Also going to submit a PR here. Tis' a not-so-secret secret lol.
Also, did you get my message about pushing to the repos here > https://github.com/win32ss/supermium/commit/b84830e922855ce459f110febe5a9ceaa7788c71#commitcomment-142088843
Also, do you know when you'll release the installer source? I'm working on a NSIS installer, but I would prefer to have your installer as a base to build on, and use that instead of NSIS.
@win32ss Thanks! Gonna release R5 of Thorium today. Also going to submit a PR here. Tis' a not-so-secret secret lol.
Also, did you get my message about pushing to the repos here > b84830e#commitcomment-142088843
Also, do you know when you'll release the installer source? I'm working on a NSIS installer, but I would prefer to have your installer as a base to build on, and use that instead of NSIS.
I have now released the installer/uninstaller sources: https://github.com/win32ss/supermium-installer
@win32ss Extra Noice. I got my NSIS installer working too. Will probably release Thorium in both installer flavours to the community, and then take a poll using SurveyMonkey to see what they prefer. I like the options that your provides, but also like the sleekness and user familiarity that NSIS provides.
Describe the bug Not really a bug, only potential exposure of Supermium v122-R4 users to recently discovered zero-day vulnarability CVE-2024-4671 (see here: https://thehackernews.com/2024/05/chrome-zero-day-alert-update-your.html?m=1)
To Reproduce Steps to reproduce the behavior:
Expected behavior A clear and concise description of what you expected to happen.
Screenshots If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Additional context Should there be an interim update of Supermium v122-R4 to protect against this recent zero-day exploit until Supermium v124+ becomes available?