Security update for chromium, gn SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:0115-1 Final 1 1 2025-04-06T23:02:41Z current 2025-04-06T23:02:41Z 2025-04-06T23:02:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium, gn This update for chromium, gn fixes the following issues: Changes in chromium: - Chromium 135.0.7049.52 (stable release 2025-04-01) (boo#1240555) * CVE-2025-3066: Use after free in Navigations * CVE-2025-3067: Inappropriate implementation in Custom Tabs * CVE-2025-3068: Inappropriate implementation in Intents * CVE-2025-3069: Inappropriate implementation in Extensions * CVE-2025-3070: Insufficient validation of untrusted input in Extensions * CVE-2025-3071: Inappropriate implementation in Navigations * CVE-2025-3072: Inappropriate implementation in Custom Tabs * CVE-2025-3073: Inappropriate implementation in Autofill * CVE-2025-3074: Inappropriate implementation in Downloads Changes in gn: - Update to version 0.20250306: * Remove deps from rust executable to module's pcm files * Update test for rust executable deps * Add toolchain for cxx modules in TestWithScope * Apply the latest clang-format * Update reference for {rustdeps} * Always generate a .toolchain file even if it is empty. * Pass --with-lg-page=16 when building jemalloc for arm64. * Remove obsolete debug checks. * Make default vs ide version on Windows as 2022 * Reland 'Adds a path_exists() function' * Revert 'Adds a path_exists() function' * Adds a path_exists() function * Revert 'Speed-up GN with custom OutputStream interface.' * Speed-up GN with custom OutputStream interface. * Add `exec_script_allowlist` to replace `exec_script_whitelist`. * Retry ReplaceFile in case of failure * Fix crash when NinjaBuildWriter::RunAndWriteFile fails * fix include for escape.h * fix exit code for gn gen failure * misc: Use html.escape instead of cgi.escape * Do not copy parent build_dependency_files_ in Scope constructors. * Improve error message for duplicated items * [rust-project] Always use forward slashes in sysroot paths * Update all_dependent_configs docs. * set 'no_stamp_files' by default * fix a typo * Stop using transitional LFS64 APIs * do not use tool prefix for phony rule * [rust] Add sysroot_src to rust-project.json * Implement and enable 'no_stamp_files' * Add Target::dependency_output_alias() * Add 'outputs' to generated_file documentation. * Update bug database link. * remove a trailing space after variable bindings * fix tool name in error * remove unused includes * Markdown optimization (follow-up) * Support link_output, depend_output in Rust linked tools. * Properly verify runtime_outputs in rust tool definitions. * BugFix: Syntax error in gen.py file * generated_file: add output to input deps of stamp * Markdown optimization: * Revert 'Rust: link_output, depend_output and runtime_outputs for dylibs' * hint using nogncheck on disallowed includes The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2025-115 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ E-Mail link for openSUSE-SU-2025:0115-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240555 SUSE Bug 1240555 https://www.suse.com/security/cve/CVE-2025-3066/ SUSE CVE CVE-2025-3066 page https://www.suse.com/security/cve/CVE-2025-3067/ SUSE CVE CVE-2025-3067 page https://www.suse.com/security/cve/CVE-2025-3068/ SUSE CVE CVE-2025-3068 page https://www.suse.com/security/cve/CVE-2025-3069/ SUSE CVE CVE-2025-3069 page https://www.suse.com/security/cve/CVE-2025-3070/ SUSE CVE CVE-2025-3070 page https://www.suse.com/security/cve/CVE-2025-3071/ SUSE CVE CVE-2025-3071 page https://www.suse.com/security/cve/CVE-2025-3072/ SUSE CVE CVE-2025-3072 page https://www.suse.com/security/cve/CVE-2025-3073/ SUSE CVE CVE-2025-3073 page https://www.suse.com/security/cve/CVE-2025-3074/ SUSE CVE CVE-2025-3074 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 chromedriver-135.0.7049.52-bp156.2.102.2 chromium-135.0.7049.52-bp156.2.102.2 gn-0.20250306-bp156.2.6.1 chromedriver-135.0.7049.52-bp156.2.102.2 as a component of SUSE Package Hub 15 SP6 chromium-135.0.7049.52-bp156.2.102.2 as a component of SUSE Package Hub 15 SP6 gn-0.20250306-bp156.2.6.1 as a component of SUSE Package Hub 15 SP6 chromedriver-135.0.7049.52-bp156.2.102.2 as a component of openSUSE Leap 15.6 chromium-135.0.7049.52-bp156.2.102.2 as a component of openSUSE Leap 15.6 gn-0.20250306-bp156.2.6.1 as a component of openSUSE Leap 15.6 Use after free in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-3066 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3066.html CVE-2025-3066 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted app. (Chromium security severity: Medium) CVE-2025-3067 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3067.html CVE-2025-3067 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Intents in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-3068 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3068.html CVE-2025-3068 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-3069 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3069.html CVE-2025-3069 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Insufficient validation of untrusted input in Extensions in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-3070 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3070.html CVE-2025-3070 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) CVE-2025-3071 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3071.html CVE-2025-3071 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) CVE-2025-3072 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3072.html CVE-2025-3072 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) CVE-2025-3073 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3073.html CVE-2025-3073 https://bugzilla.suse.com/1240555 SUSE Bug 1240555 Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) CVE-2025-3074 SUSE Package Hub 15 SP6:chromedriver-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:chromium-135.0.7049.52-bp156.2.102.2 SUSE Package Hub 15 SP6:gn-0.20250306-bp156.2.6.1 openSUSE Leap 15.6:chromedriver-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:chromium-135.0.7049.52-bp156.2.102.2 openSUSE Leap 15.6:gn-0.20250306-bp156.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q43DSNVGBXKUV4FSO2HJ4XARMZYOEIFU/ https://www.suse.com/security/cve/CVE-2025-3074.html CVE-2025-3074 https://bugzilla.suse.com/1240555 SUSE Bug 1240555