Bug 10922

Summary: chromium-browser-stable new security issues fixed in 28.0.1500.95
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb, wrw105
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/562191/
Whiteboard: MGA2TOO mga3-64-ok Mga3-32-OK mga2-32-ok mga2-64-ok
Source RPM: chromium-browser-stable-28.0.1500.71-1.mga3.src.rpm
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 9851, 10828

Description David Walser 2013-08-05 01:09:14 CEST
Upstream has released version 28.0.1500.95 on July 30:
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update_30.html

This fixes a handful of new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

David Walser 2013-08-05 01:09:23 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-08-05 20:18:02 CEST
Debian has issued an advisory for this on July 31:
http://lists.debian.org/debian-security-announce/2013/msg00143.html

URL: (none) => http://lwn.net/Vulnerabilities/562191/

Comment 2 David Walser 2013-08-15 02:04:56 CEST
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

This should also fix Bug 9851 (no Google Sync because of missing API keys).

This should also fix Bug 10828 (mp3 won't play in tainted, ffmpeg codec problem).

Note: Mageia 3 includes a tainted build.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Karthik Bhargavan discovered a way to bypass the Same Origin Policy in frame
handling (CVE-2013-2881).

Cloudfuzzer discovered a type confusion issue in the V8 javascript library
(CVE-2013-2882).

Cloudfuzzer discovered a use-after-free issue in MutationObserver
(CVE-2013-2883).

Ivan Fratric of the Google Security Team discovered a use-after-free issue in
the DOM implementation (CVE-2013-2884).

Ivan Fratric of the Google Security Team discovered a use-after-free issue in
input handling (CVE-2013-2885).

The chrome 28 development team found various issues from internal fuzzing,
audits, and other studies (CVE-2013-2886).

This update provides version 28.0.1500.95, which fixes these issues.

Additionally, Google Sync should now work (mga#9851), and playing of media
files with certain codecs, such as mp3, should now work with the tainted
build (mga#10828) in Mageia 3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2886
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update_30.html
https://bugs.mageia.org/show_bug.cgi?id=9851
https://bugs.mageia.org/show_bug.cgi?id=10828
http://www.debian.org/security/2013/dsa-2732
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-28.0.1500.95-1.mga2
chromium-browser-28.0.1500.95-1.mga2
chromium-browser-stable-28.0.1500.95-1.mga3
chromium-browser-28.0.1500.95-1.mga3

Updated packages in tainted/updates_testing:
========================
chromium-browser-stable-28.0.1500.95-1.mga3
chromium-browser-28.0.1500.95-1.mga3

from SRPMS:
chromium-browser-stable-28.0.1500.95-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.95-1.mga3.src.rpm

Version: Cauldron => 3
Blocks: (none) => 9851, 10828
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 Bill Wilkinson 2013-08-15 02:28:02 CEST
No PoC on securityfocus. Testing mga3-64 core.

CC: (none) => wrw105

Comment 4 Bill Wilkinson 2013-08-15 03:31:07 CEST
Tested mga3-64 core OK

General browsing, Sunspider javascript, javatester, youtube testing flash.

Logged in to google sync and synced bookmarks.

Comment 5 Bill Wilkinson 2013-08-15 03:59:13 CEST
Tested mga3-64 tainted. Same tests as above, plus playing the embedded file at http://archive.org/details/testmp3testfile to test mp3. Main menu showed logged in as the proper gmail account.

MGA3-64 OK.

Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok

Comment 6 Bill Wilkinson 2013-08-15 04:56:50 CEST
Tested mga3-32, core as above. All OK.

Comment 7 Bill Wilkinson 2013-08-15 05:14:15 CEST
Tested mga3-32 tainted as above, all OK.

Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok Mga3-32-OK

Comment 8 claire robinson 2013-08-15 07:54:35 CEST
Advisory uploaded.

There is actually a tainted srpm so 3 srpms rather than just the two listed.

chromium-browser-stable-28.0.1500.95-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.95-1.mga3.src.rpm
chromium-browser-stable-28.0.1500.95-1.mga3.tainted.src.rpm

http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/3/SRPMS/tainted/updates_testing/chromium-browser-stable-28.0.1500.95-1.mga3.tainted.src.rpm

Comment 9 claire robinson 2013-08-15 08:34:21 CEST
Testing complete mga2 32 & 64

Validating

Could sysadmin please push from 2 core and 3 core & tainted to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok Mga3-32-OK => MGA2TOO mga3-64-ok Mga3-32-OK mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 10 David Walser 2013-08-15 17:15:08 CEST
Note that the CVE-2013-2882 issue is actually in the bundled v8 library.

Fedora has issued an advisory for this on August 3:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113963.html

As Fedora noted, the impact on Node.js is "lessened," but we may have to update nodejs at some point in the future due to this.

Comment 11 Thomas Backlund 2013-08-17 10:40:50 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0249.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED