Bug 11935

Summary: chromium-browser-stable new security issues fixed in 31.0.1650.63
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/576256/
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: chromium-browser-stable-31.0.1650.48-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-12-10 00:10:20 CET 
Debian has issued an advisory on December 7:
http://www.debian.org/security/2013/dsa-2811

These issues are fixed in 31.0.1650.63 upstream:
http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

We also missed a previous update that fixed one security issue:
http://googlechromereleases.blogspot.com/2013/11/stable-channel-update_14.html

Debian fixed that one as part of their previous update:
http://www.debian.org/security/2013/dsa-2799

CVE-2013-6632 is the one we still need to fix, as I referenced here:
https://bugs.mageia.org/show_bug.cgi?id=11657#c12

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-10 00:10:34 CET

Whiteboard: (none) => MGA3TOO

Dave Hodgins 2013-12-12 22:36:35 CET

Blocks: (none) => 11726

Comment 1 David Walser 2013-12-22 04:13:30 CET 
chromium-browser-stable-31.0.1650.63-1.mga4 uploaded for Cauldron.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 2 David Walser 2013-12-22 06:39:29 CET 
Updated packages uploaded for Mageia 3.

Note to QA: there are both core and tainted builds for this package.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Pinkie Pie discovered multiple memory corruption issues (CVE-2013-6632).

Andrey Labunets discovered that the wrong URL was used during validation in
the one-click sign on helper (CVE-2013-6634).

cloudfuzzer discovered use-after-free issues in the InsertHTML and Indent DOM
editing commands (CVE-2013-6635).

Bas Venis discovered an address bar spoofing issue (CVE-2013-6636).

The chrome 31 development team discovered and fixed multiple issues with
potential security impact (CVE-2013-6637).

Jakob Kummerow of the Chromium project discovered a buffer overflow in the v8
javascript library (CVE-2013-6638).

Jakob Kummerow of the Chromium project discovered an out-of-bounds write in
the v8 javascript library (CVE-2013-6639).

Jakob Kummerow of the Chromium project discovered an out-of-bounds read in
the v8 javascript library (CVE-2013-6640).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
http://googlechromereleases.blogspot.com/2013/11/stable-channel-update_14.html
http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
http://www.debian.org/security/2013/dsa-2799
http://www.debian.org/security/2013/dsa-2811
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-31.0.1650.63-1.mga3
chromium-browser-31.0.1650.63-1.mga3

Updated packages in tainted/updates_testing:
========================
chromium-browser-stable-31.0.1650.63-1.mga3
chromium-browser-31.0.1650.63-1.mga3

from chromium-browser-stable-31.0.1650.63-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2013-12-23 08:27:17 CET 
2 srpms for this again.

chromium-browser-stable-31.0.1650.63-1.mga3.src.rpm
chromium-browser-stable-31.0.1650.63-1.mga3.tainted.src.rpm

If just the core srpm is pushed then the tainted is left in testing.
Comment 4 claire robinson 2013-12-23 09:15:36 CET 
Testing complete mga3 32

Tested java, flash, https, addons, javascript
Core version plays mp3 through vlc plugin & tainted version plays it natively.

mp3: http://robtowns.com/music/blind_willie.mp3
Java: http://www.javatester.org/version.html
Javascript: http://www.webkit.org/perf/sunspider/sunspider.html
Flash: http://www.youtube.com/watch?v=5qr1YLO9fko
https: https://bugs.mageia.org/show_bug.cgi?id=11935

Whiteboard: (none) => has_procedure mga3-32-ok

Comment 5 claire robinson 2013-12-23 10:41:10 CET 
Testing complete mga3 64

Whiteboard: has_procedure mga3-32-ok => has_procedure mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2013-12-23 10:49:44 CET 
Advisory uploaded. Validating.

Could sysadmin please push from 3 core & tainted/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2013-12-23 18:27:06 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0383.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED