Bug 17125

Summary: chromium-browser-stable new security issues fixed in 46.0.2490.86
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: herman.viaene, sysadmin-bugs, wilcal.int
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/664368/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: chromium-browser-stable-46.0.2490.80-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-11-11 14:50:23 CET
Upstream has released version 46.0.2490.86 on November 10:
http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html

This fixes one new security issue.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

Comment 1 David Walser 2015-11-13 00:40:37 CET
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict
scripting messages and API exposure, which allows remote attackers to bypass
the Same Origin Policy via an unintended embedder or unintended plugin loading,
related to pdf.js and out_of_process_instance.cc (CVE-2015-1302).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1302
http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html
========================

Updated packages in core/updates_testing:
========================
chromium-browser-46.0.2490.86-1.mga5
chromium-browser-stable-46.0.2490.86-1.mga5

from chromium-browser-stable-46.0.2490.86-1.mga5.src.rpm

Assignee: cjw => qa-bugs

Comment 2 Herman Viaene 2015-11-13 14:24:29 CET
MGA-32 on Acer D620 Xfce
No installation issues.
Typed in www.standaard.be (Belgian newspaper) and just got a black window; even Chromium's own settings page drew a blank.
Closed Chromium and started it over again, and then all is normal. I wonder if anyone else got this behavior as well?

CC: (none) => herman.viaene

Comment 3 William Kenney 2015-11-13 15:36:31 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
chromium-browser

default install of chromium-browser

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-46.0.2490.80-1.mga5.i586 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
https://www.youtube.com/
http://www.cnn.com/videos
http://www.amazon.com/
http://picasaweb.google.com/lh/explore#
http://www.standaard.be
all display properly

install chromium-browser from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-46.0.2490.86-1.mga5.i586 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
https://www.youtube.com/
http://www.cnn.com/videos
http://www.amazon.com/
http://picasaweb.google.com/lh/explore#
http://www.standaard.be
all display properly

CC: (none) => wilcal.int

Comment 4 William Kenney 2015-11-13 15:54:18 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
chromium-browser

default install of chromium-browser

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-46.0.2490.80-1.mga5.x86_64 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
https://www.youtube.com/
http://www.cnn.com/videos
http://www.amazon.com/
http://picasaweb.google.com/lh/explore#
http://www.standaard.be
all display properly

install chromium-browser from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-46.0.2490.86-1.mga5.x86_64 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
https://www.youtube.com/
http://www.cnn.com/videos
http://www.amazon.com/
http://picasaweb.google.com/lh/explore#
http://www.standaard.be
all display properly

David Walser 2015-11-13 16:17:54 CET

URL: (none) => http://lwn.net/Vulnerabilities/664368/

Comment 5 David Walser 2015-11-13 18:43:28 CET
Adding OK from William's tests, tested OK for me on Mageia 5 i586 also.

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 6 William Kenney 2015-11-14 06:11:56 CET
This is good to go.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-11-16 17:32:38 CET
Advisory uploaded.

Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 8 Mageia Robot 2015-11-16 22:37:45 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0448.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED