| Summary: | chromium-browser-stable new security issues fixed in 47.0.2526.73 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | cjw, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/666542/ | | |
| Whiteboard: | has_procedure advisory mga5-32-ok mga5-64-ok | | |
| Source RPM: | chromium-browser-stable-46.0.2490.86-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-12-02 15:25:53 CET
Update checked into SVN.

Build problem on Cauldron:
gyp: Dependency '/home/iurt/rpmbuild/BUILD/chromium-47.0.2526.73/third_party/libvpx_new/libvpx.gyp:libvpx_new#target' not found while trying to load target /home/iurt/rpmbuild/BUILD/chromium-47.0.2526.73/media/cast/cast.gyp:cast_sender#target
David Walser
2015-12-02 20:16:35 CET
URL: (none) => http://lwn.net/Vulnerabilities/666542/

I just need to do a test build&run with this latest 47, already did a test build with the previous 47 release (labeled beta) so it should build at least (the libvpx problem is known, it was still broken in 48).

CC: (none) => cjw

Thanks. Now patch9 won't apply in Mageia 5 on the build system even though it worked just fine in Cauldron. I don't understand it.

Same here. The context (last line) in the patch is incorrect. The cauldron spec file uses %autopatch while mga5 uses %apply_patches - I guess autopatch is fuzzy...
cauldron: no fuzz options
mga5: --fuzz=0

I see you fixed the ffmpeg patch, thanks! I also see that you added a patch for fixing build against system libvpx, but it is still actually building with its bundled libvpx. That's fine, as that's how it has been, but I wasn't sure if that was what you intended.

The cauldron spec rm's the bundled code and sets the gyp variable differently. I guess libvpx in mga5 is too old so syncing of the libvpx patch was not really needed.

Updated packages are ready for testing:

MGA5
SRPM:
chromium-browser-stable-47.0.2526.73-1.mga5.src.rpm
RPMS:
chromium-browser-stable-47.0.2526.73-1.mga5.i586.rpm
chromium-browser-47.0.2526.73-1.mga5.i586.rpm
chromium-browser-stable-47.0.2526.73-1.mga5.x86_64.rpm
chromium-browser-47.0.2526.73-1.mga5.x86_64.rpm

Advisory:

Chromium-browser 47.0.2526.73 fixes several security issues:

Use-after-free bugs in AppCache (CVE-2015-6765, CVE-2015-6766, CVE-2015-6767).
Cross-origin bypass problems in DOM (CVE-2015-6768, CVE-2015-6770, CVE-2015-6772).
A cross-origin bypass problem in core (CVE-2015-6769).
Out of bounds access bugs in v8 (CVE-2015-6771, CVE-2015-6764).
An out of bounds access in Skia (CVE-2015-6773).
A use-after-free bug in the Extensions component (CVE-2015-6774).
Type confusion in PDFium (CVE-2015-6775).
Out of bounds accesses in PDFium (CVE-2015-6776, CVE-2015-6778).
A use-after-free bug in DOM (CVE-2015-6777).
A scheme bypass in PDFium (CVE-2015-6779).
A use-after-free bug in Infobars (CVE-2015-6780).
An integer overflow in Sfntly (CVE-2015-6781).
Content spoofing in Omnibox (CVE-2015-6782).
An escaping issue in saved pages (CVE-2015-6784).
A wildcard matching issue in CSP (CVE-2015-6785).
A scheme bypass in CSP (CVE-2015-6786).
Various fixes from internal audits, fuzzing and other initiatives (CVE-2015-6787).
Multiple vulnerabilities in V8 fixed in the 4.7 branch, up to version 4.7.80.23.

References:
http://googlechromereleases.blogspot.com/2015/12/stable-channel-update.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6765
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6770
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6787

Assignee: cjw => qa-bugs

Testing complete mga5 32

Ensured chromium-browser was required by chromium-browser stable.

Tested general browsing, bookmarks, addons, spellcheck, html5 video (No flash in chromium without google chrome also installed) sunspider/jetstream javascript & mp3 playback.

http://browserbench.org/JetStream/
http://www.mfiles.co.uk/mp3-downloads/jingle-bells-guitar-glenn-jarrett.mp3

Whiteboard: (none) => mga5-32-ok
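
The fuzz difference discussed earlier in this thread (no fuzz option on Cauldron, --fuzz=0 on mga5), as an added example that is not part of the bug report: a hunk whose last context line is stale is rejected at fuzz 0 but applied at GNU patch's default fuzz of 2. It assumes GNU patch is installed; f.txt, stale.patch and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added demo: one stale hunk applied with and without fuzz (GNU patch assumed).
# f.txt, stale.patch and their contents are constructed for this example.
LC_ALL=C; export LC_ALL   # keep patch's messages in English for the grep below

make_fixture() {
    mkdir -p "$1/a"
    printf '%s\n' one two three four five six seven eight nine > "$1/a/f.txt"
    # Unified diff whose last context line ("STALE eight") does not match
    # f.txt ("eight"), like the incorrect last context line in the thread.
    printf '%s\n' '--- a/f.txt' '+++ b/f.txt' '@@ -2,7 +2,7 @@' \
        ' two' ' three' ' four' '-five' '+FIVE' \
        ' six' ' seven' ' STALE eight' > "$1/stale.patch"
}

# try_patch DIR FUZZ: apply stale.patch to a fresh copy in DIR/work.
# Returns patch's exit status (0 = applied, 1 = at least one hunk rejected).
try_patch() {
    rm -rf "$1/work" && cp -r "$1/a" "$1/work" || return 2
    (cd "$1/work" &&
        patch -p1 --fuzz="$2" --no-backup-if-mismatch < ../stale.patch)
}

# fuzzy_hunks LOG: count hunks that applied only because context was ignored.
fuzzy_hunks() {
    grep -c 'with fuzz' "$1"
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
for fuzz in 0 2; do        # 2 is what GNU patch uses when no option is given
    if try_patch "$demo_dir" "$fuzz" > "$demo_dir/log" 2>&1
    then echo "--fuzz=$fuzz: applied, fuzzy hunks: $(fuzzy_hunks "$demo_dir/log")"
    else echo "--fuzz=$fuzz: rejected"
    fi
done
rm -rf "$demo_dir"
```

A "with fuzz" line in a build log means the hunk was placed against context that differs from what the patch was written for; building with --fuzz=0 turns that drift into a build failure that has to be looked at.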
claire robinson
2015-12-07 16:33:49 CET
Whiteboard: mga5-32-ok => has_procedure mga5-32-ok

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
chromium-browser

default install of chromium-browser

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-46.0.2490.86-1.mga5.x86_64 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
https://www.youtube.com/
http://www.cnn.com/videos
http://www.amazon.com/
http://picasaweb.google.com/lh/explore#
http://www.standaard.be
all display properly

install chromium-browser from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-47.0.2526.73-1.mga5.x86_64 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
https://www.youtube.com/
http://www.cnn.com/videos
http://www.amazon.com/
http://picasaweb.google.com/lh/explore#
http://www.standaard.be
all display properly

CC: (none) => wilcal.int

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
claire robinson
2015-12-08 17:12:33 CET
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure advisory mga5-32-ok mga5-64-ok

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0467.html

Status: NEW => RESOLVED