Bug 10353 - chromium-browser-stable new security issues fixed in 27.0.1453.110
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552191/
Whiteboard: MGA2TOO has_procedure feedback mga3-3...
Keywords: validated_update
Reported: 2013-05-29 23:20 CEST by David Walser
Modified: 2014-05-08 18:06 CEST

Source RPM: chromium-browser-stable-26.0.1410.65-1.mga3.src.rpm

Description David Walser 2013-05-29 23:20:46 CEST
Upstream has released 27.0.1453.93 to fix several security issues on May 21:
http://googlechromereleases.blogspot.com/2013/05/stable-channel-release.html

Stable channel is up to 27.0.1453.94:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

Debian has issued an advisory for this today (May 29):
http://lwn.net/Alerts/552188/

Comment 1 David Walser 2013-06-03 18:14:23 CEST
debian.org link for advisory is now active:
http://www.debian.org/security/2013/dsa-2695
Comment 2 David Walser 2013-06-11 18:32:53 CEST
Upstream has released 27.0.1453.110 to fix another security issue on June 4:
http://googlechromereleases.blogspot.com/2013/06/stable-channel-update.html

That's the newest version that's been announced.  The newest version in SVN is 27.0.1453.114.
http://src.chromium.org/viewvc/chrome/releases/

We currently have 27.0.1454.1 in Cauldron and mga2/mga3 updates_testing, which is actually *older* than 27.0.1453.93, and presumably doesn't fix any of these issues.
Comment 3 David Walser 2013-06-11 21:07:26 CEST
Debian has issued an advisory for the issues fixed in 27.0.1453.110 on June 10:
http://www.debian.org/security/2013/dsa-2706

from http://lwn.net/Vulnerabilities/553818/
Comment 4 David Walser 2013-06-18 17:45:31 CEST
*** Bug 10556 has been marked as a duplicate of this bug. ***
Comment 5 D Morgan 2013-06-18 18:12:57 CEST
I will update (chromium versioning is a little bit of a mess :( )
Comment 6 David Walser 2013-06-18 18:41:17 CEST
(In reply to D Morgan from comment #5)
> I will update (chromium versioning is a little bit of a mess :( )

Indeed.  Actually, it makes no sense whatsoever :o(
Comment 7 David Walser 2013-06-18 18:41:50 CEST
Changing the version assignment since Cauldron has an update already.
Comment 8 David Walser 2013-06-18 20:22:19 CEST
D Morgan has backported the updated version from Cauldron to mga2/mga3.

chromium-browser-stable-28.0.1500.45-1.mga2
chromium-browser-28.0.1500.45-1.mga2
chromium-browser-stable-28.0.1500.45-1.mga3
chromium-browser-28.0.1500.45-1.mga3

from SRPMS:

chromium-browser-stable-28.0.1500.45-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.45-1.mga3.src.rpm

This takes care of the last three stable channel updates for Linux:
http://googlechromereleases.blogspot.com/2013/05/stable-channel-release.html
http://googlechromereleases.blogspot.com/2013/06/stable-channel-update.html
http://googlechromereleases.blogspot.com/2013/06/stable-channel-update_17.html

This can be pushed to QA if it's ready.  We'll just have to flesh out an advisory.
Comment 9 David Walser 2013-06-25 00:00:16 CEST
D Morgan just told me it's ready for QA.

Packages list and references in Comment 8.  Advisory to come.
Comment 10 David Walser 2013-06-25 01:06:15 CEST
Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Use-after-free vulnerability in the SVG implementation allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via unknown vectors (CVE-2013-2837).

Google V8, as used in Chromium before 27.0.1453.93, allows remote attackers
to cause a denial of service (out-of-bounds read) via unspecified vectors
(CVE-2013-2838).

Chromium before 27.0.1453.93 does not properly perform a cast of an
unspecified variable during handling of clipboard data, which allows remote
attackers to cause a denial of service or possibly have other impact via
unknown vectors (CVE-2013-2839).

Use-after-free vulnerability in the media loader in Chromium before
27.0.1453.93 allows remote attackers to cause a denial of service or possibly
have unspecified other impact via unknown vectors (CVE-2013-2840).

Use-after-free vulnerability in Chromium before 27.0.1453.93 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors related to the handling of Pepper resources
(CVE-2013-2841).

Use-after-free vulnerability in Chromium before 27.0.1453.93 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors related to the handling of widgets (CVE-2013-2842).

Use-after-free vulnerability in Chromium before 27.0.1453.93 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors related to the handling of speech data (CVE-2013-2843).

Use-after-free vulnerability in the Cascading Style Sheets (CSS)
implementation in Chromium before 27.0.1453.93 allows remote attackers to
cause a denial of service or possibly have unspecified other impact via
vectors related to style resolution (CVE-2013-2844).

The Web Audio implementation in Google Chrome before 27.0.1453.93 allows
remote attackers to cause a denial of service (memory corruption) or possibly
have unspecified other impact via unknown vectors (CVE-2013-2845).

Use-after-free vulnerability in the media loader in Google Chrome before
27.0.1453.93 allows remote attackers to cause a denial of service or possibly
have unspecified other impact via unknown vectors (CVE-2013-2846).

Race condition in the workers implementation in Google Chrome before
27.0.1453.93 allows remote attackers to cause a denial of service
(use-after-free and application crash) or possibly have unspecified other
impact via unknown vectors (CVE-2013-2847).

The XSS Auditor in Google Chrome before 27.0.1453.93 might allow remote
attackers to obtain sensitive information via unspecified vectors
(CVE-2013-2848).

Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome before
27.0.1453.93 allow user-assisted remote attackers to inject arbitrary web
script or HTML via vectors involving a (1) drag-and-drop or
(2) copy-and-paste operation (CVE-2013-2849).

The Developer Tools API in Chromium before 27.0.1453.110 allows remote
attackers to cause a denial of service (memory corruption) or possibly have
unspecified other impact via unknown vectors (CVE-2013-2855).

Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors related to the handling of input (CVE-2013-2856).

Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors related to the handling of images (CVE-2013-2857).

Use-after-free vulnerability in the HTML5 Audio implementation in Chromium
before 27.0.1453.110 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors (CVE-2013-2858).

Chromium before 27.0.1453.110 allows remote attackers to bypass the Same
Origin Policy and trigger namespace pollution via unspecified vectors
(CVE-2013-2859).

Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors involving access to a database API by a worker process
(CVE-2013-2860).

Use-after-free vulnerability in the SVG implementation in Chromium before
27.0.1453.110 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors (CVE-2013-2861).

Skia, as used in Chromium before 27.0.1453.110, does not properly handle GPU
acceleration, which allows remote attackers to cause a denial of service
(memory corruption) or possibly have unspecified other impact via unknown
vectors (CVE-2013-2862).

Chromium before 27.0.1453.110 does not properly handle SSL sockets, which
allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption) via unspecified vectors (CVE-2013-2863).

Multiple unspecified vulnerabilities in Chromium before 27.0.1453.110 allow
attackers to cause a denial of service or possibly have other impact via
unknown vectors (CVE-2013-2865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2859
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2865
http://googlechromereleases.blogspot.com/2013/05/stable-channel-release.html
http://googlechromereleases.blogspot.com/2013/06/stable-channel-update.html
http://googlechromereleases.blogspot.com/2013/06/stable-channel-update_17.html
http://www.debian.org/security/2013/dsa-2695
http://www.debian.org/security/2013/dsa-2706
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-28.0.1500.45-1.mga2
chromium-browser-28.0.1500.45-1.mga2
chromium-browser-stable-28.0.1500.45-1.mga3
chromium-browser-28.0.1500.45-1.mga3

from SRPMS:
chromium-browser-stable-28.0.1500.45-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.45-1.mga3.src.rpm
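
Added example (not part of the bug thread or of Mageia's tooling): comment 2 says 27.0.1454.1 is actually older than 27.0.1453.93, yet it compares numerically higher, so a check that only applies the advisory's "before 27.0.1453.110" wording would clear it. The Python below instead checks hosts against the fixed package versions listed in this advisory; the installed-package sample is constructed, and versions are assumed to be purely numeric.

```python
# Package list copied from the advisory in comment 10.
ADVISORY_PACKAGES = """\
chromium-browser-stable-28.0.1500.45-1.mga2
chromium-browser-28.0.1500.45-1.mga2
chromium-browser-stable-28.0.1500.45-1.mga3
chromium-browser-28.0.1500.45-1.mga3
"""
# Threshold quoted in the CVE descriptions ("before 27.0.1453.110").
UPSTREAM_THRESHOLD = "27.0.1453.110"

# Constructed sample: `rpm -q --qf '%{NAME} %{VERSION}\n'` style output from
# three hosts, using versions that appear in the thread.
INSTALLED = """\
chromium-browser-stable 26.0.1410.65
chromium-browser-stable 27.0.1454.1
chromium-browser-stable 28.0.1500.45
"""

def dotted(version):
    """Numeric tuple for a dotted version (assumption: digits and dots only)."""
    return tuple(int(part) for part in version.split("."))

def fixed_versions(advisory_text):
    """Map package name -> fixed version from name-version-release lines."""
    fixed = {}
    for nvr in advisory_text.split():
        name, version, _release = nvr.rsplit("-", 2)
        fixed[name] = max(fixed.get(name, version), version, key=dotted)
    return fixed

def audit(installed_text, advisory_text=ADVISORY_PACKAGES):
    """Return (name, version, passes_upstream_threshold, has_advisory_fix)."""
    fixed = fixed_versions(advisory_text)
    rows = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        naive = dotted(version) >= dotted(UPSTREAM_THRESHOLD)
        patched = name in fixed and dotted(version) >= dotted(fixed[name])
        rows.append((name, version, naive, patched))
    return rows

def false_negatives(rows):
    """Versions a threshold-only check clears although the update is missing."""
    return [version for _, version, naive, patched in rows if naive and not patched]

if __name__ == "__main__":
    print(false_negatives(audit(INSTALLED)))
```
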
Comment 11 Bill Wilkinson 2013-06-25 13:26:28 CEST
The only entry on securityfocus is for 2013-2849 "Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI."

testing mga3-64
Comment 12 Bill Wilkinson 2013-06-25 14:18:32 CEST
Tested general browsing, a few YouTube videos for the Flash plugin, SunSpider for JavaScript (http://www.webkit.org/perf/sunspider/sunspider.html), javatester.org for Java.

There is no DuckDuckGo option in default search engines, which has me thinking we may be missing an opportunity there.
Comment 13 claire robinson 2013-06-25 14:38:47 CEST
Is it there if you create a new user and try chromium with that user, Bill?
Comment 14 Bill Wilkinson 2013-06-25 15:20:33 CEST
Both creating a new user on the system and creating a new chromium user under my usual account show only Google, Yahoo and Bing.
Comment 15 claire robinson 2013-06-25 15:28:55 CEST
Thanks Bill, well spotted too.

D Morgan, could you check please, many thanks.
Comment 16 Rémi Verschelde 2013-06-25 17:06:27 CEST
Testing OK on mga3 i586 (same tests as comment 12).

@D Morgan: Shouldn't we update chromium-browser from tainted too?
Comment 17 Bill Wilkinson 2013-06-26 06:00:27 CEST
Testing OK MGA2-32.  DuckDuckGo is in the list for mga2-32.  Now I'm slightly confused....
Comment 18 Samuel Verschelde 2013-06-26 11:40:26 CEST
Testing OK MGA2-64, but Rémi's question remains: what about chromium-browser from tainted repos in MGA3?
Comment 19 claire robinson 2013-06-26 15:32:20 CEST
Confirmed DDG is missing in search options for mga3

Only options available are:

Google
Yahoo
Bing
Ask Jeeves

Also the update removes a require on libminizip1
Comment 20 claire robinson 2013-06-26 15:33:00 CEST
It's also missing in release version.
Comment 21 David Walser 2013-06-28 03:30:17 CEST
The chromium-browser-stable tainted build for Mageia 3 is now available.
Comment 22 Bill Wilkinson 2013-06-29 05:08:13 CEST
Tested tainted build mga3-64 as above.  General functionality, SunSpider, Flash, Java all OK.
Comment 23 Rémi Verschelde 2013-06-29 08:44:14 CEST
Testing complete Mageia 3 i586 for the tainted build.
Comment 24 Bill Wilkinson 2013-06-29 21:00:27 CEST
Validating.

Please push from core/updates_testing to core/updates for mga2 and mga3 and tainted/updates_testing to tainted/updates for mga3.

Advisory and SRPM list in comment 10.

Thanks!
Comment 25 Dave Hodgins 2013-06-30 03:36:16 CEST
http://svnweb.mageia.org/advisories/10353.adv?view=markup&sortby=date
ready to be pushed.
Comment 26 Nicolas Vigier 2013-07-01 21:22:16 CEST
http://advisories.mageia.org/MGASA-2013-0194.html
Comment 27 David Walser 2013-07-09 18:11:39 CEST
The tainted copy for Mageia 3 has not yet been pushed to updates.
Comment 28 Thomas Backlund 2013-07-09 19:27:57 CEST
Tainted build pushed.
