Debian has issued an advisory on July 17:
http://www.debian.org/security/2013/dsa-2724

This corresponds to the following upstream announcement:
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html

Strangely, that announcement doesn't indicate an update available for Linux.

Stable channel is up to 28.0.1500.72:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Whiteboard: (none) => MGA3TOO, MGA2TOO
I downloaded the Linux Google Chrome from the stable channel, and it is 28.0.1500.71, so either they forgot to list it in the announcement, or it was pushed to the stable channel for Linux later and they didn't announce it.

Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Note: the Mageia 3 update also includes a tainted build.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

The HTTPS implementation does not ensure that headers are terminated by \r\n\r\n (carriage return, newline, carriage return, newline) (CVE-2013-2853).

Chrome does not properly prevent pop-under windows (CVE-2013-2867).

common/extensions/sync_helper.cc proceeds with sync operations for NPAPI extensions without checking for a certain plugin permission setting (CVE-2013-2868).

Denial of service (out-of-bounds read) via a crafted JPEG2000 image (CVE-2013-2869).

Use-after-free vulnerability in network sockets (CVE-2013-2870).

Use-after-free vulnerability in input handling (CVE-2013-2871).

Use-after-free vulnerability in resource loading (CVE-2013-2873).

Out-of-bounds read in SVG file handling (CVE-2013-2875).

Chrome does not properly enforce restrictions on the capture of screenshots by extensions, which could lead to information disclosure from previous page visits (CVE-2013-2876).

Out-of-bounds read in text handling (CVE-2013-2878).

The circumstances in which a renderer process can be considered a trusted process for sign-in and subsequent sync operations were not properly checked (CVE-2013-2879).

The Chrome 28 development team found various issues from internal fuzzing, audits, and other studies (CVE-2013-2880).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2880
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html
http://www.debian.org/security/2013/dsa-2724
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-28.0.1500.71-1.mga2
chromium-browser-28.0.1500.71-1.mga2
chromium-browser-stable-28.0.1500.71-1.mga3
chromium-browser-28.0.1500.71-1.mga3

Updated packages in tainted/updates_testing:
========================
chromium-browser-stable-28.0.1500.71-1.mga3
chromium-browser-28.0.1500.71-1.mga3

from SRPMS:
chromium-browser-stable-28.0.1500.71-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.71-1.mga3.src.rpm
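
Added example (not part of the original bug thread): a shell check that flags chromium-browser packages older than the 28.0.1500.71 build listed in this advisory. The sample package lines reuse names that appear in this thread; the function names and the dotted-number comparison are assumptions of this example, and rpm's own version ordering remains the authority on a real system.

```sh
# Added example, not from the thread: flag packages predating the fixed build.
FIXED_VERSION="28.0.1500.71"   # from the advisory's package list

# version_lt A B: succeed when dotted numeric version A is older than B.
# Assumption: every component is a plain decimal number.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# pkg_version NVR: print VERSION from name-version-release[.arch].
pkg_version() {
    nv=${1%-*}                 # drop "-release[.arch]"
    printf '%s\n' "${nv##*-}"  # keep what follows the last remaining dash
}

# audit: read `rpm -qa` style lines on stdin, report each chromium-browser
# package, and return 1 if any of them is older than FIXED_VERSION.
audit() {
    rc=0
    while IFS= read -r pkg; do
        case $pkg in chromium-browser-*) ;; *) continue ;; esac
        if version_lt "$(pkg_version "$pkg")" "$FIXED_VERSION"; then
            echo "OUTDATED $pkg"; rc=1
        else
            echo "OK $pkg"
        fi
    done
    return $rc
}

# Constructed input: package names as they appear in this thread.
sample_packages() {
    printf '%s\n' \
        "chromium-browser-stable-28.0.1500.45-1.mga2.i586" \
        "chromium-browser-28.0.1500.71-1.mga2.x86_64" \
        "gstreamer1.0-plugins-base-1.0.5-2.mga3"
}

sample_packages | audit || echo "update needed"
```

On an installed system the same function can read the live package list with `rpm -qa | audit`.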
Version: Cauldron => 3
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
No specific exploits on SecurityFocus, CVE-2013-2853 says "with readily available tools".

Testing general function mga3-64
CC: (none) => wrw105
Mga3-64 tainted OK

tested javascript http://www.webkit.org/perf/sunspider/sunspider.html
Java at javatester.org
video on youtube
general browsing
MGA2-32-OK

in VirtualBox

install chromium-browser-stable-28.0.1500.45-1.mga2.i586 from core release

Test using
http://www.cnn.com
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
http://www.webkit.org/perf/sunspider/sunspider.html
http://www.youtube.com/
All successful

install chromium-browser-stable-28.0.1500.71-1.mga2.i586 from core updates_testing

Rerun testing with the same above websites.
All successful

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G i915G LGA775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
4GB (2 x 2GB) DDR400 PC-3200
VirtualBox 4.2.16
CC: (none) => wilcal.int
Whiteboard: MGA2TOO => MGA2TOO MGA2-32-OK
MGA2-64-OK

in VirtualBox

install chromium-browser-28.0.1500.45-1.mga2.x86_64 from core release

Test using
http://www.cnn.com
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
http://www.webkit.org/perf/sunspider/sunspider.html
http://www.youtube.com/
All successful

install chromium-browser-28.0.1500.71-1.mga2.x86_64 from core updates_testing

Rerun testing with the same above websites.
All successful

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G i915G LGA775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
4GB (2 x 2GB) DDR400 PC-3200
VirtualBox 4.2.16
Whiteboard: MGA2TOO MGA2-32-OK => MGA2TOO MGA2-32-OK MGA2-64-OK
3 SRPMs as this has tainted in mga3

chromium-browser-stable-28.0.1500.71-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.71-1.mga3.src.rpm
chromium-browser-stable-28.0.1500.71-1.mga3.tainted.src.rpm
Testing mga3 64

Looking into why this has a tainted version now, it appears it allows it to support proprietary codecs, like mp3, natively. It does try and play mp3's with the tainted version but doesn't actually manage it. I think there may be a missing require or wrong path on the tainted version for the actual codec libraries. There is nothing obvious when run under strace.

$ chromium-browser any-old.mp3

Using the tainted version it opens with a player but doesn't do anything further.

It's the same when opening an mp3 online. eg.
http://twit.cachefly.net/audio/twig/twig0207/twig0207.mp3

Is this something that can be fixed now or should I create a new bug for it?
Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK => MGA2TOO MGA2-32-OK MGA2-64-OK feedback
Apart from the above, it's OK core & tainted.
Tested mga3 32 with similar results all OK apart from comment 7.
(In reply to claire robinson from comment #7)
> Testing mga3 64
>
> Looking into why this has a tainted version now, it appears it allows it to
> support proprietary codecs, like mp3, natively. It does try and play mp3's
> with the tainted version but doesn't actually manage it. I think there may
> be a missing require or wrong path on the tainted version for the actual
> codec libraries. There is nothing obvious when run under strace.
>
> $ chromium-browser any-old.mp3
>
> Using the tainted version it opens with a player but doesn't do anything
> further.
>
> It's the same when opening an mp3 online. eg.
> http://twit.cachefly.net/audio/twig/twig0207/twig0207.mp3
>
> Is this something that can be fixed now or should I create a new bug
> for it?

Yes, please create a new bug for it and assign to dmorgan. It'd be cool to have it fixed, but I wouldn't hold your breath. Last time I talked to him, he wasn't sure the tainted build actually provided anything different, and he's already eliminated the tainted build in Cauldron. Maybe your discovery will help though, so thanks for that.

The only difference in the tainted build is enabling a build option called "proprietary codecs."

ROSA typically builds tainted-type stuff in their normal repos, but I see this from their chromium-browser-stable changelog in March of this year:
"- do not build proprietary codecs, they break webm"

I do see this in their BuildRequires and not in ours, not sure if it matters:
pkgconfig(gstreamer-plugins-base-1.0)
Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK feedback => MGA2TOO MGA2-32-OK MGA2-64-OK
IIUC the proprietary codecs thing is to allow chromium to try to play certain file types.

http://www.chromium.org/audio-video

proprietary_codecs
Alters the list of codecs Chromium claims to support, which affects <source> and canPlayType() behaviour
Default: 0
Values:
0 - <source> and canPlayType() assume the default set of codecs
1 - <source> and canPlayType() assume they support additional proprietary codecs

Looking at the spec it seems to use a static ffmpeg.

gstreamer plugins installed but I notice gst 1.0 plugins only has one tainted package. Maybe relevant.

$ rpm -qa | grep gstreamer1.0-plugins
gstreamer1.0-plugins-bad-1.0.5-4.mga3
gstreamer1.0-plugins-ugly-1.0.5-2.mga3.tainted
gstreamer1.0-plugins-base-1.0.5-2.mga3
gstreamer1.0-plugins-good-1.0.5-2.mga3

$ rpm -qa | grep gstreamer0.10-plugins
gstreamer0.10-plugins-good-0.10.31-4.mga3
gstreamer0.10-plugins-base-0.10.36-3.mga3
gstreamer0.10-plugins-bad-0.10.23-11.mga3.tainted
gstreamer0.10-plugins-ugly-0.10.19-5.mga3.tainted

Adding whiteboard tags. I'll create a new bug for this issue then and validate this one as soon as I've uploaded the advisory.
Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK => MGA2TOO MGA2-32-OK MGA2-64-OK mga3-32-ok mga3-64-ok
Bug 10828 created for the codec issue.

Validating. Advisory from comment 1 uploaded with srpm list from comment 6.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates and 3 tainted/updates_testing to tainted/updates.

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
hello, https://bugs.mageia.org/show_bug.cgi?id=9851 about google sync was resolved, maybe you can add the key?
We can add it for the next update.
Update pushed: http://advisories.mageia.org/MGASA-2013-0234.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED