Bug 10804 - chromium-browser-stable new security issues fixed in 28.0.1500.71
Summary: chromium-browser-stable new security issues fixed in 28.0.1500.71
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/559695/
Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK mga3-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-07-19 19:47 CEST by David Walser
Modified: 2013-07-26 13:52 CEST (History)
4 users

See Also:
Source RPM: chromium-browser-stable-28.0.1500.45-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-19 19:47:13 CEST
Debian has issued an advisory on July 17:
http://www.debian.org/security/2013/dsa-2724

This corresponds to the following upstream announcement:
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html

Strangely, that announcement doesn't indicate an update available for Linux.

Stable channel is up to 28.0.1500.72:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-19 19:47:30 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-07-23 00:18:49 CEST
I downloaded the Linux Google Chrome from the stable channel, and it is 28.0.1500.71, so either they forgot to list it in the announcement, or it was pushed to the stable channel for Linux later and they didn't announce it.

Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Note: the Mageia 3 update also includes a tainted build.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

The HTTPS implementation does not ensure that headers are terminated by
\r\n\r\n (carriage return, newline, carriage return, newline)
(CVE-2013-2853).

Chrome does not properly prevent pop-under windows (CVE-2013-2867).

common/extensions/sync_helper.cc proceeds with sync operations for NPAPI
extensions without checking for a certain plugin permission setting
(CVE-2013-2868).

Denial of service (out-of-bounds read) via a crafted JPEG2000 image
(CVE-2013-2869).

Use-after-free vulnerability in network sockets (CVE-2013-2870).

Use-after-free vulnerability in input handling (CVE-2013-2871).

Use-after-free vulnerability in resource loading (CVE-2013-2873).

Out-of-bounds read in SVG file handling (CVE-2013-2875).

Chrome does not properly enforce restrictions on the capture of screenshots
by extensions, which could lead to information disclosure from previous page
visits (CVE-2013-2876).

Out-of-bounds read in text handling (CVE-2013-2878).

The circumstances in which a renderer process can be considered a trusted
process for sign-in and subsequent sync operations were not properly
checked (CVE-2013-2879).

The chrome 28 development team found various issues from internal fuzzing,
audits, and other studies (CVE-2013-2880).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2880
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update.html
http://www.debian.org/security/2013/dsa-2724
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-28.0.1500.71-1.mga2
chromium-browser-28.0.1500.71-1.mga2
chromium-browser-stable-28.0.1500.71-1.mga3
chromium-browser-28.0.1500.71-1.mga3

Updated packages in tainted/updates_testing:
========================
chromium-browser-stable-28.0.1500.71-1.mga3
chromium-browser-28.0.1500.71-1.mga3

from SRPMS:
chromium-browser-stable-28.0.1500.71-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.71-1.mga3.src.rpm

Version: Cauldron => 3
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
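
The CVE-2013-2853 entry in the advisory above concerns a client that treats a header block as complete without insisting on the exact CRLF CRLF terminator. The Python below is an added illustration, not code from the advisory or from Chromium: it puts a lenient header splitter beside a strict one and runs both over constructed sample responses, so the reader can see which inputs only the strict version rejects.

```python
import re

CRLF = b"\r\n"
HEADER_END = CRLF + CRLF  # the only terminator the strict parser accepts


class MalformedHeaders(ValueError):
    """Raised when a response's header block is not well-formed."""


def parse_headers_lenient(raw: bytes):
    """Lenient split, shown for contrast: ends the header block at the first
    blank line whatever line ending the sender used (CRLF, LF, or a mix).
    Returns (status_line, raw_header_lines, body) or None if no blank line."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        return None
    head, body = raw[:m.start()], raw[m.end():]
    lines = re.split(rb"\r?\n", head)
    return lines[0].decode("latin-1"), lines[1:], body


def parse_headers_strict(raw: bytes):
    """Hardened split: the block must end with an exact CRLF CRLF and every
    line inside it must be CRLF-terminated. A bare CR or LF, or a truncated
    buffer, raises instead of being guessed at."""
    end = raw.find(HEADER_END)
    if end == -1:
        raise MalformedHeaders("header block not terminated by CRLF CRLF")
    head, body = raw[:end], raw[end + len(HEADER_END):]
    lines = head.split(CRLF)
    for line in lines:
        if b"\r" in line or b"\n" in line:
            raise MalformedHeaders("bare CR or LF inside header block: %r" % line)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise MalformedHeaders("invalid header line: %r" % line)
        headers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def strict_accepts(raw: bytes) -> bool:
    """True if the strict parser accepts the response bytes."""
    try:
        parse_headers_strict(raw)
        return True
    except MalformedHeaders:
        return False


# Constructed sample responses (not captured traffic).
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
BARE_LF = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\n\n<html>"   # LF-only blank line
TRUNCATED = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"      # terminator never arrives
```

The lenient splitter happily returns a body for BARE_LF, while the strict one refuses both BARE_LF and TRUNCATED and only accepts GOOD.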

Comment 2 Bill Wilkinson 2013-07-23 02:17:35 CEST
No specific exploits on SecurityFocus, CVE-2013-2853 says "with readily available tools". Testing general function mga3-64

CC: (none) => wrw105

Comment 3 Bill Wilkinson 2013-07-23 03:38:33 CEST
Mga3-64 tainted OK

tested javascript http://www.webkit.org/perf/sunspider/sunspider.html

Java at javatester.org

video on youtube

general browsing
Comment 4 William Kenney 2013-07-23 06:35:01 CEST
MGA2-32-OK

in VirtualBox

install chromium-browser-stable-28.0.1500.45-1.mga2.i586 from core release

Test using

http://www.cnn.com
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
http://www.webkit.org/perf/sunspider/sunspider.html
http://www.youtube.com/
All successful

install chromium-browser-stable-28.0.1500.71-1.mga2.i586 from core updates_testing
Rerun testing with the same above websites. All successful

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvel Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200
 VirtualBox 4.2.16

CC: (none) => wilcal.int
Whiteboard: MGA2TOO => MGA2TOO MGA2-32-OK

Comment 5 William Kenney 2013-07-23 07:00:35 CEST
MGA2-64-OK

in VirtualBox

install chromium-browser-28.0.1500.45-1.mga2.x86_64 from core release

Test using

http://www.cnn.com
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
http://www.webkit.org/perf/sunspider/sunspider.html
http://www.youtube.com/
All successful

install chromium-browser-28.0.1500.71-1.mga2.x86_64 from core updates_testing
Rerun testing with the same above websites. All successful

Test platform:
 Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
 GigaByte GA-81915G i915G LGA775 MoBo
  Marvel Yukon 88E8001 Gigabit LAN
  Intel High Def Audio (snd-hda-intel)
  Intel Graphics Media Accelerator 900 (Intel 82915G)
 4GB (2 x 2GB) DDR400 PC-3200
 VirtualBox 4.2.16

Whiteboard: MGA2TOO MGA2-32-OK => MGA2TOO MGA2-32-OK MGA2-64-OK

Comment 6 claire robinson 2013-07-23 08:14:42 CEST
3 SRPMs as this has tainted in mga3

chromium-browser-stable-28.0.1500.71-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.71-1.mga3.src.rpm
chromium-browser-stable-28.0.1500.71-1.mga3.tainted.src.rpm
Comment 7 claire robinson 2013-07-23 09:14:59 CEST
Testing mga3 64

Looking into why this has a tainted version now, it appears it allows it to support proprietary codecs, like mp3, natively. It does try and play mp3s with the tainted version but doesn't actually manage it. I think there may be a missing require or wrong path on the tainted version for the actual codec libraries. There is nothing obvious when run under strace.

$ chromium-browser any-old.mp3

Using the tainted version it opens with a player but doesn't do anything further.

It's the same when opening an mp3 online. eg.
http://twit.cachefly.net/audio/twig/twig0207/twig0207.mp3

Is this something that can be fixed now or should I create a new bug for it?

Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK => MGA2TOO MGA2-32-OK MGA2-64-OK feedback

Comment 8 claire robinson 2013-07-23 09:16:46 CEST
Apart from the above, it's OK core & tainted.
Comment 9 claire robinson 2013-07-23 10:05:22 CEST
Tested mga3 32 with similar results all OK apart from comment 7.
Comment 10 David Walser 2013-07-23 14:28:43 CEST
(In reply to claire robinson from comment #7)
> Testing mga3 64
> 
> Looking into why this has a tainted version now, it appears it allows it to
> support proprietary codecs, like mp3, natively. It does try and play mp3s
> with the tainted version but doesn't actually manage it. I think there may
> be a missing require or wrong path on the tainted version for the actual
> codec libraries. There is nothing obvious when run under strace.
> 
> $ chromium-browser any-old.mp3
> 
> Using the tainted version it opens with a player but doesn't do anything
> further.
> 
> It's the same when opening an mp3 online. eg.
> http://twit.cachefly.net/audio/twig/twig0207/twig0207.mp3
> 
> Is this something that can be fixed now or should I create a new bug
> for it?

Yes, please create a new bug for it and assign to dmorgan.  It'd be cool to have it fixed, but I wouldn't hold your breath.  Last time I talked to him, he wasn't sure the tainted build actually provided anything different, and he's already eliminated the tainted build in Cauldron.  Maybe your discovery will help though, so thanks for that.

The only difference in the tainted build is enabling a build option called "proprietary codecs." ROSA typically builds tainted-type stuff in their normal repos, but I see this from their chromium-browser-stable changelog in March of this year:
"- do not build proprietary codecs, they break webm"

I do see this in their BuildRequires and not in ours, not sure if it matters:
pkgconfig(gstreamer-plugins-base-1.0)

Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK feedback => MGA2TOO MGA2-32-OK MGA2-64-OK

Comment 11 claire robinson 2013-07-23 16:03:49 CEST
IIUC the proprietary codecs thing is to allow chromium to try to play certain file types. 

http://www.chromium.org/audio-video

proprietary_codecs
  Alters the list of codecs Chromium claims to support, which affects <source> and canPlayType() behaviour
  Default: 0
  Values:
    0 - <source> and canPlayType() assume the default set of codecs
    1 - <source> and canPlayType() assume they support additional proprietary codecs

Looking at the spec it seems to use a static ffmpeg. gstreamer plugins installed but I notice gst 1.0 plugins only has one tainted package. Maybe relevant.

$ rpm -qa | grep gstreamer1.0-plugins
gstreamer1.0-plugins-bad-1.0.5-4.mga3
gstreamer1.0-plugins-ugly-1.0.5-2.mga3.tainted
gstreamer1.0-plugins-base-1.0.5-2.mga3
gstreamer1.0-plugins-good-1.0.5-2.mga3

$ rpm -qa | grep gstreamer0.10-plugins
gstreamer0.10-plugins-good-0.10.31-4.mga3
gstreamer0.10-plugins-base-0.10.36-3.mga3
gstreamer0.10-plugins-bad-0.10.23-11.mga3.tainted
gstreamer0.10-plugins-ugly-0.10.19-5.mga3.tainted

Adding whiteboard tags. I'll create a new bug for this issue then and validate this one as soon as I've uploaded the advisory.

Whiteboard: MGA2TOO MGA2-32-OK MGA2-64-OK => MGA2TOO MGA2-32-OK MGA2-64-OK mga3-32-ok mga3-64-ok

Comment 12 claire robinson 2013-07-23 16:24:06 CEST
Bug 10828 created for the codec issue.

Validating. Advisory from comment 1 uploaded with srpm list from comment 6.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates
and 3 tainted/updates_testing to tainted/updates.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Manuel Hiebel 2013-07-24 08:00:16 CEST
Hello, https://bugs.mageia.org/show_bug.cgi?id=9851 about Google sync was resolved; maybe you can add the key?
Comment 14 David Walser 2013-07-24 11:56:18 CEST
We can add it for the next update.
Comment 15 Thomas Backlund 2013-07-26 13:52:58 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0234.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
