Bug 10922 - chromium-browser-stable new security issues fixed in 28.0.1500.95
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/562191/
Whiteboard: MGA2TOO mga3-64-ok Mga3-32-OK mga2-32...
Keywords: validated_update
Depends on:
Blocks: 9851 10828

Reported: 2013-08-05 01:09 CEST by David Walser
Modified: 2013-08-17 10:40 CEST

Source RPM: chromium-browser-stable-28.0.1500.71-1.mga3.src.rpm

Description David Walser 2013-08-05 01:09:14 CEST
Upstream has released version 28.0.1500.95 on July 30:
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update_30.html

This fixes a handful of new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

Comment 1 David Walser 2013-08-05 20:18:02 CEST
Debian has issued an advisory for this on July 31:
http://lists.debian.org/debian-security-announce/2013/msg00143.html
Comment 2 David Walser 2013-08-15 02:04:56 CEST
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

This should also fix Bug 9851 (no Google Sync because of missing API keys).

This should also fix Bug 10828 (mp3 won't play in tainted, ffmpeg codec problem).

Note: Mageia 3 includes a tainted build.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Karthik Bhargavan discovered a way to bypass the Same Origin Policy in frame
handling (CVE-2013-2881).

Cloudfuzzer discovered a type confusion issue in the V8 JavaScript library
(CVE-2013-2882).

Cloudfuzzer discovered a use-after-free issue in MutationObserver
(CVE-2013-2883).

Ivan Fratric of the Google Security Team discovered a use-after-free issue in
the DOM implementation (CVE-2013-2884).

Ivan Fratric of the Google Security Team discovered a use-after-free issue in
input handling (CVE-2013-2885).

The Chrome 28 development team found various issues from internal fuzzing,
audits, and other studies (CVE-2013-2886).

This update provides version 28.0.1500.95, which fixes these issues.

Additionally, Google Sync should now work (mga#9851), and playing of media
files with certain codecs, such as mp3, should now work with the tainted
build (mga#10828) in Mageia 3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2886
http://googlechromereleases.blogspot.com/2013/07/stable-channel-update_30.html
https://bugs.mageia.org/show_bug.cgi?id=9851
https://bugs.mageia.org/show_bug.cgi?id=10828
http://www.debian.org/security/2013/dsa-2732
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-28.0.1500.95-1.mga2
chromium-browser-28.0.1500.95-1.mga2
chromium-browser-stable-28.0.1500.95-1.mga3
chromium-browser-28.0.1500.95-1.mga3

Updated packages in tainted/updates_testing:
========================
chromium-browser-stable-28.0.1500.95-1.mga3
chromium-browser-28.0.1500.95-1.mga3

from SRPMS:
chromium-browser-stable-28.0.1500.95-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.95-1.mga3.src.rpm
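A quick way to check whether a host already carries the fixed version, given as an added example rather than anything from the Mageia bug or advisory: the script below compares the installed chromium-browser-stable package version (or a constructed sample when rpm is not available) against 28.0.1500.95, the version that closes CVE-2013-2881 through CVE-2013-2886, using a portable field-by-field comparison of dotted numeric versions. The function names vercmp, is_fixed and installed_version are assumptions of this example, and the sample versions are constructed.

```shell
#!/bin/sh
# Added example, not from the Mageia bug or advisory: decide whether an
# installed chromium-browser-stable version already carries the fix for
# CVE-2013-2881 .. CVE-2013-2886, i.e. is 28.0.1500.95 or newer.
# Function names and sample versions are assumptions of this example.

FIXED_VERSION="28.0.1500.95"

# vercmp A B: compare two dotted numeric versions field by field.
# Prints -1 if A < B, 0 if equal, 1 if A > B. A missing trailing field
# counts as 0, so 28.0.1500 compares equal to 28.0.1500.0.
vercmp() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading numeric field of each side
        fa="${a%%.*}"
        fb="${b%%.*}"
        # drop the consumed field (and its dot), or empty out when none remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ -z "$fa" ] && fa=0
        [ -z "$fb" ] && fb=0
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' "-1"; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' "1"; return; fi
    done
    printf '%s\n' "0"
}

# is_fixed VERSION: prints "fixed" when VERSION >= FIXED_VERSION,
# otherwise "vulnerable".
is_fixed() {
    case "$(vercmp "$1" "$FIXED_VERSION")" in
        -1) printf '%s\n' "vulnerable" ;;
        *)  printf '%s\n' "fixed" ;;
    esac
}

# installed_version: reads the RPM database when rpm is present and the
# package is installed; otherwise falls back to a constructed sample
# (the pre-update mga3 version named in this bug) so the script runs anywhere.
installed_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q chromium-browser-stable >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' chromium-browser-stable
    else
        printf '%s\n' "28.0.1500.71"   # constructed sample
    fi
}

v="$(installed_version)"
printf 'chromium-browser-stable %s: %s\n' "$v" "$(is_fixed "$v")"
```

rpm's own rpmvercmp (exposed through the rpmdev-vercmp tool) is the authoritative comparison and also takes the release tag into account; the comparison above only covers the numeric version part, which is the only part that changes between the vulnerable and fixed package names listed in this bug.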
Comment 3 Bill Wilkinson 2013-08-15 02:28:02 CEST
No PoC on securityfocus. Testing mga3-64 core.
Comment 4 Bill Wilkinson 2013-08-15 03:31:07 CEST
Tested mga3-64 core OK

General browsing, Sunspider javascript, javatester, youtube testing flash.

Logged in to google sync and synced bookmarks.
Comment 5 Bill Wilkinson 2013-08-15 03:59:13 CEST
Tested mga3-64 tainted.  Same tests as above, plus playing the embedded file at http://archive.org/details/testmp3testfile to test mp3.  Main menu showed logged in as the proper gmail account.

MGA3-64 OK.
Comment 6 Bill Wilkinson 2013-08-15 04:56:50 CEST
Tested mga3-32, core as above. All OK.
Comment 7 Bill Wilkinson 2013-08-15 05:14:15 CEST
Tested mga3-32 tainted as above, all OK.
Comment 8 claire robinson 2013-08-15 07:54:35 CEST
Advisory uploaded.

There is actually a tainted srpm so 3 srpms rather than just the two listed.

chromium-browser-stable-28.0.1500.95-1.mga2.src.rpm
chromium-browser-stable-28.0.1500.95-1.mga3.src.rpm
chromium-browser-stable-28.0.1500.95-1.mga3.tainted.src.rpm

http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/3/SRPMS/tainted/updates_testing/chromium-browser-stable-28.0.1500.95-1.mga3.tainted.src.rpm
Comment 9 claire robinson 2013-08-15 08:34:21 CEST
Testing complete mga2 32 & 64

Validating

Could sysadmin please push from 2 core and 3 core & tainted to updates

Thanks!
Comment 10 David Walser 2013-08-15 17:15:08 CEST
Note that the CVE-2013-2882 issue is actually in the bundled v8 library.

Fedora has issued an advisory for this on August 3:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113963.html

As Fedora noted, the impact on Node.js is "lessened," but we may have to update nodejs at some point in the future due to this.
Comment 11 Thomas Backlund 2013-08-17 10:40:50 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0249.html