Bug 11361 - chromium-browser-stable new security issues fixed in 30.0.1599.66
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/570682/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-32...
Keywords: validated_update
 
Reported: 2013-10-02 18:38 CEST by David Walser
Modified: 2013-10-28 22:14 CET
Source RPM: chromium-browser-stable-29.0.1547.65-1.mga3.src.rpm

Description David Walser 2013-10-02 18:38:15 CEST
Upstream has released version 30.0.1599.66 on October 1:
http://googlechromereleases.blogspot.ro/2013/10/stable-channel-update.html

This fixes a handful of new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

Comment 1 David Walser 2013-10-09 03:39:45 CEST
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory is not available yet.

I don't know what it means or if it matters, but there was a file called chrome-remote-desktop.pak in the previous packages that is no longer available in this update.

Packages uploaded:
-----------------
chromium-browser-stable-30.0.1599.66-1.mga2
chromium-browser-30.0.1599.66-1.mga2
chromium-browser-stable-30.0.1599.66-1.mga3
chromium-browser-30.0.1599.66-1.mga3

from SRPMS:
chromium-browser-stable-30.0.1599.66-1.mga2.src.rpm
chromium-browser-stable-30.0.1599.66-1.mga3.src.rpm
Comment 2 claire robinson 2013-10-09 08:38:25 CEST
That sounds like the browser addon..
https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en
Comment 3 claire robinson 2013-10-09 09:01:14 CEST
It seems apps update automatically and silently now, so it is probably nothing to worry about: http://chrome.blogspot.co.uk/2013/09/a-new-breed-of-chrome-apps.html
Comment 4 claire robinson 2013-10-09 10:08:42 CEST
Testing complete mga3 32 & 64

Usual browser tests, java, flash, addons, https, general browsing stuff.
Comment 5 claire robinson 2013-10-09 13:24:51 CEST
Testing complete mga2 32
Comment 6 claire robinson 2013-10-09 14:05:17 CEST
Testing complete mga2 64

Ready for validating.

Advisory 11361.adv uploaded. It will need to be updated with the description and any references before passing to sysadmins please.
Comment 7 claire robinson 2013-10-14 09:30:02 CEST
Still need an advisory for this one please.
Comment 8 David Walser 2013-10-14 17:22:06 CEST
Debian still hasn't updated theirs, and the upstream blog post only lists some of the CVEs fixed, without any details.  Do we want to push this and do the advisory later or just wait?
Comment 9 claire robinson 2013-10-14 17:30:19 CEST
We usually treat browser updates as high priority, probably best to push with a temporary advisory and update it later.
Comment 10 claire robinson 2013-10-14 17:37:37 CEST
Added the advisory as..

+  This updates chromium-browser to the latest stable version, fixing
+  multiple security vulnerabilities.
+  
+  This advisory will be updated later when full details become available.
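
Review bot: the first added line says "the latest stable version" without naming it, so the description stops being accurate as soon as upstream ships another release; state the version from the bug title (30.0.1599.66) in the text. The added lines also carry no upstream reference or CVE identifiers, so a reader of the interim advisory cannot tell which fixes it covers; include the upstream release-notes link alongside this text until the full list is available.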

Validating.

Could sysadmin please push to updates

Thanks!
Comment 11 David Walser 2013-10-14 17:41:42 CEST
Claire, please add a reference to the advisory:
http://googlechromereleases.blogspot.ro/2013/10/stable-channel-update.html
Comment 12 claire robinson 2013-10-14 17:46:07 CEST
Done.
Comment 13 David Walser 2013-10-17 19:04:26 CEST
openSUSE has issued an advisory for this on October 16:
http://lists.opensuse.org/opensuse-updates/2013-10/msg00027.html

Their advisory doesn't have any more details than the upstream one does.

There are supposed to be 50 security fixes, but only 19 CVEs are listed:
- Security fixes:
  - CVE-2013-2906: Races in Web Audio
  - CVE-2013-2907: Out of bounds read in Window.prototype object
  - CVE-2013-2908: Address bar spoofing related to the "204 No Content"
                   status code
  - CVE-2013-2909: Use after free in inline-block rendering
  - CVE-2013-2910: Use-after-free in Web Audio
  - CVE-2013-2911: Use-after-free in XSLT
  - CVE-2013-2912: Use-after-free in PPAPI
  - CVE-2013-2913: Use-after-free in XML document parsing
  - CVE-2013-2914: Use after free in the Windows color chooser dialog
  - CVE-2013-2915: Address bar spoofing via a malformed scheme
  - CVE-2013-2916: Address bar spoofing related to the "204 No Content"
                   status code
  - CVE-2013-2917: Out of bounds read in Web Audio
  - CVE-2013-2918: Use-after-free in DOM
  - CVE-2013-2919: Memory corruption in V8
  - CVE-2013-2920: Out of bounds read in URL parsing
  - CVE-2013-2921: Use-after-free in resource loader
  - CVE-2013-2922: Use-after-free in template element
  - CVE-2013-2923: Various fixes from internal audits, fuzzing and other
                   initiatives
  - CVE-2013-2924: Use-after-free in ICU. Upstream bug
Comment 14 Thomas Backlund 2013-10-17 22:03:23 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0306.html
Comment 15 claire robinson 2013-10-21 14:18:51 CEST
Re-opening.

There is also a tainted SRPM for this on mga3 which wasn't listed/added/pushed.

Added chromium-browser-stable-30.0.1599.66-1.mga3.tainted to advisory.

Could sysadmin please push it to updates.

Thanks!
Comment 16 claire robinson 2013-10-21 14:28:48 CEST
Hmm, actually, I'm not seeing it in the repo. Was tainted built for this?
Comment 17 claire robinson 2013-10-21 14:45:38 CEST
Removed tainted srpm from the advisory again, for now, as it seems to be missing from the mirrors so I'm unable to test it.

Checking svnweb, there was a change to this for 30 so it looks to be an issue and could need a rebuild. It appears it is actually intended to be present though, although not listed with the srpms.
Comment 18 David Walser 2013-10-21 18:59:03 CEST
I'm guessing it was forgotten at the time.  I've just pushed it to the build system for Mageia 3 tainted/updates_testing.
Comment 19 claire robinson 2013-10-21 20:20:15 CEST
Thanks David, removing mga3 whiteboard for now.

Note to testers: When it lands, this is just the tainted packages which were missed previously.

Chromium-browser-stable & chromium-browser from tainted updates testing. One should require the other, I don't recall which one is which.

It should be able to play MP3s.
Comment 20 claire robinson 2013-10-21 20:32:40 CEST
Advisory updated and CVE list from comment 13 added.
Comment 21 claire robinson 2013-10-21 20:42:13 CEST
See here for previous tainted testing:
https://bugs.mageia.org/show_bug.cgi?id=10804#c7
Comment 22 claire robinson 2013-10-22 18:17:56 CEST
Testing complete. Re-Validating.

Could sysadmin please push the missing chromium-browser-stable from 3 tainted updates testing to updates. Advisory was updated in comment 20.

Thanks!
Comment 23 Thomas Backlund 2013-10-25 23:19:35 CEST
Tainted build pushed.
Comment 24 David Walser 2013-10-28 22:12:17 CET
The Debian advisory is finally available.  It lists a few more CVEs (2925 through 2928):
http://www.debian.org/security/2013/dsa-2785
Comment 25 David Walser 2013-10-28 22:14:24 CET
(In reply to David Walser from comment #24)
> The Debian advisory is finally available.  It lists a few more CVEs (2925
> through 2928):
> http://www.debian.org/security/2013/dsa-2785

Ahh, this would be because there's a newer version of Chromium fixing these:
http://googlechromereleases.blogspot.com/2013/10/stable-channel-update_15.html

And an even newer version fixing a regression:
http://googlechromereleases.blogspot.com/2013/10/stable-channel-update_22.html

Time for another update :o(
