Bug 13426 - chromium-browser-stable new security issues fixed in 37.0.2062.120
Summary: chromium-browser-stable new security issues fixed in 37.0.2062.120
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601056/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-22 18:09 CEST by David Walser
Modified: 2014-10-09 16:50 CEST (History)
7 users (show)

See Also:
Source RPM: chromium-browser-stable-34.0.1847.137-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-05-22 18:09:43 CEST
Upstream has released version 35.0.1916.114 on May 20:
http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html

This fixes a handful of new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-05-22 18:11:00 CEST
This is Chromium 35, which as previously discusses, will require the Pepper Flash.

It also needs to be built with Aura (-Duse_aura=1 gyp flag) as I noted in Bug 13412.

CC: (none) => anssi.hannula
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 2 David Walser 2014-06-02 19:59:41 CEST
Debian has issued an advisory for this on May 31:
https://www.debian.org/security/2014/dsa-2939

URL: (none) => http://lwn.net/Vulnerabilities/601056/

Comment 3 David Walser 2014-06-16 16:42:13 CEST
Upstream has released version 35.0.1916.153 on June 10:
http://googlechromereleases.blogspot.com/2014/06/stable-channel-update.html

This fixes more security issues.

Debian has issued an advisory for this on June 14:
https://www.debian.org/security/2014/dsa-2959
Comment 4 David Walser 2014-06-17 14:03:19 CEST
LWN reference for 35.0.1916.153:
http://lwn.net/Vulnerabilities/602455/
David Walser 2014-06-24 20:40:30 CEST

Summary: chromium-browser-stable new security issues fixed in 35.0.1916.114 => chromium-browser-stable new security issues fixed in 35.0.1916.153

Comment 5 David Walser 2014-07-18 19:56:18 CEST
Upstream has released version 36.0.1985.125 on July 16:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 35.0.1916.153 => chromium-browser-stable new security issues fixed in 36.0.1985.125

Comment 6 David Walser 2014-08-18 23:52:21 CEST
Correct link for 36.0.1985.125:
http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html

Upstream has released version 36.0.1985.143 on August 12:
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 36.0.1985.125 => chromium-browser-stable new security issues fixed in 36.0.1985.143

Comment 7 David Walser 2014-08-31 20:13:58 CEST
Upstream has released version 37.0.2062.94 on August 26:
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 36.0.1985.143 => chromium-browser-stable new security issues fixed in 37.0.2062.94

Comment 8 David Walser 2014-09-02 20:59:57 CEST
Gentoo has issued an advisory for this on August 30:
http://www.gentoo.org/security/en/glsa/glsa-201408-16.xml

from http://lwn.net/Vulnerabilities/610416/
Comment 9 David Walser 2014-09-09 23:58:57 CEST
Upstream has released version 37.0.2062.120 today (September 9):
http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_9.html

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 37.0.2062.94 => chromium-browser-stable new security issues fixed in 37.0.2062.120

Comment 10 David Walser 2014-09-23 18:32:01 CEST
Gentoo has issued an advisory for this on September 19:
http://www.gentoo.org/security/en/glsa/glsa-201409-06.xml

from http://lwn.net/Vulnerabilities/612811/
Comment 11 Pascal Terjan 2014-10-02 02:10:22 CEST
37.0.2062.120 is in 4/updates_testing

CC: (none) => pterjan

Comment 12 Pascal Terjan 2014-10-04 00:50:14 CEST
Just a note, it is more difficult for 3 as it seems to require a more recent harfbuzz. Looking more into it.

../../third_party/WebKit/Source/platform/fonts/harfbuzz/HarfBuzzShaper.cpp: In member function 'bool WebCore::HarfBuzzShaper::shapeHarfBuzzRuns()':
../../third_party/WebKit/Source/platform/fonts/harfbuzz/HarfBuzzShaper.cpp:830:62: error: 'hb_buffer_clear_contents' was not declared in this scope
Comment 13 David Walser 2014-10-04 01:01:38 CEST
OK.  If there's a way to build with the bundled one, that would be fine.

Note the change I checked into Mageia 4 SVN (mostly the one Anssi forgot to commit) from Cauldron after you pushed the current build.
Comment 14 Pascal Terjan 2014-10-04 01:30:50 CEST
A simple patch was enough, and I had missed the change, I'll submit again for 3 and 4.
Comment 15 Pascal Terjan 2014-10-04 02:13:34 CEST
4 is uploaded and 3 should finish soon, time to sleep.
Comment 16 David Walser 2014-10-04 03:07:09 CEST
Thanks Pascal!

CC'ing the QA team just in case anyone wants to start playing with it.  Note that plugins are not supported anymore, so things like Java and Flash won't work, although Flash should if you also have Chrome installed.

TODO: update or remove in Cauldron (planning to remove before mga5) and push tainted builds.

Since we missed so many updates, I don't know how many of the CVEs along the way affect the current version that we have, so it'll be a generic advisory when I get to it.

CC: (none) => qa-bugs

Comment 17 Olivier Delaune 2014-10-07 08:03:00 CEST
I tested chromium-browser-37.0.2062.120-1.mga4 on Mageia 4 64-bits. I do not remember precisely how it was before I install this new version but for now, I am not able anymore to run Flash application.

rpm -qa | grep flash gives me
flash-player-plugin-kde-11.2.202.406-1.mga4.nonfree
flash-player-plugin-11.2.202.406-1.mga4.nonfree

Other thinks look to work fine.

CC: (none) => olivier.delaune

Comment 18 David Walser 2014-10-08 16:00:05 CEST
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Thanks again to Pascal for helping with this update.

Note to QA: there are both core and tainted builds for this package.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Several security issues and other bugs have been fixed since our previous
update.  See the upstream release announcements for details.

Note that as of version 35, the Chromium browser no longer supports browser
plugins, including Flash and Java.

If Flash functionality is needed, it is recommended to either use Firefox, or
to install the Chrome browser from Google's upstream repository.  See the
Mageia Forum topic on this for instructions on installing Chrome.

References:
http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
http://googlechromereleases.blogspot.com/2014/06/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html
http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_9.html
https://forums.mageia.org/en/viewtopic.php?t=2053
========================

Updated packages in core/updates_testing:
========================
chromium-browser-stable-37.0.2062.120-1.mga3
chromium-browser-37.0.2062.120-1.mga3
chromium-browser-stable-37.0.2062.120-1.mga4
chromium-browser-37.0.2062.120-1.mga4

Updated packages in tainted/updates_testing:
========================
chromium-browser-stable-37.0.2062.120-1.mga3
chromium-browser-37.0.2062.120-1.mga3
chromium-browser-stable-37.0.2062.120-1.mga4
chromium-browser-37.0.2062.120-1.mga4

from SRPMS:
chromium-browser-stable-37.0.2062.120-1.mga3.src.rpm
chromium-browser-stable-37.0.2062.120-1.mga4.src.rpm

CC: qa-bugs => (none)
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 19 Len Lawrence 2014-10-08 22:53:21 CEST
Testing in mga4-32.
It seemed to work fine although I only tried a couple of things.  It succeeded in importing my Firefox bookmarks.  All links worked.  Apps -> YouTube came up OK.  Did not login or play videos.

CC: (none) => tarazed25

Comment 20 Bill Wilkinson 2014-10-08 23:13:20 CEST
Tested mga4-64 core and tainted builds

Tested general browsing, acid 3 test at acidtests.org, mp3 streaming through https://archive.org/details/Test_Audio_MP3_File on Tainted build. Javatester does not work, as expected with the plugins being ended. Right clicking a youtube video shows it using the html5 player.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 21 Otto Leipälä 2014-10-08 23:24:17 CEST
Yes java and adobe flash won't work because chrome from 35 version obsoleted npapi plugin support.
http://thenextweb.com/google/2014/05/27/google-removes-npapi-apps-extensions-chrome-web-store-homepage-search-results-category-pages/

CC: (none) => ozkyster

Comment 22 Otto Leipälä 2014-10-08 23:33:48 CEST
Here is more info about those npapi plugins.
http://www.webupd8.org/2014/05/google-chrome-stable-35-for-linux.html
Comment 23 Bill Wilkinson 2014-10-09 01:28:05 CEST
Tested mga3-64, core and tainted as in comment 20 above. All OK.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok

Comment 24 claire robinson 2014-10-09 13:41:17 CEST
Testing complete mga4 32, as comment 20

Needs testing mga3 32 to validate.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga3-64-ok mga4-32-ok mga4-64-ok

claire robinson 2014-10-09 14:46:12 CEST

Whiteboard: MGA3TOO mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Comment 25 claire robinson 2014-10-09 15:05:37 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 26 claire robinson 2014-10-09 15:42:17 CEST
Validating. Advisory uploaded. Added the tainted srpms to the advisory.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 27 Mageia Robot 2014-10-09 16:50:06 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0413.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.