Upstream has released version 39.0.2171.65 today (November 18):
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
This fixes a handful of new security issues.
This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
There were a couple intermediate bugfix releases since our last update:
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
If someone wants to push a build for this, please wait until the previous update (Bug 14258) has its tainted version pushed to updates, as it was missed.
CC: (none) => cjw
Updated packages are ready for testing:

MGA4
SRPMS:
chromium-browser-stable-39.0.2171.65-1.mga4.src.rpm
RPMS:
chromium-browser-39.0.2171.65-1.mga4.i586.rpm
chromium-browser-stable-39.0.2171.65-1.mga4.i586.rpm
chromium-browser-39.0.2171.65-1.mga4.x86_64.rpm
chromium-browser-stable-39.0.2171.65-1.mga4.x86_64.rpm

MGA3
SRPMS:
chromium-browser-stable-39.0.2171.65-1.mga3.src.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.tainted.src.rpm
RPMS:
chromium-browser-39.0.2171.65-1.mga3.i586.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.i586.rpm
chromium-browser-39.0.2171.65-1.mga3.x86_64.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.x86_64.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.tainted.i586.rpm
chromium-browser-39.0.2171.65-1.mga3.tainted.i586.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.tainted.x86_64.rpm
chromium-browser-39.0.2171.65-1.mga3.tainted.x86_64.rpm

Advisory TBD.
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO
Proposed advisory:

This updates chromium-browser to the latest stable version, fixing multiple security vulnerabilities, amongst others:

CVE-2014-7899: Address bar spoofing.
CVE-2014-7900: Use-after-free in pdfium.
CVE-2014-7901: Integer overflow in pdfium.
CVE-2014-7902: Use-after-free in pdfium.
CVE-2014-7903: Buffer overflow in pdfium.
CVE-2014-7904: Buffer overflow in Skia.
CVE-2014-7905: Flaw allowing navigation to intents that do not have the BROWSABLE category.
CVE-2014-7906: Use-after-free in pepper plugins.
CVE-2014-0574: Double-free in Flash.
CVE-2014-7907: Use-after-free in blink.
CVE-2014-7908: Integer overflow in media.
CVE-2014-7909: Uninitialized memory read in Skia.
CVE-2014-7910: Various fixes from internal audits, fuzzing and other initiatives.

References:
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7910

[Nobody has added the pdf reader library to our packages yet so maybe the pdfium related issues should be removed?]
Tarball now available @ google commonstorage, it looks like I wasted a lot of time on those mga3 packages. ):
(In reply to Christiaan Welvaart from comment #3)
> [Nobody has added the pdf reader library to our packages yet so maybe the
> pdfium related issues should be removed?]
Yes, if our Chromium package doesn't have pdfium we shouldn't list those CVEs. We also shouldn't list CVE-2014-0574 because Flash is only in Chrome, not Chromium.
For the references, please include the interim announcements as well:
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
(In reply to Christiaan Welvaart from comment #4)
> Tarball now available @ google commonstorage, it looks like I wasted a lot
> of time on those mga3 packages. ):
What do you mean?
(In reply to David Walser from comment #6)
> (In reply to Christiaan Welvaart from comment #4)
> > Tarball now available @ google commonstorage, it looks like I wasted a lot
> > of time on those mga3 packages. ):
>
> What do you mean?
The source tarballs I create usually don't contain bundled ffmpeg sources (and other bundled things). For MGA4 I managed to sync chromium-browser-stable with the cauldron package which itself is halfway synced to my local chromium-browser-unstable builds; AFAIR I didn't need to change settings for the source tar. For MGA3 I didn't even try to build with system ffmpeg, so I had to create a different source tarball. If I had expected the google source tar to be released within a day I would have used that instead.
Proposed advisory v2:

This updates chromium-browser to the first stable release of chromium 39, fixing multiple security vulnerabilities, among others:

Google Chrome before 38.0.2125.101 allows remote attackers to spoof the address bar by placing a blob: substring at the beginning of the URL, followed by the original URI scheme and a long username string. (CVE-2014-7899)

Buffer overflow in Skia, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2014-7904)

Use-after-free vulnerability in the Pepper plugins in Google Chrome before 39.0.2171.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Flash content that triggers an attempted PepperMediaDeviceManager access outside of the object's lifetime. (CVE-2014-7906)

Multiple use-after-free vulnerabilities in modules/screen_orientation/ScreenOrientationController.cpp in Blink, as used in Google Chrome before 39.0.2171.65, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger improper handling of a detached frame, related to the (1) lock and (2) unlock methods. (CVE-2014-7907)

Multiple integer overflows in the CheckMov function in media/base/container_names.cc in Google Chrome before 39.0.2171.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a large atom in (1) MPEG-4 or (2) QuickTime .mov data. (CVE-2014-7908)

effects/SkDashPathEffect.cpp in Skia, as used in Google Chrome before 39.0.2171.65, computes a hash key using uninitialized integer values, which might allow remote attackers to cause a denial of service by rendering crafted data. (CVE-2014-7909)

Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2014-7910)

References:
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7910
Nice job. Just some formatting changes below. I actually removed CVE-2014-7899 because it was fixed in the last update, just not announced by Google at that time.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Buffer overflow in Skia, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-7904).

Use-after-free vulnerability in the Pepper plugins in Google Chrome before 39.0.2171.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Flash content that triggers an attempted PepperMediaDeviceManager access outside of the object's lifetime (CVE-2014-7906).

Multiple use-after-free vulnerabilities in modules/screen_orientation/ScreenOrientationController.cpp in Blink, as used in Google Chrome before 39.0.2171.65, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger improper handling of a detached frame, related to the lock and unlock methods (CVE-2014-7907).

Multiple integer overflows in the CheckMov function in media/base/container_names.cc in Google Chrome before 39.0.2171.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a large atom in MPEG-4 or QuickTime .mov data (CVE-2014-7908).

effects/SkDashPathEffect.cpp in Skia, as used in Google Chrome before 39.0.2171.65, computes a hash key using uninitialized integer values, which might allow remote attackers to cause a denial of service by rendering crafted data (CVE-2014-7909).

Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2014-7910).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7910
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
Mga4 tainted packages or srpm not listed in comment 2 but are presumably there? I've added it to the advisory which is now uploaded. Could somebody please check.
Whiteboard: MGA3TOO => MGA3TOO advisory
We appear to be missing the tainted build for mga4 IINM.
Whiteboard: MGA3TOO advisory => MGA3TOO advisory feedback
(In reply to claire robinson from comment #11)
> We appear to be missing the tainted build for mga4 IINM.
A Mageia 4 tainted build is not missing but not needed because this mga4 build uses the packaged ffmpeg libraries (so one just needs to install the tainted version of libavcodec for additional codec support). I guess I should have mentioned this earlier.
CC: (none) => remi
Whiteboard: MGA3TOO advisory feedback => MGA3TOO advisory
URL: (none) => http://lwn.net/Vulnerabilities/622349/
Tested chromium-browser-stable before and after the update on a Mageia 3 x86-64 and Mageia 4 x86-64. Everything seems to be working fine with https://www.google.com/ , https://metapcpan.org/ / etc.
CC: (none) => shlomif
Whiteboard: MGA3TOO advisory => MGA3TOO advisory MGA4-64-OK MGA3-64-OK
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
chromium-browser chromium-browser-stable

default install of chromium-browser & chromium-browser-stable

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-38.0.2125.104-1.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-38.0.2125.104-1.mga3.tainted.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/

install chromium-browser & chromium-browser-stable from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-39.0.2171.65-1.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-39.0.2171.65-1.mga3.tainted.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO advisory MGA4-64-OK MGA3-64-OK => MGA3TOO advisory MGA4-64-OK MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
chromium-browser chromium-browser-stable

default install of chromium-browser & chromium-browser-stable

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-38.0.2125.104-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-38.0.2125.104-1.mga4.tainted.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Plays a http://vimeo.com/ video

install chromium-browser & chromium-browser-stable from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-39.0.2171.65-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-39.0.2171.65-1.mga4.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Plays a http://vimeo.com/ video

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
If any are still installed could you test on these 3 https sites:
https://www.poodletest.com/
https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.howsmyssl.com/
I do not understand how we can keep doing security updates but include no info on how to launch it to use TLS rather than SSL for secure connections.
CC: (none) => cae
It's not like POODLE didn't receive any press. If people are that concerned about it, they can look it up. Frankly, most people don't need to be, because POODLE is mostly a lot of hype. If it was that big of a deal, it would have been addressed upstream more quickly. Anyway, my understanding is that there's supposed to be an easier way to disable SSLv3 in 39 and it will be disabled by default in 40. That should be sufficient to alleviate any longterm concerns.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0485.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2014-7906: http://openwall.com/lists/oss-security/2014/11/25/12