Bug 14596 - chromium-browser-stable new security issues fixed in 39.0.2171.65
Summary: chromium-browser-stable new security issues fixed in 39.0.2171.65
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/622349/
Whiteboard: MGA3TOO advisory MGA4-64-OK MGA3-32-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-18 23:16 CET by David Walser
Modified: 2014-11-25 21:37 CET
CC List: 6 users

See Also:
Source RPM: chromium-browser-stable-38.0.2125.104-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-11-18 23:16:44 CET
Upstream has released version 39.0.2171.65 today (November 18):
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

This fixes a handful of new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

There were a couple of intermediate bugfix releases since our last update:
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html

Comment 1 David Walser 2014-11-18 23:17:41 CET
If someone wants to push a build for this, please wait until the previous update (Bug 14258) has its tainted version pushed to updates, as it was missed.

CC: (none) => cjw

Comment 2 Christiaan Welvaart 2014-11-19 09:51:12 CET
Updated packages are ready for testing:


MGA4
SRPMS:
chromium-browser-stable-39.0.2171.65-1.mga4.src.rpm

RPMS:
chromium-browser-39.0.2171.65-1.mga4.i586.rpm
chromium-browser-stable-39.0.2171.65-1.mga4.i586.rpm
chromium-browser-39.0.2171.65-1.mga4.x86_64.rpm
chromium-browser-stable-39.0.2171.65-1.mga4.x86_64.rpm


MGA3
SRPMS:
chromium-browser-stable-39.0.2171.65-1.mga3.src.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.tainted.src.rpm

RPMS:
chromium-browser-39.0.2171.65-1.mga3.i586.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.i586.rpm
chromium-browser-39.0.2171.65-1.mga3.x86_64.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.x86_64.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.tainted.i586.rpm
chromium-browser-39.0.2171.65-1.mga3.tainted.i586.rpm
chromium-browser-stable-39.0.2171.65-1.mga3.tainted.x86_64.rpm
chromium-browser-39.0.2171.65-1.mga3.tainted.x86_64.rpm


Advisory TBD.

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO

Comment 3 Christiaan Welvaart 2014-11-19 10:03:47 CET
Proposed advisory:


This updates chromium-browser to the latest stable version, fixing
multiple security vulnerabilities, amongst others:

CVE-2014-7899: Address bar spoofing.
CVE-2014-7900: Use-after-free in pdfium.
CVE-2014-7901: Integer overflow in pdfium.
CVE-2014-7902: Use-after-free in pdfium.
CVE-2014-7903: Buffer overflow in pdfium.
CVE-2014-7904: Buffer overflow in Skia.
CVE-2014-7905: Flaw allowing navigation to intents that do not have 
               the BROWSABLE category.
CVE-2014-7906: Use-after-free in pepper plugins.
CVE-2014-0574: Double-free in Flash.
CVE-2014-7907: Use-after-free in blink.
CVE-2014-7908: Integer overflow in media.
CVE-2014-7909: Uninitialized memory read in Skia.
CVE-2014-7910: Various fixes from internal audits, fuzzing and other 
               initiatives.


References:

http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7910




[Nobody has added the pdf reader library to our packages yet so maybe the pdfium related issues should be removed?]
Comment 4 Christiaan Welvaart 2014-11-19 10:09:05 CET
Tarball now available @ google commonstorage, it looks like I wasted a lot of time on those mga3 packages. ):
Comment 5 David Walser 2014-11-19 12:48:38 CET
(In reply to Christiaan Welvaart from comment #3)
> [Nobody has added the pdf reader library to our packages yet so maybe the
> pdfium related issues should be removed?]

Yes, if our Chromium package doesn't have pdfium we shouldn't list those CVEs.  We also shouldn't list CVE-2014-0574 because Flash is only in Chrome, not Chromium.

For the references, please include the interim announcements as well:
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
Comment 6 David Walser 2014-11-19 12:48:58 CET
(In reply to Christiaan Welvaart from comment #4)
> Tarball now available @ google commonstorage, it looks like I wasted a lot
> of time on those mga3 packages. ):

What do you mean?
Comment 7 Christiaan Welvaart 2014-11-19 14:46:11 CET
(In reply to David Walser from comment #6)
> (In reply to Christiaan Welvaart from comment #4)
> > Tarball now available @ google commonstorage, it looks like I wasted a lot
> > of time on those mga3 packages. ):
> 
> What do you mean?

The source tarballs I create usually don't contain bundled ffmpeg sources (and other bundled things). For MGA4 I managed to sync chromium-browser-stable with the cauldron package which itself is halfway synced to my local chromium-browser-unstable builds; AFAIR I didn't need to change settings for the source tar.

For MGA3 I didn't even try to build with system ffmpeg, so I had to create a different source tarball. If I had expected the google source tar to be released within a day I would have used that instead.
Comment 8 Christiaan Welvaart 2014-11-20 00:10:18 CET
Proposed advisory v2:


This updates chromium-browser to the first stable release of chromium 39, fixing multiple security vulnerabilities, among others:

Google Chrome before 38.0.2125.101 allows remote attackers to spoof the address bar by placing a blob: substring at the beginning of the URL, followed by the original URI scheme and a long username string. (CVE-2014-7899)

Buffer overflow in Skia, as used in Google Chrome before 39.0.2171.65, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2014-7904)

Use-after-free vulnerability in the Pepper plugins in Google Chrome before 39.0.2171.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted Flash content that triggers an attempted PepperMediaDeviceManager access outside of the object's lifetime. (CVE-2014-7906)

Multiple use-after-free vulnerabilities in modules/screen_orientation/ScreenOrientationController.cpp in Blink, as used in Google Chrome before 39.0.2171.65, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger improper handling of a detached frame, related to the (1) lock and (2) unlock methods. (CVE-2014-7907)

Multiple integer overflows in the CheckMov function in media/base/container_names.cc in Google Chrome before 39.0.2171.65 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a large atom in (1) MPEG-4 or (2) QuickTime .mov data. (CVE-2014-7908)

effects/SkDashPathEffect.cpp in Skia, as used in Google Chrome before 39.0.2171.65, computes a hash key using uninitialized integer values, which might allow remote attackers to cause a denial of service by rendering crafted data. (CVE-2014-7909)

Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2014-7910)



References:

http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7910
Comment 9 David Walser 2014-11-20 00:19:05 CET
Nice job.  Just some formatting changes below.

I actually removed CVE-2014-7899 because it was fixed in the last update, just not announced by Google at that time.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Buffer overflow in Skia, as used in Google Chrome before 39.0.2171.65, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors (CVE-2014-7904).

Use-after-free vulnerability in the Pepper plugins in Google Chrome before
39.0.2171.65 allows remote attackers to cause a denial of service or possibly
have unspecified other impact via crafted Flash content that triggers an
attempted PepperMediaDeviceManager access outside of the object's lifetime
(CVE-2014-7906).

Multiple use-after-free vulnerabilities in
modules/screen_orientation/ScreenOrientationController.cpp in Blink, as used
in Google Chrome before 39.0.2171.65, allow remote attackers to cause a
denial of service or possibly have unspecified other impact via vectors that
trigger improper handling of a detached frame, related to the lock and unlock
methods (CVE-2014-7907).

Multiple integer overflows in the CheckMov function in
media/base/container_names.cc in Google Chrome before 39.0.2171.65 allow
remote attackers to cause a denial of service or possibly have unspecified
other impact via a large atom in MPEG-4 or QuickTime .mov data
(CVE-2014-7908).

effects/SkDashPathEffect.cpp in Skia, as used in Google Chrome before
39.0.2171.65, computes a hash key using uninitialized integer values, which
might allow remote attackers to cause a denial of service by rendering
crafted data (CVE-2014-7909).

Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors (CVE-2014-7910).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7910
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_27.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update.html
http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html
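The CVE-2014-7908 entry above (integer overflows in the CheckMov function in media/base/container_names.cc, reached through a large atom in MPEG-4 or QuickTime data) names a bug class rather than showing it. The C program below is an added illustration of that class and is not Chromium's code: a minimal MP4/QuickTime atom walker whose bounds check `offset + atom_size` is evaluated in 32-bit unsigned arithmetic, beside a hardened walker that compares the size against the remaining length by subtraction, widens to 64 bits, and handles the two special size encodings (0 means "to end of data", 1 means a 64-bit size follows). The two atom streams are constructed inline for the demonstration and are not real video files; the function names and the step cap that stops the vulnerable loop from spinning forever are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MP4/QuickTime atom headers are big-endian: 32-bit size, then 4-byte type. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Vulnerable pattern (illustrative, not Chromium's code): every bound check is
 * done in 32-bit unsigned arithmetic. For a size field near UINT32_MAX the sum
 * offset + atom_size wraps, the "fits in buffer" test passes, and the cursor
 * jumps backwards. Returns the atom count, -1 if rejected, or -2 when the
 * hypothetical max_steps cap fires (a walk that would otherwise never end). */
int walk_atoms_vulnerable(const uint8_t *buf, uint32_t len, int max_steps) {
    uint32_t offset = 0;
    int count = 0;
    while (offset + 8 <= len) {
        uint32_t atom_size = rd32(buf + offset);
        if (atom_size < 8)
            return -1;
        if (offset + atom_size > len)   /* 8 + 0xFFFFFFF8 wraps to 0, check passes */
            return -1;
        offset += atom_size;             /* wraps back to 0: first atom again */
        if (++count > max_steps)
            return -2;
    }
    return count;
}

/* Hardened pattern: "remaining" is computed by subtraction (cannot overflow),
 * the size is widened to 64 bits before comparing, and the special encodings
 * of the size field are handled explicitly. Same return convention. */
int walk_atoms_hardened(const uint8_t *buf, size_t len, int max_steps) {
    size_t offset = 0;
    int count = 0;
    while (len - offset >= 8) {
        size_t remaining = len - offset;
        uint64_t atom_size = rd32(buf + offset);
        uint64_t header = 8;
        if (atom_size == 0) {
            atom_size = remaining;          /* atom extends to end of data */
        } else if (atom_size == 1) {
            if (remaining < 16)
                return -1;
            atom_size = rd64(buf + offset + 8);
            header = 16;
        }
        if (atom_size < header || atom_size > remaining)
            return -1;                      /* does not fit: reject, never wrap */
        offset += (size_t)atom_size;
        if (++count > max_steps)
            return -2;
    }
    return offset == len ? count : -1;     /* trailing partial header is rejected too */
}

/* Constructed samples for the demonstration (not real media files). */
static size_t put_atom(uint8_t *out, uint32_t size, const char type[4]) {
    out[0] = (uint8_t)(size >> 24); out[1] = (uint8_t)(size >> 16);
    out[2] = (uint8_t)(size >> 8);  out[3] = (uint8_t)size;
    memcpy(out + 4, type, 4);
    return 8;
}
size_t build_benign(uint8_t *out) {          /* ftyp (16 bytes) + moov (8 bytes) */
    size_t n = put_atom(out, 16, "ftyp");
    memcpy(out + n, "isom\0\0\0\0", 8); n += 8;
    n += put_atom(out + n, 8, "moov");
    return n;                                /* 24 */
}
size_t build_crafted(uint8_t *out) {         /* ftyp (8 bytes) + atom claiming 0xFFFFFFF8 bytes */
    size_t n = put_atom(out, 8, "ftyp");
    n += put_atom(out + n, 0xFFFFFFF8u, "free");
    return n;                                /* 16 */
}

int main(void) {
    uint8_t b[32], c[32];
    size_t bl = build_benign(b), cl = build_crafted(c);
    printf("benign : vulnerable=%d hardened=%d\n",
           walk_atoms_vulnerable(b, (uint32_t)bl, 100), walk_atoms_hardened(b, bl, 100));
    printf("crafted: vulnerable=%d hardened=%d\n",
           walk_atoms_vulnerable(c, (uint32_t)cl, 100), walk_atoms_hardened(c, cl, 100));
    return 0;
}
```

On the crafted input the vulnerable walker computes 8 + 0xFFFFFFF8, which wraps to 0 and so passes the "fits in buffer" test; the cursor is then set to 0 and the walk revisits the first atom indefinitely, which is the denial of service the advisory text describes. The hardened walker rejects the same atom at once because 0xFFFFFFF8 is larger than the 8 bytes remaining.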
Comment 10 claire robinson 2014-11-20 10:00:22 CET
Mga4 tainted packages or srpm are not listed in comment 2 but are presumably there?

I've added it to the advisory which is now uploaded. Could somebody please check.

Whiteboard: MGA3TOO => MGA3TOO advisory

Comment 11 claire robinson 2014-11-20 10:06:20 CET
We appear to be missing the tainted build for mga4 IINM.

Whiteboard: MGA3TOO advisory => MGA3TOO advisory feedback

Comment 12 Christiaan Welvaart 2014-11-20 10:17:28 CET
(In reply to claire robinson from comment #11)
> We appear to be missing the tainted build for mga4 IINM.

A Mageia 4 tainted build is not missing but not needed because this mga4 build uses the packaged ffmpeg libraries (so one just needs to install the tainted version of libavcodec for additional codec support). I guess I should have mentioned this earlier.
Rémi Verschelde 2014-11-20 14:05:16 CET

CC: (none) => remi
Whiteboard: MGA3TOO advisory feedback => MGA3TOO advisory

David Walser 2014-11-20 18:16:36 CET

URL: (none) => http://lwn.net/Vulnerabilities/622349/

Comment 13 Shlomi Fish 2014-11-23 17:22:19 CET
Tested chromium-browser-stable before and after the update on a Mageia 3 x86-64 and Mageia 4 x86-64. Everything seems to be working fine with https://www.google.com/, https://metapcpan.org/, etc.

CC: (none) => shlomif
Whiteboard: MGA3TOO advisory => MGA3TOO advisory MGA4-64-OK MGA3-64-OK

Comment 14 William Kenney 2014-11-25 02:17:53 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
chromium-browser chromium-browser-stable

default install of chromium-browser & chromium-browser-stable

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-38.0.2125.104-1.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-38.0.2125.104-1.mga3.tainted.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/

install chromium-browser & chromium-browser-stable from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-39.0.2171.65-1.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-39.0.2171.65-1.mga3.tainted.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2014-11-25 02:18:31 CET

Whiteboard: MGA3TOO advisory MGA4-64-OK MGA3-64-OK => MGA3TOO advisory MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 15 William Kenney 2014-11-25 02:32:58 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
chromium-browser chromium-browser-stable

default install of chromium-browser & chromium-browser-stable

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-38.0.2125.104-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-38.0.2125.104-1.mga4.tainted.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Plays a http://vimeo.com/ video

install chromium-browser & chromium-browser-stable from updates_testing

[root@localhost wilcal]# urpmi chromium-browser
Package chromium-browser-39.0.2171.65-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi chromium-browser-stable
Package chromium-browser-stable-39.0.2171.65-1.mga4.i586 is already installed

Successfully renders:
www.google.com
https://en.wikipedia.org/wiki/Main_Page
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Plays a http://vimeo.com/ video

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
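Comments 14 and 15 confirm the update by reading the version out of urpmi's "already installed" lines by eye. The C program below is an added example of doing that check mechanically; it is not part of this page or of Mageia's QA tooling. It pulls the NEVRA out of a urpmi line like those quoted above, extracts the version field (the text between the last two dashes, since an RPM version and release cannot contain a dash while a package name can), and compares it numerically component by component against the advisory's fixed version 39.0.2171.65, so that a fourth component of 104 is correctly ranked above 99, which a plain string comparison gets wrong. The sample lines are the ones from the test logs above; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed version from this bug's advisory. */
#define FIXED_VERSION "39.0.2171.65"

/* Copy the VERSION field of an RPM NEVRA such as
 * "chromium-browser-stable-39.0.2171.65-1.mga4.tainted.i586" into out.
 * Names may contain dashes; version and release may not, so the version is
 * the text between the last two dashes. Returns 0 on success, -1 otherwise. */
int nevra_version(const char *nevra, char *out, size_t outsz) {
    const char *rel = strrchr(nevra, '-');          /* dash before release */
    if (rel == NULL || rel == nevra)
        return -1;
    const char *ver = NULL;
    for (const char *p = rel - 1; p > nevra; p--)
        if (*p == '-') { ver = p + 1; break; }      /* dash before version */
    if (ver == NULL || ver == rel)
        return -1;
    size_t n = (size_t)(rel - ver);
    if (n >= outsz)
        return -1;
    memcpy(out, ver, n);
    out[n] = '\0';
    return 0;
}

/* Read one dotted-decimal component; a missing trailing component reads as 0
 * so that "39.0" equals "39.0.0". Returns -1 if the text is not a number. */
static int next_component(const char **s, unsigned long *val) {
    char *end;
    if (**s == '\0') { *val = 0; return 0; }
    *val = strtoul(*s, &end, 10);
    if (end == *s)
        return -1;
    *s = end;
    if (**s == '.')
        (*s)++;
    else if (**s != '\0')
        return -1;
    return 0;
}

/* Numeric comparison of dotted versions: <0, 0, >0 like strcmp, or -2 on
 * malformed input. strcmp would rank 38.0.2125.104 below 38.0.2125.99. */
int compare_versions(const char *a, const char *b) {
    while (*a != '\0' || *b != '\0') {
        unsigned long ca, cb;
        if (next_component(&a, &ca) < 0 || next_component(&b, &cb) < 0)
            return -2;
        if (ca != cb)
            return ca < cb ? -1 : 1;
    }
    return 0;
}

/* 1 if the package is at or above fixed_version, 0 if still vulnerable,
 * -1 if the NEVRA or version cannot be parsed. */
int package_is_fixed(const char *nevra, const char *fixed_version) {
    char ver[64];
    if (nevra_version(nevra, ver, sizeof ver) < 0)
        return -1;
    int c = compare_versions(ver, fixed_version);
    return c == -2 ? -1 : (c >= 0 ? 1 : 0);
}

/* Same check on a urpmi line of the form "Package <nevra> is already installed". */
int check_urpmi_line(const char *line, const char *fixed_version) {
    const char *p = strstr(line, "Package ");
    if (p == NULL)
        return -1;
    p += strlen("Package ");
    size_t n = strcspn(p, " \r\n");
    char nevra[256];
    if (n == 0 || n >= sizeof nevra)
        return -1;
    memcpy(nevra, p, n);
    nevra[n] = '\0';
    return package_is_fixed(nevra, fixed_version);
}

int main(void) {
    /* Output lines taken from the test logs in comments 14 and 15. */
    const char *lines[] = {
        "Package chromium-browser-38.0.2125.104-1.mga3.tainted.i586 is already installed",
        "Package chromium-browser-stable-38.0.2125.104-1.mga4.tainted.i586 is already installed",
        "Package chromium-browser-39.0.2171.65-1.mga3.tainted.i586 is already installed",
        "Package chromium-browser-stable-39.0.2171.65-1.mga4.i586 is already installed",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int r = check_urpmi_line(lines[i], FIXED_VERSION);
        printf("%s -> %s\n", lines[i], r == 1 ? "fixed" : r == 0 ? "VULNERABLE" : "unparsed");
    }
    return 0;
}
```

The check deliberately ignores the release and the tainted/non-tainted suffix: as comment 12 explains, the Mageia 4 build has no tainted variant, so only the upstream version decides whether the fix is present.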
Comment 16 William Kenney 2014-11-25 02:34:22 CET
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Charles Edwards 2014-11-25 04:04:54 CET
If any are still installed, could you test on these 3 https sites:

https://www.poodletest.com/
https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.howsmyssl.com/

I do not understand how we can keep doing security updates but include no info
on how to launch it to use TLS rather than SSL for secure connections.

CC: (none) => cae

Comment 18 David Walser 2014-11-25 04:23:03 CET
It's not like POODLE didn't receive any press.  If people are that concerned about it, they can look it up.  Frankly, most people don't need to be, because POODLE is mostly a lot of hype.  If it was that big of a deal, it would have been addressed upstream more quickly.  Anyway, my understanding is that there's supposed to be an easier way to disable SSLv3 in 39 and it will be disabled by default in 40.  That should be sufficient to alleviate any long-term concerns.
Comment 19 Mageia Robot 2014-11-25 10:21:57 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0485.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 20 David Walser 2014-11-25 21:37:15 CET
LWN reference for CVE-2014-7906:
http://openwall.com/lists/oss-security/2014/11/25/12
