Upstream has released version 40.0.2214.91 today (January 21): http://googlechromereleases.blogspot.com/2015/01/stable-update.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates There were a few intermediate bugfix releases since our last update: http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_25.html http://googlechromereleases.blogspot.com/2014/12/stable-channel-update.html http://googlechromereleases.blogspot.com/2015/01/stable-channel-update.html Reproducible: Steps to Reproduce:
New chromium-browser(-stable) packages are ready for testing: MGA4: SRPM chromium-browser-stable-40.0.2214.91-1.mga4.src.rpm RPMS chromium-browser-stable-40.0.2214.91-1.mga4.i586.rpm chromium-browser-40.0.2214.91-1.mga4.i586.rpm chromium-browser-stable-40.0.2214.91-1.mga4.x86_64.rpm chromium-browser-40.0.2214.91-1.mga4.x86_64.rpm Proposed advisory: Updated chromium-browser packages fix security vulnerabilities: Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc (CVE-2014-7924). Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained (CVE-2014-7925). The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code (CVE-2014-7927). hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy (CVE-2014-7928). Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data (CVE-2014-7930). factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers (CVE-2014-7931). Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents (CVE-2014-7929). Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements (CVE-2014-7932). Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures (CVE-2014-7934). Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab (CVE-2014-7935). Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble (CVE-2014-7936). The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors (CVE-2014-7938). Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header (CVE-2014-7939). The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data (CVE-2014-7941). The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-7942). Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2014-7943). The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation (CVE-2014-7946). The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate (CVE-2014-7948). Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2015-1205). References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7924 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7925 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7927 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7928 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7929 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7930 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7931 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7932 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7934 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7935 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7936 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7938 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7939 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7941 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7942 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7943 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7946 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7948 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1205 http://googlechromereleases.blogspot.com/2015/01/stable-update.html
Assignee: cjw => qa-bugs
No tainted build this time?
CC: (none) => wrw105
Mga4 is now built against system libs so tainted build is no longer needed. As of the last update: http://advisories.mageia.org/MGASA-2014-0485.html https://bugs.mageia.org/show_bug.cgi?id=14596#c12
Thanks Christiaan! Just formatting fixes and adding the intermediate announcements to the advisory. Updated chromium-browser packages fix security vulnerabilities: Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc (CVE-2014-7924). Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained (CVE-2014-7925). The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code (CVE-2014-7927). hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy (CVE-2014-7928). Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data (CVE-2014-7930). factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers (CVE-2014-7931). Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents (CVE-2014-7929). Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements (CVE-2014-7932). Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures (CVE-2014-7934). Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab (CVE-2014-7935). Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble (CVE-2014-7936). The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors (CVE-2014-7938). Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header (CVE-2014-7939). The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data (CVE-2014-7941). The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-7942). Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2014-7943). The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation (CVE-2014-7946). The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate (CVE-2014-7948). Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2015-1205). References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7924 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7925 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7927 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7928 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7929 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7930 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7931 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7932 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7934 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7935 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7936 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7938 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7939 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7941 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7942 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7943 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7946 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7948 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1205 http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_25.html http://googlechromereleases.blogspot.com/2014/12/stable-channel-update.html http://googlechromereleases.blogspot.com/2015/01/stable-channel-update.html http://googlechromereleases.blogspot.com/2015/01/stable-update.html
Testing complete mga4 32 & 64 https, java (with icedtea-web), sign into google account, acid3 javascript test, plays mp3 with tainted ffmpeg. Flash, not supported in recent releases. https://archive.org/details/testmp3testfile http://acid3.acidtests.org/ http://javatester.org/version.html (click on the box)
Whiteboard: (none) => has_procedure mga4-32-ok mga4-64-ok
Comment 4 advisory uploaded. Validating. Please push to 4 updates Thanks
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-okKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0036.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/630706/