Bug 15213 - chromium-browser-stable new security issues fixed in 40.0.2214.111
Summary: chromium-browser-stable new security issues fixed in 40.0.2214.111
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/632901/
Whiteboard: advisory mga4-64-ok mga4-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-02-06 13:53 CET by David Walser
Modified: 2015-02-11 21:48 CET (History)
3 users

See Also:
Source RPM: chromium-browser-stable-40.0.2214.91-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-02-06 13:53:40 CET
Upstream has released version 40.0.2214.111 on February 5:
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html

This fixes several new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

There were a couple of intermediate bugfix releases since our last update:
http://googlechromereleases.blogspot.com/2015/01/stable-channel-update_26.html
http://googlechromereleases.blogspot.com/2015/01/stable-channel-update_30.html

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-06 13:53:46 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Christiaan Welvaart 2015-02-07 19:00:56 CET
Updated packages are ready for testing.

MGA4
SRPM:
chromium-browser-stable-40.0.2214.111-1.mga4.src.rpm

RPMS:
chromium-browser-stable-40.0.2214.111-1.mga4.i586.rpm
chromium-browser-40.0.2214.111-1.mga4.i586.rpm
chromium-browser-stable-40.0.2214.111-1.mga4.x86_64.rpm
chromium-browser-40.0.2214.111-1.mga4.x86_64.rpm



Advisory:


Chromium-browser 40.0.2214.111 fixes security issues:

Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor. (CVE-2015-1209)

The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. (CVE-2015-1210)

The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI. (CVE-2015-1211)

Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2015-1212)


References:
http://googlechromereleases.blogspot.com/2015/01/stable-channel-update_26.html
http://googlechromereleases.blogspot.com/2015/01/stable-channel-update_30.html
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1209
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1210
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1211
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1212

Assignee: cjw => qa-bugs

Comment 2 David Walser 2015-02-07 19:07:44 CET
Thanks!  Freeze push for Cauldron still pending.

Re-formatting the advisory.

Updated chromium-browser packages fix security vulnerabilities:

Use-after-free vulnerability in the
VisibleSelection::nonBoundaryShadowTreeRootNode function in
core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used
in Google Chrome before 40.0.2214.111 allows remote attackers to cause a
denial of service or possibly have unspecified other impact via crafted
JavaScript code that triggers improper handling of a shadow-root anchor
(CVE-2015-1209).

The V8ThrowException::createDOMException function in
bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in
Google Chrome before 40.0.2214.111 does not properly consider frame access
restrictions during the throwing of an exception, which allows remote
attackers to bypass the Same Origin Policy via a crafted web site
(CVE-2015-1210).

The OriginCanAccessServiceWorkers function in
content/browser/service_worker/service_worker_dispatcher_host.cc in Google
Chrome before 40.0.2214.111 does not properly restrict the URI scheme during
a ServiceWorker registration, which allows remote attackers to gain
privileges via a filesystem: URI (CVE-2015-1211).

Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors (CVE-2015-1212).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1212
http://googlechromereleases.blogspot.com/2015/01/stable-channel-update_26.html
http://googlechromereleases.blogspot.com/2015/01/stable-channel-update_30.html
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
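The advisory above lists the fixed packages as 40.0.2214.111-1.mga4, while the source RPM at the top of the report is 40.0.2214.91-1.mga4. Deciding whether a host is still exposed means comparing those two labels the way rpm does, not as strings: the "91" vs "111" segment is exactly where a naive string comparison gives the wrong answer. The following Python is an added example, not code from the bug report or from Mageia's tooling; it implements the rpmvercmp segment rules (digit runs compared numerically, letter runs lexically, a leading "~" sorting older) and assumes epoch 0 on both sides, since the filenames on the page carry no epoch. The installed-package sample is constructed.

```python
"""Check installed chromium-browser packages against the Mageia update
(40.0.2214.111-1.mga4) using rpm-style version ordering.

Added example; assumes epoch 0 for every package (the .rpm names on the
page carry none). Caret ("^") handling of newer rpm versions is omitted.
"""
import re

# One token per version segment: a digit run, a letter run, or a tilde.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b,
    following the rpmvercmp segment rules."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # pre-release marker sorts oldest
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x.isdigit() != y.isdigit():    # numeric segment beats alpha
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):          # compares 91 vs 111 numerically
                return -1 if int(x) < int(y) else 1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Whichever side has segments left wins, unless its next segment is
    # a tilde (e.g. "1.0~rc1" is older than "1.0").
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def compare_evr(a, b) -> int:
    """Compare (epoch, version, release) tuples in rpm order."""
    for x, y in zip(a, b):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def parse_nvra(label: str):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release,
    arch). The name may contain hyphens, so split from the right."""
    if label.endswith(".rpm"):
        label = label[:-4]
    nvr, arch = label.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


# Package list from the advisory in this bug.
ADVISORY_RPMS = [
    "chromium-browser-stable-40.0.2214.111-1.mga4.i586.rpm",
    "chromium-browser-40.0.2214.111-1.mga4.i586.rpm",
    "chromium-browser-stable-40.0.2214.111-1.mga4.x86_64.rpm",
    "chromium-browser-40.0.2214.111-1.mga4.x86_64.rpm",
]

# Constructed sample of `rpm -qa` output on a host still on the previous
# build (the source RPM version named at the top of this report).
INSTALLED_SAMPLE = [
    "chromium-browser-stable-40.0.2214.91-1.mga4.x86_64",
    "chromium-browser-40.0.2214.91-1.mga4.x86_64",
    "example-tool-1.0-1.mga4.x86_64",   # constructed, unrelated package
]


def needs_update(installed, advisory):
    """Return the names of installed packages that the advisory supersedes."""
    fixed = {}
    for f in advisory:
        n, v, r, a = parse_nvra(f)
        fixed[(n, a)] = ("0", v, r)
    stale = []
    for p in installed:
        n, v, r, a = parse_nvra(p)
        if (n, a) in fixed and compare_evr(("0", v, r), fixed[(n, a)]) < 0:
            stale.append(n)
    return stale


if __name__ == "__main__":
    # Naive string order gets this backwards; rpm order does not.
    print("string order says .91 > .111:", "40.0.2214.91" > "40.0.2214.111")
    print("rpmvercmp:", rpmvercmp("40.0.2214.91", "40.0.2214.111"))
    print("needs update:", needs_update(INSTALLED_SAMPLE, ADVISORY_RPMS))
```

On a real host, feed `needs_update` the output of `rpm -qa` instead of the constructed sample; the name-and-arch key means an i586 entry in the advisory never matches an x86_64 installation and vice versa.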

Comment 3 Bill Wilkinson 2015-02-09 18:47:37 CET
Tested general use, acid3 test at acidtests.org and sunspider for javascript.  No plugins tested.  All OK.

CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok

Christiaan Welvaart 2015-02-09 19:27:42 CET

CC: (none) => cjw

Comment 4 David Walser 2015-02-10 00:06:09 CET
Works fine for me on Mageia 4 i586.  Validating now.  The advisory still needs to be uploaded.

Please push to core/updates once the advisory is uploaded.  Thanks.

Keywords: (none) => validated_update
Whiteboard: mga4-64-ok => mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-02-10 15:47:26 CET
Advisory from comment 2 uploaded.

Whiteboard: mga4-64-ok mga4-32-ok => advisory mga4-64-ok mga4-32-ok

Comment 6 David Walser 2015-02-11 18:38:08 CET
RedHat has issued an advisory for this on February 10:
https://rhn.redhat.com/errata/RHSA-2015-0163.html

URL: (none) => http://lwn.net/Vulnerabilities/632901/

Comment 7 Mageia Robot 2015-02-11 21:48:46 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0062.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

