Bug 15433 - chromium-browser-stable new security issues fixed in 41.0.2272.76
Summary: chromium-browser-stable new security issues fixed in 41.0.2272.76
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635753/
Whiteboard: has_procedure advisory mga4-64-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-05 19:56 CET by David Walser
Modified: 2015-04-01 14:14 CEST

See Also:
Source RPM: chromium-browser-stable-40.0.2214.111-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2015-03-05 19:56:23 CET
Upstream has released version 41.0.2272.76 on March 3:
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html

This fixes several new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

There was one intermediate bugfix release since our last update:
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update_19.html

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-05 19:56:30 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-03-06 20:09:11 CET
RedHat has issued an advisory for this on March 5:
https://rhn.redhat.com/errata/RHSA-2015-0627.html

URL: (none) => http://lwn.net/Vulnerabilities/635753/

Comment 2 David Walser 2015-03-11 14:03:52 CET
Upstream has released version 41.0.2272.89 on March 10:
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_10.html

It has additional bugfixes.
Comment 3 Sander Lepik 2015-03-11 14:07:43 CET
We still have the option to throw it out the window. If Christiaan doesn't want to fix those CVEs, I can't see anyone else doing it. And it would be a shame if it passes yet another release like that.. :/

CC: (none) => mageia

Comment 4 David Walser 2015-03-11 14:16:00 CET
Sure.  Christiaan has been maintaining it well the last four months.  As long as he intends to continue that, I'm OK with keeping it.  I'm not sure what his plans are for this update.  He might have decided to hold it until after the Mageia 5 release.
Comment 5 Christiaan Welvaart 2015-03-11 15:21:34 CET
chromium 41 apparently thinks the emulated usb tablet in qemu/kvm is a touchscreen, causing a serious regression for VMs. I started looking for the touchscreen auto detection code but maybe I should just set the touch events setting to disabled by default.

I'll see if I can first test 41.0.2272.89 since the change "ozone: evdev: Keep track of settings & apply to new devices" could be related.
Comment 6 David Walser 2015-03-20 21:28:13 CET
Upstream has released version 41.0.2272.101 on March 19:
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_19.html

It has additional bugfixes.
Comment 7 Pascal Terjan 2015-03-22 16:49:53 CET
I have uploaded 41.0.2272.101 to cauldron/core/updates_testing but haven't tested it yet.

CC: (none) => pterjan

Comment 8 David Walser 2015-03-31 12:30:29 CEST
chromium-browser-stable-41.0.2272.101-2.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 9 Christiaan Welvaart 2015-04-01 02:41:53 CEST
Updated packages are ready for testing:

MGA4
Source RPM:
chromium-browser-stable-41.0.2272.101-1.mga4.src.rpm

Binary RPMS:
chromium-browser-stable-41.0.2272.101-1.mga4.i586.rpm
chromium-browser-41.0.2272.101-1.mga4.i586.rpm
chromium-browser-stable-41.0.2272.101-1.mga4.x86_64.rpm
chromium-browser-41.0.2272.101-1.mga4.x86_64.rpm


Proposed advisory:


Chromium-browser 41.0.2272.101 fixes security issues:

Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation, a different vulnerability than CVE-2015-1212. (CVE-2015-1232)

The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. (CVE-2015-1213)

Integer overflow in the SkAutoSTArray implementation in include/core/SkTemplates.h in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a reset action with a large count value, leading to an out-of-bounds write operation. (CVE-2015-1214)

The filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. (CVE-2015-1215)

Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a frame detachment. (CVE-2015-1216)

The V8LazyEventListener::prepareListenerObject function in bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, does not properly compile listeners, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." (CVE-2015-1217)

Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger movement of a SCRIPT element to different documents, related to (1) the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and (2) the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp. (CVE-2015-1218)

Integer overflow in the SkMallocPixelRef::NewAllocate function in core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted allocation of a large amount of memory during WebGL rendering. (CVE-2015-1219)

Use-after-free vulnerability in the GIFImageReader::parseData function in platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted frame size in a GIF image. (CVE-2015-1220)

Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect ordering of operations in the Web SQL Database thread relative to Blink's main thread, related to the shutdown function in web/WebKit.cpp. (CVE-2015-1221)

Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap implementation in content/browser/service_worker/service_worker_script_cache_map.cc in Google Chrome before 41.0.2272.76 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the NotifyStartedCaching and NotifyFinishedCaching functions. (CVE-2015-1222)

Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger extraneous change events, as demonstrated by events for invalid input or input to read-only fields, related to the initializeTypeInParsing and updateType functions. (CVE-2015-1223)

The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data. (CVE-2015-1224)

PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2015-1225)

The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension. (CVE-2015-1226)

The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an unspecified impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used. (CVE-2015-1227)

The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not force a relayout operation and consequently does not initialize memory for a data structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted Cascading Style Sheets (CSS) token sequence. (CVE-2015-1228)

net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response. (CVE-2015-1229)



References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1232
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1213
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1214
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1215
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1216
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1217
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1218
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1219
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1220
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1221
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1222
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1223
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1224
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1225
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1226
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1227
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1228
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1229
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_10.html
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_19.html

CC: (none) => cjw
Assignee: cjw => qa-bugs

Comment 10 Bill Wilkinson 2015-04-01 05:10:16 CEST
Tested general use, mga4-64.

sunspider for javascript, acid3 for rendering, general browsing.

All OK

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga4-64-ok

Comment 11 claire robinson 2015-04-01 13:30:37 CEST
Testing complete mga4 32.

Validating. Advisory uploaded.
The nist.gov links will be replaced with mitre ones when the CVEs are expanded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2015-04-01 13:31:58 CEST
Re-formatting the advisory.

Updated chromium-browser packages fix security vulnerabilities:

The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters
implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via vectors that trigger an out-of-bounds write operation
(CVE-2015-1213).

Integer overflow in the SkAutoSTArray implementation in
include/core/SkTemplates.h in the filters implementation in Skia, as used in
Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial
of service or possibly have unspecified other impact via vectors that trigger
a reset action with a large count value, leading to an out-of-bounds write
operation (CVE-2015-1214).

The filters implementation in Skia, as used in Google Chrome before
41.0.2272.76, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via vectors that trigger an
out-of-bounds write operation (CVE-2015-1215).

Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom
function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in
Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
vectors that trigger a frame detachment (CVE-2015-1216).

The V8LazyEventListener::prepareListenerObject function in
bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used
in Google Chrome before 41.0.2272.76, does not properly compile listeners,
which allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that leverage "type confusion"
(CVE-2015-1217).

Multiple use-after-free vulnerabilities in the DOM implementation in Blink,
as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause
a denial of service or possibly have unspecified other impact via vectors
that trigger movement of a SCRIPT element to different documents, related to
the HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp and the
SVGScriptElement::didMoveToNewDocument function in
core/svg/SVGScriptElement.cpp (CVE-2015-1218).

Integer overflow in the SkMallocPixelRef::NewAllocate function in
core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before
41.0.2272.76, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via vectors that trigger an attempted
allocation of a large amount of memory during WebGL rendering
(CVE-2015-1219).

Use-after-free vulnerability in the GIFImageReader::parseData function in
platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google
Chrome before 41.0.2272.76, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via a crafted frame size in
a GIF image (CVE-2015-1220).

Use-after-free vulnerability in Blink, as used in Google Chrome before
41.0.2272.76, allows remote attackers to cause a denial of service or
possibly have unspecified other impact by leveraging incorrect ordering of
operations in the Web SQL Database thread relative to Blink's main thread,
related to the shutdown function in web/WebKit.cpp (CVE-2015-1221).

Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap
implementation in
content/browser/service_worker/service_worker_script_cache_map.cc in Google
Chrome before 41.0.2272.76 allow remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors that trigger a
ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the
NotifyStartedCaching and NotifyFinishedCaching functions (CVE-2015-1222).

Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in
the DOM implementation in Blink, as used in Google Chrome before
41.0.2272.76, allow remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors that trigger extraneous change
events, as demonstrated by events for invalid input or input to read-only
fields, related to the initializeTypeInParsing and updateType functions
(CVE-2015-1223).

The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc
in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does
not ensure that alpha-plane dimensions are identical to image dimensions,
which allows remote attackers to cause a denial of service (out-of-bounds
read) via crafted VPx video data (CVE-2015-1224).

PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers
to cause a denial of service (out-of-bounds read) via unspecified vectors
(CVE-2015-1225).

The DebuggerFunction::InitAgentHost function in
browser/extensions/api/debugger/debugger_api.cc in Google Chrome before
41.0.2272.76 does not properly restrict what URLs are available as debugger
targets, which allows remote attackers to bypass intended access restrictions
via a crafted extension (CVE-2015-1226).

The DragImage::create function in platform/DragImage.cpp in Blink, as used in
Google Chrome before 41.0.2272.76, does not initialize memory for image
drawing, which allows remote attackers to have an unspecified impact by
triggering a failed image decoding, as demonstrated by an image for which the
default orientation cannot be used (CVE-2015-1227).

The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp
in Blink, as used in Google Chrome before 41.0.2272.76, does not force a
relayout operation and consequently does not initialize memory for a data
structure, which allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
Cascading Style Sheets (CSS) token sequence (CVE-2015-1228).

net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not
properly handle a 407 (aka Proxy Authentication Required) HTTP status code
accompanied by a Set-Cookie header, which allows remote proxy servers to
conduct cookie-injection attacks via a crafted response (CVE-2015-1229).

Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors (CVE-2015-1231).

Array index error in the MidiManagerUsb::DispatchSendMidiData function in
media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows
remote attackers to cause a denial of service or possibly have unspecified
other impact by leveraging renderer access to provide an invalid port index
that triggers an out-of-bounds write operation (CVE-2015-1232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1232
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update_19.html
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_10.html
http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_19.html
https://security.gentoo.org/glsa/201503-12
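The CVE-2015-1229 entry above describes a proxy that answers a CONNECT with 407 and slips in a Set-Cookie header. The following is an added example, not Chromium code and not part of this bug, modelling that hazard: a small response-head parser, the unchecked cookie handling beside a hardened version that refuses cookies from a 407, and a constructed hostile reply. All names (parseHead, cookiesUnchecked, cookiesHardened, kSample407) are hypothetical, and the mitigation shown is an assumed one, not the upstream patch.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

// Added example (not Chromium's code): a minimal model of the CVE-2015-1229
// hazard. A proxy answering "407 Proxy Authentication Required" speaks for
// itself, not for the origin, so any Set-Cookie it sends must not land in the
// origin's cookie jar. All names here are hypothetical.

struct Header { std::string name; std::string value; };
struct Response { int status = 0; std::vector<Header> headers; };

// Case-insensitive header-name comparison (HTTP field names are case-insensitive).
static bool iequals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i])) return false;
    return true;
}

// Parse an HTTP/1.1 response head: status line, then CRLF-separated headers
// up to the empty line. Head only; no body handling.
static Response parseHead(const std::string& raw) {
    Response r;
    size_t eol = raw.find("\r\n");
    std::string status_line = raw.substr(0, eol);
    size_t sp = status_line.find(' ');
    if (sp != std::string::npos) r.status = std::atoi(status_line.c_str() + sp + 1);
    while (eol != std::string::npos) {
        size_t start = eol + 2;
        eol = raw.find("\r\n", start);
        std::string line = raw.substr(start, eol == std::string::npos ? std::string::npos : eol - start);
        if (line.empty()) break;                  // blank line ends the head
        size_t colon = line.find(':');
        if (colon == std::string::npos) break;    // malformed line: stop parsing
        size_t v = colon + 1;
        while (v < line.size() && line[v] == ' ') ++v;
        r.headers.push_back({line.substr(0, colon), line.substr(v)});
    }
    return r;
}

// Vulnerable pattern: every Set-Cookie in the proxy's reply is collected as
// if the origin had sent it, whatever the status code.
static std::vector<std::string> cookiesUnchecked(const Response& r) {
    std::vector<std::string> out;
    for (const Header& h : r.headers)
        if (iequals(h.name, "Set-Cookie")) out.push_back(h.value);
    return out;
}

// Hardened pattern (assumed mitigation): a 407 is proxy-authored, so its
// Set-Cookie headers are discarded rather than attributed to the origin.
static std::vector<std::string> cookiesHardened(const Response& r) {
    if (r.status == 407) return {};
    return cookiesUnchecked(r);
}

// Constructed sample: a hostile proxy rejecting a CONNECT while trying to
// plant a cookie for the destination site.
static const std::string kSample407 =
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
    "Set-Cookie: session=injected; Domain=example.test\r\n"
    "\r\n";
```

Detection-wise, a proxy response that carries Set-Cookie on a 407 is worth logging on its own: a legitimate authenticating proxy has no reason to set cookies for the destination host.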
Comment 13 claire robinson 2015-04-01 13:39:39 CEST
Updated on svn
Comment 14 Mageia Robot 2015-04-01 14:14:12 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0123.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

