Upstream has released version 41.0.2272.76 on March 3: http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates There was one intermediate bugfix release since our last update: http://googlechromereleases.blogspot.com/2015/02/stable-channel-update_19.html Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
RedHat has issued an advisory for this on March 5: https://rhn.redhat.com/errata/RHSA-2015-0627.html
URL: (none) => http://lwn.net/Vulnerabilities/635753/
Upstream has released version 41.0.2272.89 on March 10: http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_10.html It has additional bugfixes.
We still have the option to throw it out the window, if Christiaan doesn't want to fix those CVE's, I can't see no one else doing it. And it would be a shame if it passes yet another release like that.. :/
CC: (none) => mageia
Sure. Christiaan has been maintaining it well the last four months. As long as he intends to continue that, I'm OK with keeping it. I'm not sure what his plans are for this update. He might have decided to hold it until after the Mageia 5 release.
chromium 41 apparently thinks the emulated usb tablet in qemu/kvm is a touchscreen, causing a serious regression for VMs. I started looking for the touchscreen auto detection code but maybe I should just set the touch events setting to disabled by default. I'll see if I can first test 41.0.2272.89 since the change "ozone: evdev: Keep track of settings & apply to new devices" could be related.
Upstream has released version 41.0.2272.101 on March 19: http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_19.html It has additional bugfixes.
I have uploaded 41.0.2272.101 to cauldron/core/updates_testing but haven't tested it yet.
CC: (none) => pterjan
chromium-browser-stable-41.0.2272.101-2.mga5 uploaded for Cauldron.
Version: Cauldron => 4Whiteboard: MGA5TOO, MGA4TOO => (none)
Updated packages are ready for testing: MGA4 Source RPM: chromium-browser-stable-41.0.2272.101-1.mga4.src.rpm Binary RPMS: chromium-browser-stable-41.0.2272.101-1.mga4.i586.rpm chromium-browser-41.0.2272.101-1.mga4.i586.rpm chromium-browser-stable-41.0.2272.101-1.mga4.x86_64.rpm chromium-browser-41.0.2272.101-1.mga4.x86_64.rpm Proposed advisory: Chromium-browser 41.0.2272.101 fixes security issues: Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation, a different vulnerability than CVE-2015-1212. (CVE-2015-1232) The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. (CVE-2015-1213) Integer overflow in the SkAutoSTArray implementation in include/core/SkTemplates.h in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a reset action with a large count value, leading to an out-of-bounds write operation. (CVE-2015-1214) The filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. (CVE-2015-1215) Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a frame detachment. (CVE-2015-1216) The V8LazyEventListener::prepareListenerObject function in bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, does not properly compile listeners, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." (CVE-2015-1217) Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger movement of a SCRIPT element to different documents, related to (1) the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and (2) the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp. (CVE-2015-1218) Integer overflow in the SkMallocPixelRef::NewAllocate function in core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted allocation of a large amount of memory during WebGL rendering. (CVE-2015-1219) Use-after-free vulnerability in the GIFImageReader::parseData function in platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted frame size in a GIF image. (CVE-2015-1220) Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect ordering of operations in the Web SQL Database thread relative to Blink's main thread, related to the shutdown function in web/WebKit.cpp. (CVE-2015-1221) Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap implementation in content/browser/service_worker/service_worker_script_cache_map.cc in Google Chrome before 41.0.2272.76 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the NotifyStartedCaching and NotifyFinishedCaching functions. (CVE-2015-1222) Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger extraneous change events, as demonstrated by events for invalid input or input to read-only fields, related to the initializeTypeInParsing and updateType functions. (CVE-2015-1223) The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data. (CVE-2015-1224) PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2015-1225) The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension. (CVE-2015-1226) The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an unspecified impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used. (CVE-2015-1227) The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not force a relayout operation and consequently does not initialize memory for a data structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted Cascading Style Sheets (CSS) token sequence. (CVE-2015-1228) net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response. (CVE-2015-1229) References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1232 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1213 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1214 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1215 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1216 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1217 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1218 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1219 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1220 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1221 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1222 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1223 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1224 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1225 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1226 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1227 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1228 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1229 http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_10.html http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_19.html
CC: (none) => cjwAssignee: cjw => qa-bugs
tested general use, mga4-64. sunspider for javascript, acid3 for rendering, general browsing. All OK
CC: (none) => wrw105Whiteboard: (none) => has_procedure mga4-64-ok
Testing complete mga4 32. Validating. Advisory uploaded. The nist.gov links will be replaced with mitre ones when the CVE's are expanded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-okCC: (none) => sysadmin-bugs
Re-formatting the advisory. Updated chromium-browser packages fix security vulnerabilities: The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation (CVE-2015-1213). Integer overflow in the SkAutoSTArray implementation in include/core/SkTemplates.h in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a reset action with a large count value, leading to an out-of-bounds write operation (CVE-2015-1214). The filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation (CVE-2015-1215). Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a frame detachment (CVE-2015-1216). The V8LazyEventListener::prepareListenerObject function in bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, does not properly compile listeners, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion" (CVE-2015-1217). Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger movement of a SCRIPT element to different documents, related to the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp (CVE-2015-1218). Integer overflow in the SkMallocPixelRef::NewAllocate function in core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted allocation of a large amount of memory during WebGL rendering (CVE-2015-1219). Use-after-free vulnerability in the GIFImageReader::parseData function in platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted frame size in a GIF image (CVE-2015-1220). Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect ordering of operations in the Web SQL Database thread relative to Blink's main thread, related to the shutdown function in web/WebKit.cpp (CVE-2015-1221). Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap implementation in content/browser/service_worker/service_worker_script_cache_map.cc in Google Chrome before 41.0.2272.76 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the NotifyStartedCaching and NotifyFinishedCaching functions (CVE-2015-1222). Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger extraneous change events, as demonstrated by events for invalid input or input to read-only fields, related to the initializeTypeInParsing and updateType functions (CVE-2015-1223). The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data (CVE-2015-1224). PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2015-1225). The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension (CVE-2015-1226). The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an unspecified impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used (CVE-2015-1227). The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not force a relayout operation and consequently does not initialize memory for a data structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted Cascading Style Sheets (CSS) token sequence (CVE-2015-1228). net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response (CVE-2015-1229). Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76 allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2015-1231). Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation (CVE-2015-1232). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1213 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1214 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1215 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1216 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1217 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1218 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1219 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1220 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1221 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1222 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1223 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1225 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1227 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1229 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1232 http://googlechromereleases.blogspot.com/2015/02/stable-channel-update_19.html http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_10.html http://googlechromereleases.blogspot.com/2015/03/stable-channel-update_19.html https://security.gentoo.org/glsa/201503-12
Updated on svn
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0123.html
Status: NEW => RESOLVEDResolution: (none) => FIXED