Upstream has released version 44.0.2403.89 on July 21: http://googlechromereleases.blogspot.com/2015/06/chrome-stable-update.html

This fixes several new security issues.

This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates
We'll also need to extract the CVE-2015-1270 fix for ICU and CVE-2015-1283 fix for expat and apply them to those packages.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Oops, correct URL for the 44 update is here: http://googlechromereleases.blogspot.cz/2015/07/stable-channel-update_21.html
Chrome 44 has a serious regression: http://www.zdnet.com/article/brand-new-chrome-44-release-added-a-bug/

A fix has already been committed upstream: http://src.chromium.org/viewvc/blink?view=revision&revision=199090

Another update is expected soon.
Debian has issued an advisory for this on July 23: https://lists.debian.org/debian-security-announce/2015/msg00211.html

The DSA will be posted here: https://www.debian.org/security/2015/dsa-3315
URL: (none) => http://lwn.net/Vulnerabilities/652361/
As you already saw, Chrome 44.0.2403.107 was released on July 24: http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_24.html
Updated packages are available for testing:

MGA4
SRPM:
chromium-browser-stable-44.0.2403.107-1.mga4.src.rpm
RPMS:
chromium-browser-stable-44.0.2403.107-1.mga4.i586.rpm
chromium-browser-44.0.2403.107-1.mga4.i586.rpm
chromium-browser-stable-44.0.2403.107-1.mga4.x86_64.rpm
chromium-browser-44.0.2403.107-1.mga4.x86_64.rpm

MGA5
SRPM:
chromium-browser-stable-44.0.2403.107-1.mga5.src.rpm
RPMS:
chromium-browser-stable-44.0.2403.107-1.mga5.i586.rpm
chromium-browser-44.0.2403.107-1.mga5.i586.rpm
chromium-browser-stable-44.0.2403.107-1.mga5.x86_64.rpm
chromium-browser-44.0.2403.107-1.mga5.x86_64.rpm

Proposed advisory:

Chromium-browser 44.0.2403.107 fixes several security issues:

PDFium, as used in Google Chrome before 44.0.2403.89, does not properly handle certain out-of-memory conditions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted PDF document that triggers a large memory allocation. (CVE-2015-1271)

Use-after-free vulnerability in the GPU process implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging the continued availability of a GPUChannelHost data structure during Blink shutdown, related to content/browser/gpu/browser_gpu_channel_host_factory.cc and content/renderer/render_thread_impl.cc. (CVE-2015-1272)

Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document. (CVE-2015-1273)

Google Chrome before 44.0.2403.89 does not ensure that the auto-open list omits all dangerous file types, which makes it easier for remote attackers to execute arbitrary code by providing a crafted file and leveraging a user's previous "Always open files of this type" choice, related to download_commands.cc and download_prefs.cc. (CVE-2015-1274)

Use-after-free vulnerability in content/browser/indexed_db/indexed_db_backing_store.cc in the IndexedDB implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an abort action before a certain write operation. (CVE-2015-1276)

Use-after-free vulnerability in the accessibility implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging lack of certain validity checks for accessibility-tree data structures. (CVE-2015-1277)

content/browser/web_contents/web_contents_impl.cc in Google Chrome before 44.0.2403.89 does not ensure that a PDF document's modal dialog is closed upon navigation to an interstitial page, which allows remote attackers to spoof URLs via a crafted document, as demonstrated by the alert_dialog.pdf document. (CVE-2015-1278)

Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2/JBig2_Image.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via large height and stride values. (CVE-2015-1279)

SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging access to a renderer process and providing crafted serialized data. (CVE-2015-1280)

core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source. (CVE-2015-1281)

Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Document.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to the (1) Document::delay and (2) Document::DoFieldDelay functions. (CVE-2015-1282)

The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service (invalid count value and use-after-free) or possibly have unspecified other impact via crafted JavaScript code that makes many createElement calls for IFRAME elements. (CVE-2015-1284)

The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89, does not properly choose a truncation point, which makes it easier for remote attackers to obtain sensitive information via an unspecified linear-time attack. (CVE-2015-1285)

Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler::GetModuleSystem function in extensions/renderer/v8_context_native_handler.cc in Google Chrome before 44.0.2403.89 allows remote attackers to inject arbitrary web script or HTML by leveraging the lack of a certain V8 context restriction, aka a Blink "Universal XSS (UXSS)." (CVE-2015-1286)

Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode exception that limits the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to core/fetch/CSSStyleSheetResource.cpp. (CVE-2015-1287)

The Spellcheck API implementation in Google Chrome before 44.0.2403.89 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file, a related issue to CVE-2015-1263. (CVE-2015-1288)

Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2015-1289)

References:
http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_21.html
http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_24.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1280
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1282
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1289
CC: (none) => cjw
Version: Cauldron => 5
Assignee: cjw => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Tested general use mga5-64

Sunspider java, acid3, youtube for flash, all OK as is general browsing.
CC: (none) => wrw105
Whiteboard: MGA4TOO => MGA4TOO mga5-64-ok
Chromium is working fine in a Mageia 5 x86-64 VM.
(In reply to Bill Wilkinson from comment #7)
> Tested general use mga5-64
>
> Sunspider java, acid3, youtube for flash, all OK as is general browsing.

OK, who will test what now? Can I test Mageia 4 i586?
CC: (none) => shlomif
Tested mga4-64 as above. all OK. Shlomi: have at the 32 bit versions. They don't run on my older AMD processor.
Whiteboard: MGA4TOO mga5-64-ok => MGA4TOO mga5-64-ok mga4-64-ok
(In reply to Bill Wilkinson from comment #10)
> Tested mga4-64 as above. all OK. Shlomi: have at the 32 bit versions. They
> don't run on my older AMD processor.

Thanks!

I have some bad news. On a Mageia 5 i586 VM I am getting this problem with https:// on www.google.co.il:

http://www.shlomifish.org/Files/files/images/chromium-browser-i586-Mageia-5-HTTPS-problem--cropped.png

How can we fix it?

Regards,

-- Shlomi Fish
(In reply to Shlomi Fish from comment #11)
> I have some bad news. On a Mageia 5 i586 VM I am getting this problem with
> https:// on www.google.co.il:
>
> http://www.shlomifish.org/Files/files/images/chromium-browser-i586-Mageia-5-
> HTTPS-problem--cropped.png
>
> How can we fix it?

Maybe the clock of your VM is not set correctly? Google's self-signed certificates change at least once a month, so the clock may not need to be a decade off to get this error message.
(In reply to Christiaan Welvaart from comment #12)
> (In reply to Shlomi Fish from comment #11)
> > I have some bad news. On a Mageia 5 i586 VM I am getting this problem with
> > https:// on www.google.co.il:
> >
> > http://www.shlomifish.org/Files/files/images/chromium-browser-i586-Mageia-5-
> > HTTPS-problem--cropped.png
> >
> > How can we fix it?
>
> Maybe the clock of your VM is not set correctly? Google's self-signed
> certificates change at least once a month so the clock may not need to be a
> decade off to get this error message.

Thanks for the hint - this indeed fixed the problem. I verified chromium to work on a Mageia 5 32-bit/i586 VM. Will test 4 i586 next.
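The exchange above is a common QA trap: a TLS error that names the server's certificate but is really caused by the test VM's clock. The following is an added example (not part of this bug report, nor Chromium or Mageia code) that applies the time portion of certificate validation the way a browser does, so a tester can see how little drift a short-lived certificate tolerates. The sample notBefore/notAfter window is constructed for the example, modelled on a roughly three-month leaf certificate; it is not copied from any real certificate.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample validity window (an assumption for this example, not
# copied from any real certificate). Its ~90-day length is the point: a leaf
# certificate reissued every few months leaves little room for clock drift.
# The strings use the format ssl.getpeercert() returns in its
# 'notBefore' / 'notAfter' fields, so values from a real cert drop straight in.
SAMPLE_NOT_BEFORE = "Jul 22 08:39:39 2015 GMT"
SAMPLE_NOT_AFTER = "Oct 20 00:00:00 2015 GMT"


def validity_window(not_before, not_after):
    """Parse getpeercert()-style date strings into timezone-aware datetimes."""
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return start, end


def check_clock(now, not_before=SAMPLE_NOT_BEFORE, not_after=SAMPLE_NOT_AFTER):
    """Apply the time part of certificate validation for a given local clock.

    Returns (ok, reason). A TLS client rejects the chain when `now` falls
    outside [notBefore, notAfter]; the error the browser then shows points at
    the certificate even though the local clock is the actual cause.
    """
    start, end = validity_window(not_before, not_after)
    if now < start:
        return False, "local clock is %s before notBefore" % (start - now)
    if now > end:
        return False, "local clock is %s past notAfter" % (now - end)
    return True, "local clock inside validity window"


def skew_tolerance(now, not_before=SAMPLE_NOT_BEFORE, not_after=SAMPLE_NOT_AFTER):
    """How far the clock may drift backwards / forwards before the check fails."""
    start, end = validity_window(not_before, not_after)
    return now - start, end - now


if __name__ == "__main__":
    # A VM restored from a snapshot taken a few months earlier fails just as
    # surely as one whose clock is a decade off.
    for label, clock in [
        ("correct clock", datetime(2015, 7, 28, 12, 0, tzinfo=timezone.utc)),
        ("stale snapshot", datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)),
        ("clock far ahead", datetime(2026, 1, 1, 0, 0, tzinfo=timezone.utc)),
    ]:
        ok, why = check_clock(clock)
        print("%-16s %s  %s" % (label, "OK " if ok else "ERR", why))
    back, fwd = skew_tolerance(datetime(2015, 7, 28, 12, 0, tzinfo=timezone.utc))
    print("tolerated drift: -%s / +%s" % (back, fwd))
```

To feed real values in, even from a VM whose clock is already wrong, fetch the live window with `openssl s_client -connect www.google.co.il:443 -servername www.google.co.il </dev/null | openssl x509 -noout -dates`; s_client prints the chain regardless of verification failures, and the two printed dates are exactly the strings `check_clock` accepts. Fixing the VM clock (NTP, or the hypervisor's guest-time sync) is the remedy; adding an exception for the site is not.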
Whiteboard: MGA4TOO mga5-64-ok mga4-64-ok => MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK
Works fine on an Mageia 4 i586 VM. Please validate.
Whiteboard: MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK => MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK MGA4-32-OK
Make sure you test this with the patched icu and expat packages.
Depends on: (none) => 16477, 16478
Whiteboard: MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK MGA4-32-OK => MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK
(In reply to David Walser from comment #15)
> Make sure you test this with the patched icu and expat packages.

Tested with these. Adding MGA4-32-OK.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK MGA4-32-OK => MGA4TOO mga5-64-ok mga4-64-ok mga5-32-OK MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Please add the OKs to the expat and icu bugs if you tested with them.
CVE-2015-5605 is also fixed in this update: http://lwn.net/Vulnerabilities/652549/
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0288.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED