Upstream has released version 48.0.2564.109 on February 9: http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates There were also two bugfix releases since our last update: http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_27.html http://googlechromereleases.blogspot.com/2016/02/stable-channel-update.html Reproducible: Steps to Reproduce:
OpenSuSE has issued an advisory for this today (February 17): http://lists.opensuse.org/opensuse-updates/2016-02/msg00104.html
URL: (none) => http://lwn.net/Vulnerabilities/676077/
Upstream has released version 48.0.2564.116 today (February 18): http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_18.html It fixes one more security issue.
Summary: chromium-browser-stable new security issues fixed in 48.0.2564.109 => chromium-browser-stable new security issues fixed in 48.0.2564.116
LWN reference for one more issue fixed in 48.0.2564.109: http://lwn.net/Vulnerabilities/676786/ LWN reference for 48.0.2564.116: http://lwn.net/Vulnerabilities/676784/ OpenSuSE has issued an advisory for this on February 20: http://lists.opensuse.org/opensuse-updates/2016-02/msg00126.html
Summary: chromium-browser-stable new security issues fixed in 48.0.2564.116 => chromium-browser-stable security issues fixed in 49.0.2623.75
Upstream has released version 49.0.2623.75 on March 2: http://googlechromereleases.blogspot.com/2016/03/stable-channel-update.html The Chrome releases blog no longer renders in Firefox :o(
My apologies for the delay; the disk that holds the virtual machines I use for security updates broke down. After unsuccessfully trying to copy all data, I now ordered two new disks to replace the broken one (in RAID 1). Hopefully I can make some progress this weekend, after installing the disks and recreating the VMs.
Status: NEW => ASSIGNED
LWN reference for 49.0.2623.75: http://lwn.net/Vulnerabilities/678807/
(In reply to David Walser from comment #6) > LWN reference for 49.0.2623.75: > http://lwn.net/Vulnerabilities/678807/ OpenSuSE has issued an advisory for this on March 6: http://lists.opensuse.org/opensuse-updates/2016-03/msg00019.html
49.0.2623.87 was released yesterday with more security fixes, I will use this version for the update.
Upstream has released version 49.0.2623.75 on March 8: http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html
Summary: chromium-browser-stable security issues fixed in 49.0.2623.75 => chromium-browser-stable security issues fixed in 49.0.2623.87
(In reply to David Walser from comment #9) > Upstream has released version 49.0.2623.75 on March 8: > http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html Oops, that's 49.0.2623.87, as Christiaan said.
LWN reference for 49.0.2623.87: http://lwn.net/Vulnerabilities/679613/ Debian and RedHat have issued advisories for this today (March 10): https://www.debian.org/security/2016/dsa-3513 https://rhn.redhat.com/errata/RHSA-2016-0429.html
Updated packages are available for testing. MGA5 SRPM: chromium-browser-stable-49.0.2623.87-1.mga5.src.rpm RPMS: chromium-browser-stable-49.0.2623.87-1.mga5.i586.rpm chromium-browser-49.0.2623.87-1.mga5.i586.rpm chromium-browser-stable-49.0.2623.87-1.mga5.x86_64.rpm chromium-browser-49.0.2623.87-1.mga5.x86_64.rpm Proposed advisory: Chromium-browser-stable 49.0.2623.87 fixes security issues: Three security issues were found in upstream chromium 49.0.2623.75: type confusion in Blink (CVE-2016-1643), a use-after-free bug in Blink (CVE-2016-1644), and an out-of-bounds write error in PDFium (CVE-2016-1645). The ContainerNode::parserRemoveChild function in WebKit/Source/core/dom/ContainerNode.cpp in Blink, as used in Google Chrome before 49.0.2623.75, mishandles widget updates, which makes it easier for remote attackers to bypass the Same Origin Policy via a crafted web site. (CVE-2016-1630) The PPB_Flash_MessageLoop_Impl::InternalRun function in content/renderer/pepper/ppb_flash_message_loop_impl.cc in the Pepper plugin in Google Chrome before 49.0.2623.75 mishandles nested message loops, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. (CVE-2016-1631) The Extensions subsystem in Google Chrome before 49.0.2623.75 does not properly maintain own properties, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code that triggers an incorrect cast, related to extensions/renderer/v8_helpers.h and gin/converter.h. (CVE-2016-1632) Use-after-free vulnerability in Blink, as used in Google Chrome before 49.0.2623.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2016-1633) Use-after-free vulnerability in the StyleResolver::appendCSSStyleSheet function in WebKit/Source/core/css/resolver/StyleResolver.cpp in Blink, as used in Google Chrome before 49.0.2623.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that triggers Cascading Style Sheets (CSS) style invalidation during a certain subtree-removal action. (2016-1634) extensions/renderer/render_frame_observer_natives.cc in Google Chrome before 49.0.2623.75 does not properly consider object lifetimes and re-entrancy issues during OnDocumentElementCreated handling, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via unknown vectors. (CVE-2016-1635) The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead of integrity-check successes, which allows remote attackers to bypass the Subresource Integrity (aka SRI) protection mechanism by triggering two loads of the same resource. (CVE-2016-1636) The SkATan2_255 function in effects/gradients/SkSweepGradient.cpp in Skia, as used in Google Chrome before 49.0.2623.75, mishandles arctangent calculations, which allows remote attackers to obtain sensitive information via a crafted web site. (CVE-2016-1637) extensions/renderer/resources/platform_app.js in the Extensions subsystem in Google Chrome before 49.0.2623.75 does not properly restrict use of Web APIs, which allows remote attackers to bypass intended access restrictions via a crafted platform app. (CVE-2016-1638) Use-after-free vulnerability in browser/extensions/api/webrtc_audio_private/webrtc_audio_private_api.cc in the WebRTC Audio Private API implementation in Google Chrome before 49.0.2623.75 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect reliance on the resource context pointer. (CVE-2016-1639) The Web Store inline-installer implementation in the Extensions UI in Google Chrome before 49.0.2623.75 does not block installations upon deletion of an installation frame, which makes it easier for remote attackers to trick a user into believing that an installation request originated from the user's next navigation target via a crafted web site. (CVE-2016-1640) Use-after-free vulnerability in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 49.0.2623.75 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an image download after a certain data structure is deleted, as demonstrated by a favicon.ico download. (CVE-2016-1641) Multiple unspecified vulnerabilities in Google Chrome before 49.0.2623.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2016-1642) Google Chrome before 48.0.2564.116 allows remote attackers to bypass the Blink Same Origin Policy and a sandbox protection mechanism via unspecified vectors. (CVE-2016-1629) The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code. (CVE-2016-1622) The DOM implementation in Google Chrome before 48.0.2564.109 does not properly restrict frame-attach operations from occurring during or after frame-detach operations, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to FrameLoader.cpp, HTMLFrameOwnerElement.h, LocalFrame.cpp, and WebLocalFrameImpl.cpp. (CVE-2016-1623) Integer underflow in the ProcessCommandsInternal function in dec/decode.c in Brotli, as used in Google Chrome before 48.0.2564.109, allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted data with brotli compression. (CVE-2016-1624) The Chrome Instant feature in Google Chrome before 48.0.2564.109 does not ensure that a New Tab Page (NTP) navigation target is on the most-visited or suggestions list, which allows remote attackers to bypass intended restrictions via unspecified vectors, related to instant_service.cc and search_tab_helper.cc. (CVE-2016-1625) The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, miscalculates a certain layer index value, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. (CVE-2016-1626) pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions. (CVE-2016-1628) The Developer Tools (aka DevTools) subsystem in Google Chrome before 48.0.2564.109 does not validate URL schemes and ensure that the remoteBase parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL, related to browser/devtools/devtools_ui_bindings.cc and WebKit/Source/devtools/front_end/Runtime.js. (CVE-2016-1627) References: http://googlechromereleases.blogspot.com/2016/02/stable-channel-update.html http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_18.html http://googlechromereleases.blogspot.com/2016/03/stable-channel-update.html http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1622 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1623 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1630 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1631 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1632 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1633 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1634 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1635 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1636 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1637 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1638 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1640 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1641 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1642 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1644 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1645
CC: (none) => cjwAssignee: cjw => qa-bugs
Hmm, using the HTML5 player, I am getting repeated crashes in Youtube videos. I can't reproduce that with our last build in updates.
I did get crashes on youtube videos but it looked like the video driver crashed as the video kept playing invisibly (the whole VM screen freezes) - the audio continued and even switched to the next video.
In my case, it was just the tab that would crash. The first time I was able to reload it and play the video, but after restarting the browser, it kept crashing over and over. Even on an error video (one that it won't play with HTML5) it crashed.
Not noticed a crash here, can you give a url David. All otherwise OK mga5 64. Are you mga5 32?
Yes, I'm on i586. I do have some x86_64 installs here now too so I could also test there. Even though I have Chrome installed, it wasn't using Flash in Chromium (although the Adobe Flash test page works, so Flash does work when it's called for), which is also the case with the old version. I was trying to play some Ladyhawke music videos, most of which were VEVO and wouldn't play with the HTML5 player. The video I got to play was Morning Dreams (uploaded by summerlink), should be easy to find. The first time it crashed after a few seconds, and then I reloaded and it played, but after restarting the browser it kept crashing on that one, then even clicking some of her other videos, the ones that won't even play, even those would sometimes crash the tab. I just tried it again and I can still reproduce the problems, and I got crashes with a few other videos I tried too. I got Another Runaway to play fine, but I'm having a harder time finding one that will run fine than I am finding ones that crash.
The VEVO ones are smothered in advertising, including overlaid on top of the video and ads before the video plays, could be related. All play fine here though. I don't have chrome installed. What are you thoughts Christiaan?
Probably with my proxy filters all the VEVO ads are getting blocked. I tried on x86_64, and the HTML5 player still won't play most videos, but while clicking around I didn't get any crashes and Morning Dreams played fine too.
Maybe a specific codec is broken on i586, I can probably use a different display driver in the VM and test a bit more. To see what codec chromium is decoding, load chrome://media-internals in a different tab. If the video crashes quickly it may not be possible to view the info there. NB Note that x86 32-bit google chrome for linux was apparently discontinued with 48 the last released version.
Yes, I'm aware Chrome is dead, and I wonder if having the Chrome 48 Flash plugin loaded (even if it's using the HTML5 player and *using* the plugin) is what causes the crashes.
(In reply to David Walser from comment #21) > Yes, I'm aware Chrome is dead, and I wonder if having the Chrome 48 Flash > plugin loaded (even if it's using the HTML5 player and *using* the plugin) > is what causes the crashes. Nope, that's not the problem. I uninstalled Chrome and I'm still getting crashes in Chromium.
Error messages in the console show the stack trace, and I've noticed it's always a MAPERR. Received signal 11 SEGV_MAPERR 0000c1d4e63d #0 0x00008089b30c <unknown> #1 0x00008089b746 <unknown> #2 0x0000b779bbc8 ([vdso]+0xbc7) #3 0x000021627ea1 <unknown> #4 0x000026e106be <unknown> #5 0x000041370559 <unknown> #6 0x000026e106be <unknown> #7 0x0000538cfbde <unknown> #8 0x000026e106be <unknown> #9 0x00005385816c <unknown> #10 0x000026e106be <unknown> #11 0x000053857e86 <unknown> #12 0x000026e106be <unknown> #13 0x000026e2f441 <unknown> #14 0x000026e1a27f <unknown> #15 0x00008154e146 <unknown> gs: 00000033 fs: 00000000 es: 0000007b ds: 0000007b edi: 00000002 esi: 57a09d15 ebp: bf9181dc esp: bf9181ac ebx: 816faae0 edx: 893a6a40 ecx: 57a09d8d eax: c1d4e635 trp: 0000000e err: 00000005 ip: 21627ea1 cs: 00000073 efl: 00210202 usp: bf9181ac ss: 0000007b [end of stack trace]
Media internals from Morning Dreams: render_id: 16 player_id: 21 pipeline_state: kPlaying event: PLAY url: blob:https%3A//www.youtube.com/d6b2df4a-f7df-4eed-9d5e-d1ef00100342 duration: 410.801 found_video_stream: true video_codec_name: vp9 info: (Log limit reached. Further similar entries may be suppressed): Estimating WebM block duration to be 167ms for the last (Simple)Block in the Cluster for this Track. Use BlockGroups with BlockDurations at the end of each Track in a Cluster to avoid estimation. found_audio_stream: true audio_codec_name: opus audio_dds: false audio_decoder: FFmpegAudioDecoder video_dds: false video_decoder: VpxVideoDecoder
I don't think the media details matter, and I just got that video to play through fine again.
Ooh, got this this time: Received signal 11 SEGV_ACCERR 000035b3bcbc Playing with this more (Chrome installed again) I've seen crashes on videos using the HTML5 player and on ones using Flash (sometimes it'll switch to Flash on the ones HTML5 can't play, probably aac ones).
So far I have not had any crashes on x86-64 but only played a few videos. I'll create an mga5 x86 VM and check what happens there.
Tried this on my computer at home, same thing, crashing like crazy on YouTube all around.
Whiteboard: (none) => feedback
I created a mga5 x86 VM and chromium 49 crashes there as well. Unfortunately a backtrace doesn't show anything obvious - it appears to crash in javascript. Valgrind does not work for complex pages like youtube (probably some timeout expires). Actually chromium itself sometimes emits a long javascript backtrace but I don't know anything about that.
Are the crashes specific to youtube or is it all html5 video?
Is there any progress with this issue please?
Probably gonna take a new upstream release unless someone can debug these crashes and fix it themselves. Nothing new from upstream yet.
I installed the cauldron i586 build in my cauldron x86-64 VM but could not get chromium to crash there. It looks like a problem specific to the mga5 build, possibly related to vpx decoding (one of the few clear differences between the two builds).
With the Mageia 5 build using the bundled libvpx, I wouldn't expect a problem with that. Or should the unbled-libvpx_new-fix.patch be removed in Mageia 5? In Cauldron it's built with cflags -D_XOPEN_SOURCE=600 -D_DEFAULT_SOURCE=1. Should it have that in Mageia 5 or is that only needed for newer glibc/gcc?
(In reply to David Walser from comment #34) > With the Mageia 5 build using the bundled libvpx, I wouldn't expect a > problem with that. Or should the unbled-libvpx_new-fix.patch be removed in > Mageia 5? > > In Cauldron it's built with cflags -D_XOPEN_SOURCE=600 -D_DEFAULT_SOURCE=1. > Should it have that in Mageia 5 or is that only needed for newer glibc/gcc? I wouldn't expect the bundled libvpx to be a problem either, but chromium is built against system ffmpeg which uses the system libvpx which might cause issues. unbundle-libvpx_new-fix.patch can't cause problems - the patched file is not used -D_XOPEN_SOURCE=600 -D_DEFAULT_SOURCE=1 - No compilation warning caused by this, so this can't really be a problem. I did find "../../media/base/mime_util.cc:681:10: warning: enumeration value 'MP2' not handled in switch [-Wswitch]" which is most likely caused by one of my patches so I'll see if I can fix that one (but it is the same in cauldron).
Indeed, libvpx is not the cause of the crash, so it must be something else. When built for mga5 i586 using clang instead of gcc, this chromium version does not crash in a short test. I suppose I could add a subrel and upload the updated package.
Still no crash in a longer test on youtube, maybe the problem is really gone. Updated packages available: MGA5 SRPM: chromium-browser-stable-49.0.2623.87-1.1.mga5.src.rpm RPMS: chromium-browser-stable-49.0.2623.87-1.1.mga5.i586.rpm chromium-browser-49.0.2623.87-1.1.mga5.i586.rpm chromium-browser-stable-49.0.2623.87-1.1.mga5.x86_64.rpm chromium-browser-49.0.2623.87-1.1.mga5.x86_64.rpm
Yes, this one works fine on Mageia 5 i586.
Whiteboard: feedback => MGA5-32-OK
I just tested on x86_64 and every time I close it, it launches the KWallet Setup. What's that about?
David: On close is pretty odd. Usually I get it on launch presumably because I have the sync set up. Will test 64-bit shortly.
CC: (none) => wrw105
Tested mga5-64. General browsing, jetstream for javascript, acid3, video on YouTube. All OK. Validating. ready for push when advisory added to svn.
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-okCC: (none) => sysadmin-bugs
What about the KWallet problem? This was on a fresh profile.
I've had kwallet come up on chromium going back as far as I've used it. I'm pretty sure chromium uses it for saving passwords, but using kwallet is certainly nothing new.
I don't recall it ever launching KWallet on i586, and I wasn't doing anything involving passwords, and having it launch it when Chromium exits is clearly wrong.
I do not use keyrings (nor kde) chromium must be sending something on dbus, right? On my dev build, I see: method call time=1458801586.055580 sender=:1.27 -> destination=:1.3 serial=131 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems so run dbus-monitor and check if this is what causes kwalletsomething to pop up...
I don't use KWallet myself either. I've confirmed this on another computer. The previous version doesn't exhibit this behavior. This is what dbus-monitor shows when I close Chromium: method call sender=:1.82 -> dest=org.kde.kwalletd serial=5 path=/modules/kwalletd; interface=org.kde.KWallet; member=open string "kdewallet" int64 0 string "Chromium" signal sender=:1.22 -> dest=(null destination) serial=355 path=/net/launchpad/DockManager; interface=net.launchpad.DockManager; member=ItemRemoved object path "/net/launchpad/DockManager/Item15"
Keywords: validated_update => (none)Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK feedback
chromium supposte gnome keyring and kwallet password storage systems as can be seen from this command-line option: --password-store=<basic|gnome|kwallet> Set the password store to use. The default is to automatically detect based on the desktop environment. basic selects the built in, unencrypted password store. gnome selects Gnome keyring. kwallet selects (KDE) KWallet. (Note that KWallet may not work reliably outside KDE.) I installed kde and logged in as a new user, and I got a kwallet dialog upon opening the chromium settings (so not when closing the browser). After selecting basic setup, then finish (this disables kwallet AFAICT), the kwallet dialog did not pop up the next time.
Version 49.0.2623.108 was released March 24th, fixing more security issues: http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html
Summary: chromium-browser-stable security issues fixed in 49.0.2623.87 => chromium-browser-stable security issues fixed in 49.0.2623.108Whiteboard: MGA5-32-OK feedback => feedback
I was going to do the advisory for this, but that looks premature. The RPMs as in Comment 37, or await an update (Comment 48)?
CC: (none) => lewyssmith
A new update to 49.0.2623.108 is coming. There will be a new advisory.
Oops, I forgot to remove the subrel. New packages are available: MGA5 SRPM: chromium-browser-stable-49.0.2623.108-1.1.mga5.src.rpm RPMS: chromium-browser-stable-49.0.2623.108-1.1.mga5.i586.rpm chromium-browser-49.0.2623.108-1.1.mga5.i586.rpm chromium-browser-stable-49.0.2623.108-1.1.mga5.x86_64.rpm chromium-browser-49.0.2623.108-1.1.mga5.x86_64.rpm Updated advisory: Chromium-browser-stable 49.0.2623.108 fixes security issues: Multiple security issues were found in upstream chromium 49.0.2623.87: an out-of-bounds read problem in V8 (CVE-2016-1646), use-after-free bugs in Navigation (CVE-2016-1647) and Extensions (CVE-2016-1648); a buffer overflow in libANGLE (CVE-2016-1649), various security issues found in internal audits, fuzzing, and other initiatives (CVE-2016-1650); multiple vulnerabilities in V8 were fixed in 4.9.385.33. The ImageInputType::ensurePrimaryContent function in WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly maintain the user agent shadow DOM, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." (CVE-2016-1643) WebKit/Source/core/layout/LayoutObject.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly restrict relayout scheduling, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted HTML document. (CVE-2016-1644) Multiple integer signedness errors in the opj_j2k_update_image_data function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 49.0.2623.87, allow remote attackers to cause a denial of service (incorrect cast and out-of-bounds write) or possibly have unspecified other impact via crafted JPEG 2000 data. (CVE-2016-1645) The ContainerNode::parserRemoveChild function in WebKit/Source/core/dom/ContainerNode.cpp in Blink, as used in Google Chrome before 49.0.2623.75, mishandles widget updates, which makes it easier for remote attackers to bypass the Same Origin Policy via a crafted web site. (CVE-2016-1630) The PPB_Flash_MessageLoop_Impl::InternalRun function in content/renderer/pepper/ppb_flash_message_loop_impl.cc in the Pepper plugin in Google Chrome before 49.0.2623.75 mishandles nested message loops, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. (CVE-2016-1631) The Extensions subsystem in Google Chrome before 49.0.2623.75 does not properly maintain own properties, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code that triggers an incorrect cast, related to extensions/renderer/v8_helpers.h and gin/converter.h. (CVE-2016-1632) Use-after-free vulnerability in Blink, as used in Google Chrome before 49.0.2623.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2016-1633) Use-after-free vulnerability in the StyleResolver::appendCSSStyleSheet function in WebKit/Source/core/css/resolver/StyleResolver.cpp in Blink, as used in Google Chrome before 49.0.2623.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that triggers Cascading Style Sheets (CSS) style invalidation during a certain subtree-removal action. (2016-1634) extensions/renderer/render_frame_observer_natives.cc in Google Chrome before 49.0.2623.75 does not properly consider object lifetimes and re-entrancy issues during OnDocumentElementCreated handling, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via unknown vectors. (CVE-2016-1635) The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead of integrity-check successes, which allows remote attackers to bypass the Subresource Integrity (aka SRI) protection mechanism by triggering two loads of the same resource. (CVE-2016-1636) The SkATan2_255 function in effects/gradients/SkSweepGradient.cpp in Skia, as used in Google Chrome before 49.0.2623.75, mishandles arctangent calculations, which allows remote attackers to obtain sensitive information via a crafted web site. (CVE-2016-1637) extensions/renderer/resources/platform_app.js in the Extensions subsystem in Google Chrome before 49.0.2623.75 does not properly restrict use of Web APIs, which allows remote attackers to bypass intended access restrictions via a crafted platform app. (CVE-2016-1638) Use-after-free vulnerability in browser/extensions/api/webrtc_audio_private/webrtc_audio_private_api.cc in the WebRTC Audio Private API implementation in Google Chrome before 49.0.2623.75 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect reliance on the resource context pointer. (CVE-2016-1639) The Web Store inline-installer implementation in the Extensions UI in Google Chrome before 49.0.2623.75 does not block installations upon deletion of an installation frame, which makes it easier for remote attackers to trick a user into believing that an installation request originated from the user's next navigation target via a crafted web site. (CVE-2016-1640) Use-after-free vulnerability in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 49.0.2623.75 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an image download after a certain data structure is deleted, as demonstrated by a favicon.ico download. (CVE-2016-1641) Multiple unspecified vulnerabilities in Google Chrome before 49.0.2623.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2016-1642) Google Chrome before 48.0.2564.116 allows remote attackers to bypass the Blink Same Origin Policy and a sandbox protection mechanism via unspecified vectors. (CVE-2016-1629) The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code. (CVE-2016-1622) The DOM implementation in Google Chrome before 48.0.2564.109 does not properly restrict frame-attach operations from occurring during or after frame-detach operations, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to FrameLoader.cpp, HTMLFrameOwnerElement.h, LocalFrame.cpp, and WebLocalFrameImpl.cpp. (CVE-2016-1623) Integer underflow in the ProcessCommandsInternal function in dec/decode.c in Brotli, as used in Google Chrome before 48.0.2564.109, allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted data with brotli compression. (CVE-2016-1624) The Chrome Instant feature in Google Chrome before 48.0.2564.109 does not ensure that a New Tab Page (NTP) navigation target is on the most-visited or suggestions list, which allows remote attackers to bypass intended restrictions via unspecified vectors, related to instant_service.cc and search_tab_helper.cc. (CVE-2016-1625) The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, miscalculates a certain layer index value, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. (CVE-2016-1626) pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions. (CVE-2016-1628) The Developer Tools (aka DevTools) subsystem in Google Chrome before 48.0.2564.109 does not validate URL schemes and ensure that the remoteBase parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL, related to browser/devtools/devtools_ui_bindings.cc and WebKit/Source/devtools/front_end/Runtime.js. (CVE-2016-1627) References: http://googlechromereleases.blogspot.com/2016/02/stable-channel-update.html http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_18.html http://googlechromereleases.blogspot.com/2016/03/stable-channel-update.html http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1622 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1623 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1630 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1631 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1632 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1633 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1634 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1635 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1636 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1637 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1638 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1640 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1641 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1642 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1644 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1645 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1646 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1648 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1649 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1650
Working fine on Mageia 5 i586 and x86_64, except that it's still popping up KWallet when I close it on x86_64 :o(
LWN reference for 49.0.2623.108: http://lwn.net/Vulnerabilities/681568/
(In reply to David Walser from comment #52) > Working fine on Mageia 5 i586 and x86_64, except that it's still popping up > KWallet when I close it on x86_64 :o( Can you take a screenshot of the kwallet window and explain what you do to get rid of it? Then maybe we can find a maintainer for kwallet and figure out what's going on. For chromium, kwallet is presumably a service without any user interface, so I don't really see how chromium can cause the problem you describe.
Created attachment 7609 [details] KWallet
What I do to get rid of it? I close it, of course. Of course Chromium is causing the problem I describe. With the last version we have in updates, this doesn't happen. With the updates_testing version, I can reliably reproduce every time, when I close Chromium, it pops up this KWallet window.
(In reply to David Walser from comment #56) > What I do to get rid of it? I close it, of course. What I did was click "next", then "finish". After that the kwallet dialog did not reappear.
(In reply to Christiaan Welvaart from comment #57) > (In reply to David Walser from comment #56) > > What I do to get rid of it? I close it, of course. > > What I did was click "next", then "finish". After that the kwallet dialog > did not reappear. That's good to know, but it shouldn't pop up in the first place, and it didn't with previous versions. As we now have students using this, I don't want this thing popping up on them.
Testing M5 x64 Using LXDE desktop, but I have KDE & Kwallet about the place. Kwallet causes me a lot of grief the instant that I use KDE or invoke some KDE applications, like KNotes (in Systray). But it is not popping the dialogue David sees, being already configured; just repeated requests for Radicale related passwords - even though that daemon is STOPPED. BEFORE update Installed & played minimally with Chromium-stable from normal repos. No specific problems. AFTER update to: chromium-browser-stable-49.0.2623.108-1.1.mga5 It seemed to work as previously; and thank goodness, no Kwallet hassle. We need more people to try this. David's problem is I guess more likely to be down to Kwallet than Chromium, even though the latter is triggering it. Holding OK and the Advisory for the moment.
to disable kwallet completely: add the file /var/lib/mageia/kde4-profiles/common/share/config/kwalletrc with contents: [Wallet] Enabled=false
It would be better if it wasn't called KWallet when you close it to begin with, but I can confirm that that setting does fix the problem.
Happy to proceed David?
There has to be a way to fix this. I don't believe Chrome does this, though I should confirm that when I get to work.
OK, Google Chrome does it too. I guess it's a new "feature." Ugh. Validating this now as it otherwise works fine on both arches. Package list and advisory in Comment 51.
Keywords: (none) => validated_updateWhiteboard: feedback => MGA5-32-OK MGA5-64-OK
CC: (none) => davidwhodginsWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0127.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
CVE-2016-3679 was fixed in the bundled v8 library in this update: http://lwn.net/Vulnerabilities/682155/