Bug 499502 - <www-client/chromium-32.0.1700.102: multiple vulnerabilities (CVE-2013-{6649,6650},CVE-2014-1681)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2014-01-27 21:45 UTC by Ulenrich
Modified: 2014-03-05 11:23 UTC
Description Ulenrich 2014-01-27 21:45:00 UTC
www-client/chromium-32.0.1700.102 !
Comment 1 Agostino Sarubbo gentoo-dev 2014-01-28 09:59:01 UTC
Some vulnerabilities have been reported in Google Chrome where some have an unknown impact and others can be exploited by malicious people to compromise a user's system.

1) Some unspecified errors exist. No further information is currently available.

2) A use-after-free error exists when handling SVG images.

3) An error related to v8 can be exploited to corrupt memory.

Successful exploitation of the vulnerabilities #2 and #3 may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 32.0.1700.102.


Solution:
Update to version 32.0.1700.102.
Comment 2 Mike Gilbert gentoo-dev 2014-01-30 17:59:10 UTC
Sorry, please proceed with stabilizing chromium-32.0.1700.102.
Comment 3 Richard Freeman gentoo-dev 2014-01-30 21:16:52 UTC
amd64 stable
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-02-04 17:48:35 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:11:39 UTC
CVE-2014-1681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1681):
  Multiple unspecified vulnerabilities in Google Chrome before 32.0.1700.102
  have unknown impact and attack vectors, related to 12 "security fixes [that
  were not] either contributed by external researchers or particularly
  interesting."

CVE-2013-6650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6650):
  The StoreBuffer::ExemptPopularPages function in store-buffer.cc in Google V8
  before 3.22.24.16, as used in Google Chrome before 32.0.1700.102, allows
  remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via vectors that trigger incorrect
  handling of "popular pages."

CVE-2013-6649 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6649):
  Use-after-free vulnerability in the RenderSVGImage::paint function in
  core/rendering/svg/RenderSVGImage.cpp in Blink, as used in Google Chrome
  before 32.0.1700.102, allows remote attackers to cause a denial of service
  or possibly have unspecified other impact via vectors involving a zero-size
  SVG image.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-02-13 17:05:30 UTC
Maintainer(s), thank you for cleanup ahead of time.

Added to existing GLSA Draft.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-03-05 11:23:37 UTC
This issue was resolved and addressed in
 GLSA 201403-01 at http://security.gentoo.org/glsa/glsa-201403-01.xml
by GLSA coordinator Mikle Kolyada (Zlogene).