Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 537366 - <www-client/chromium-40.0.2214.91: multiple vulnerabilities (CVE-2014-{7923,7924,7925,7926,7927,7928,7929,7930,7931,7932,7933,7934,7935,7936,7937,7938,7939,7940,7941,7942,7943,7944,7945,7946,7947,7948,9646,9647,9648},CVE-2015-{1205,1346,1359,1360,1361})
Summary: <www-client/chromium-40.0.2214.91: multiple vulnerabilities (CVE-2014-{7923,7...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-22 17:08 UTC by Agostino Sarubbo
Modified: 2019-09-08 18:22 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-22 17:08:40 UTC
From ${URL} :

The Chrome team is delighted to announce the promotion of Chrome 40 to the stable channel for Windows, Mac and Linux. Chrome 40.0.2214.91 contains a number of fixes and improvements, including:
Updated info dialog for Chrome app on Windows and Linux.
A new clock behind/ahead error message.
A partial list of changes is available in the log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 62 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information. 

[$5000][430353] High CVE-2014-7923: Memory corruption in ICU. Credit to yangdingning.
[$4500][435880] High CVE-2014-7924: Use-after-free in IndexedDB. Credit to Collin Payne.
[$4000][434136] High CVE-2014-7925: Use-after-free in WebAudio. Credit to mark.buer.
[$4000][422824] High CVE-2014-7926: Memory corruption in ICU. Credit to yangdingning.
[$3500][444695] High CVE-2014-7927: Memory corruption in V8. Credit to Christian Holler.
[$3500][435073] High CVE-2014-7928: Memory corruption in V8. Credit to Christian Holler.
[$3000][442806] High CVE-2014-7930: Use-after-free in DOM. Credit to cloudfuzzer.
[$3000][442710] High CVE-2014-7931: Memory corruption in V8. Credit to cloudfuzzer.
[$2000][443115] High CVE-2014-7929: Use-after-free in DOM. Credit to cloudfuzzer.
[$2000][429666] High CVE-2014-7932: Use-after-free in DOM. Credit to Atte Kettunen of OUSPG.
[$2000][427266] High CVE-2014-7933: Use-after-free in FFmpeg. Credit to aohelin.
[$2000][427249] High CVE-2014-7934: Use-after-free in DOM. Credit to cloudfuzzer.
[$2000][402957] High CVE-2014-7935: Use-after-free in Speech. Credit to Khalil Zhani.
[$1500][428561] High CVE-2014-7936: Use-after-free in Views. Credit to Christoph Diehl.
[$1500][419060] High CVE-2014-7937: Use-after-free in FFmpeg. Credit to Atte Kettunen of OUSPG.
[$1000][416323] High CVE-2014-7938: Memory corruption in Fonts. Credit to Atte Kettunen of OUSPG.
[$1000][399951] High CVE-2014-7939: Same-origin-bypass in V8. Credit to Takeshi Terada.
[$1000][433866] Medium CVE-2014-7940: Uninitialized-value in ICU. Credit to miaubiz.
[$1000][428557] Medium CVE-2014-7941: Out-of-bounds read in UI. Credit to Atte Kettunen of OUSPG and Christoph Diehl.
[$1000][426762] Medium CVE-2014-7942: Uninitialized-value in Fonts. Credit to miaubiz.
[$1000][422492] Medium CVE-2014-7943: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
[$1000][418881] Medium CVE-2014-7944: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
[$1000][414310] Medium CVE-2014-7945: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
[$1000][414109] Medium CVE-2014-7946: Out-of-bounds read in Fonts. Credit to miaubiz.
[$500][430566] Medium CVE-2014-7947: Out-of-bounds read in PDFium. Credit to fuzztercluck.
[$500][414026] Medium CVE-2014-7948: Caching error in AppCache. Credit to jiayaoqijia.


We would also like to thank Atte Kettunen of OUSPG, Christian Holler, cloudfuzzer and Khalil Zhani for working with us during the development cycle to prevent security bugs from ever reaching the stable channel. $35000 in additional rewards were issued.

As usual, our ongoing internal security work was responsible for a wide range of fixes
[449894] CVE-2015-1205: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 3.30 branch (currently 3.30.33.15).
Many of the above bugs were detected using AddressSanitizer or MemorySanitizer.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2015-01-22 18:37:10 UTC
I am still waiting for upstream to post a tarball for 40.0.2214.91.
Comment 2 Mike Gilbert gentoo-dev 2015-01-23 17:52:17 UTC
I had to use the "fat" tarball since the "lite" tarball is still missing. 40.2214.91 is now in the tree.

Please stabilize on amd64 and x86.
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-23 21:02:58 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-23 21:03:13 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-23 22:35:26 UTC
CVE-2014-7948 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7948):
  The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in
  content/browser/appcache/appcache_update_job.cc in Google Chrome before
  40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there
  is an X.509 certificate error, which allows man-in-the-middle attackers to
  spoof HTML5 application content via a crafted certificate.

CVE-2014-7947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7947):
  OpenJPEG before r2944, as used in PDFium in Google Chrome before
  40.0.2214.91, allows remote attackers to cause a denial of service
  (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c,
  pi.c, t1.c, t2.c, and tcd.c.

CVE-2014-7946 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7946):
  The RenderTable::simplifiedNormalFlowLayout function in
  core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before
  40.0.2214.91, skips captions during table layout in certain situations,
  which allows remote attackers to cause a denial of service (out-of-bounds
  read) via unspecified vectors related to the Fonts implementation.

CVE-2014-7945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7945):
  OpenJPEG before r2908, as used in PDFium in Google Chrome before
  40.0.2214.91, allows remote attackers to cause a denial of service
  (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c,
  and t2.c.

CVE-2014-7944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7944):
  The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium,
  as used in Google Chrome before 40.0.2214.91, does not properly handle odd
  values of image width, which allows remote attackers to cause a denial of
  service (out-of-bounds read) via a crafted PDF document.

CVE-2014-7943 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7943):
  Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers
  to cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2014-7942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7942):
  The Fonts implementation in Google Chrome before 40.0.2214.91 does not
  initialize memory for a data structure, which allows remote attackers to
  cause a denial of service or possibly have unspecified other impact via
  unknown vectors.

CVE-2014-7941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7941):
  The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc
  in the UI implementation in Google Chrome before 40.0.2214.91 uses an
  incorrect data type for a certain length value, which allows remote
  attackers to cause a denial of service (out-of-bounds read) via crafted X11
  data.

CVE-2014-7940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7940):
  The collator implementation in i18n/ucol.cpp in International Components for
  Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome
  before 40.0.2214.91, does not initialize memory for a data structure, which
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via a crafted character sequence.

CVE-2014-7939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7939):
  Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is
  enabled, allows remote attackers to bypass the Same Origin Policy via
  crafted JavaScript code with Proxy.create and console.log calls, related to
  HTTP responses that lack an "X-Content-Type-Options: nosniff" header.

CVE-2014-7938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7938):
  The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote
  attackers to cause a denial of service (memory corruption) or possibly have
  unspecified other impact via unknown vectors.

CVE-2014-7937 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7937):
  Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2,
  as used in Google Chrome before 40.0.2214.91, allow remote attackers to
  cause a denial of service (use-after-free) or possibly have unspecified
  other impact via crafted Vorbis I data.

CVE-2014-7936 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7936):
  Use-after-free vulnerability in the ZoomBubbleView::Close function in
  browser/ui/views/location_bar/zoom_bubble_view.cc in the Views
  implementation in Google Chrome before 40.0.2214.91 allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via a
  crafted document that triggers improper maintenance of a zoom bubble.

CVE-2014-7935 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7935):
  Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the
  Speech implementation in Google Chrome before 40.0.2214.91 allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via vectors involving utterances from a closed tab.

CVE-2014-7934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7934):
  Use-after-free vulnerability in the DOM implementation in Blink, as used in
  Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial
  of service or possibly have unspecified other impact via vectors related to
  unexpected absence of document data structures.

CVE-2014-7933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7933):
  Use-after-free vulnerability in the matroska_read_seek function in
  libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome
  before 40.0.2214.91, allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted Matroska file that
  triggers improper maintenance of tracks data.

CVE-2014-7932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7932):
  Use-after-free vulnerability in the Element::detach function in
  core/dom/Element.cpp in the DOM implementation in Blink, as used in Google
  Chrome before 40.0.2214.91, allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via vectors involving
  pending updates of detached elements.

CVE-2014-7931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7931):
  factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91,
  allows remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via crafted JavaScript code that
  triggers improper maintenance of backing-store pointers.

CVE-2014-7930 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7930):
  Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the
  DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91,
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via crafted JavaScript code that triggers improper
  maintenance of TreeScope data.

CVE-2014-7929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7929):
  Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument
  function in core/html/HTMLScriptElement.cpp in the DOM implementation in
  Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors involving movement of a SCRIPT element across documents.

CVE-2014-7928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7928):
  hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does
  not properly handle arrays with holes, which allows remote attackers to
  cause a denial of service (memory corruption) or possibly have unspecified
  other impact via crafted JavaScript code that triggers an array copy.

CVE-2014-7927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7927):
  The SimplifiedLowering::DoLoadBuffer function in
  compiler/simplified-lowering.cc in Google V8, as used in Google Chrome
  before 40.0.2214.91, does not properly choose an integer data type, which
  allows remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via crafted JavaScript code.

CVE-2014-7926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7926):
  The Regular Expressions package in International Components for Unicode
  (ICU) 52 before SVN revision 292944, as used in Google Chrome before
  40.0.2214.91, allows remote attackers to cause a denial of service (memory
  corruption) or possibly have unspecified other impact via vectors related to
  a (1) zero-length quantifier or (2) look-behind expression, a different
  vulnerability than CVE-2014-7923.

CVE-2014-7925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7925):
  Use-after-free vulnerability in the WebAudio implementation in Blink, as
  used in Google Chrome before 40.0.2214.91, allows remote attackers to cause
  a denial of service or possibly have unspecified other impact via vectors
  that trigger an audio-rendering thread in which AudioNode data is improperly
  maintained.

CVE-2014-7924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7924):
  Use-after-free vulnerability in the IndexedDB implementation in Google
  Chrome before 40.0.2214.91 allows remote attackers to cause a denial of
  service or possibly have unspecified other impact by triggering duplicate
  BLOB references, related to
  content/browser/indexed_db/indexed_db_callbacks.cc and
  content/browser/indexed_db/indexed_db_dispatcher_host.cc.

CVE-2014-7923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7923):
  The Regular Expressions package in International Components for Unicode
  (ICU) 52 before SVN revision 292944, as used in Google Chrome before
  40.0.2214.91, allows remote attackers to cause a denial of service (memory
  corruption) or possibly have unspecified other impact via vectors related to
  a (1) zero-length quantifier or (2) look-behind expression, a different
  vulnerability than CVE-2014-7926.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-01-23 22:39:30 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-13 17:52:59 UTC
CVE-2015-1361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1361):
  platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome
  before 40.0.2214.91, does not initialize a variable that is used in calls to
  the Skia SkBitmap::setAlphaType function, which might allow remote attackers
  to cause a denial of service or possibly have unspecified other impact via a
  crafted HTML document, a different vulnerability than CVE-2015-1205.

CVE-2015-1360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1360):
  Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers
  to cause a denial of service (buffer over-read) or possibly have unspecified
  other impact via crafted data that is improperly handled during text
  drawing, related to gpu/GrBitmapTextContext.cpp and
  gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than
  CVE-2015-1205.

CVE-2015-1359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1359):
  Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as
  used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a
  denial of service (buffer overflow) or possibly have unspecified other
  impact via a crafted PDF document, related to an "intra-object-overflow"
  issue, a different vulnerability than CVE-2015-1205.

CVE-2015-1346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1346):
  Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, as used
  in Google Chrome before 40.0.2214.91, allow attackers to cause a denial of
  service or possibly have other impact via unknown vectors.

CVE-2015-1205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1205):
  Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91
  allow attackers to cause a denial of service or possibly have other impact
  via unknown vectors.

CVE-2014-9648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9648):
  components/navigation_interception/intercept_navigation_resource_throttle.cc
  in Google Chrome before 40.0.2214.91 on Android does not properly restrict
  use of intent: URLs to open an application after navigation to a web site,
  which allows remote attackers to cause a denial of service (loss of browser
  access to that site) via crafted JavaScript code, as demonstrated by
  pandora.com and the Pandora application, a different vulnerability than
  CVE-2015-1205.

CVE-2014-9647 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9647):
  Use-after-free vulnerability in PDFium, as used in Google Chrome before
  40.0.2214.91, allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted PDF document, related
  to fpdfsdk/src/fpdfview.cpp and fpdfsdk/src/fsdk_mgr.cpp, a different
  vulnerability than CVE-2015-1205.

CVE-2014-9646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9646):
  Unquoted Windows search path vulnerability in the
  GoogleChromeDistribution::DoPostUninstallOperations function in
  installer/util/google_chrome_distribution.cc in the uninstall-survey feature
  in Google Chrome before 40.0.2214.91 allows local users to gain privileges
  via a Trojan horse program in the %SYSTEMDRIVE% directory, as demonstrated
  by program.exe, a different vulnerability than CVE-2015-1205.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-17 22:29:57 UTC
This issue was resolved and addressed in
 GLSA 201502-13 at http://security.gentoo.org/glsa/glsa-201502-13.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-08 18:22:40 UTC
Restricting spam.