Bug 335750 - <www-client/chromium-6.0.472.59 multiple vulnerabilities (CVE-2010-{3111,3246,3247,3248,3249,3250,3251,3252,3253,3254,3256,3258,3411,3412,3413,3415,3416,3417})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-03 03:09 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-09-10 23:57 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-03 03:09:52 UTC
See the release notes at http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

Some details:

[34414] Low Pop-up blocker bypass with blank frame target. Credit to Google Chrome Security Team (Inferno) and “ironfist99”.
[37201] Medium URL bar visual spoofing with homographic sequences. Credit to Chris Weber of Casaba Security.
[41654] Medium Apply more restrictions on setting clipboard content. Credit to Brook Novak.
[45659] High Stale pointer with SVG filters. Credit to Tavis Ormandy of the Google Security Team.
[45876] Medium Possible installed extension enumeration. Credit to Lostmon.
[46750] [51846] Low Browser NULL crash with WebSockets. Credit to Google Chrome Security Team (SkyLined), Google Chrome Security Team (Justin Schuh) and Keith Campbell.
[$1000] [50386] High Use-after-free in Notifications presenter. Credit to Sergey Glazunov.
[50839] High Notification permissions memory corruption. Credit to Michal Zalewski of the Google Security Team and Google Chrome Security Team (SkyLined).
[$1337] [51630] [51739] High Integer errors in WebSockets. Credit to Keith Campbell and Google Chrome Security Team (Cris Neckar).
[$500] [51653] High Memory corruption with counter nodes. Credit to kuzzcc.
[51727] Low Avoid storing excessive autocomplete entries. Credit to Google Chrome Security Team (Inferno).
[52443] High Stale pointer in focus handling. Credit to VUPEN Vulnerability Research Team (VUPEN-SR-2010-249).
[$1000] [52682] High Sandbox parameter deserialization error. Credit to Ashutosh Mehra and Vineet Batra of the Adobe Reader Sandbox Team.
[$500] [53001] Medium Cross-origin image theft. Credit to Isaac Dawson.

You can read more about the severity ratings at
http://sites.google.com/a/chromium.org/dev/developers/severity-guidelines. I
suggest rating it B2 on the Gentoo scale.

Security, this bug sort of obsoletes bug #333559 (you now have 5
www-client/chromium bugs in the queue).

Arches, please test and stabilize. In case you don't like it, I think we can consider lowering the cups dependency to the previous level. If you want that, please test printing with the current stable cups.
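The URL bar item in the list above ([37201], later CVE-2010-3247) comes down to deciding when an IDN hostname may be displayed as Unicode at all. What follows is an added example, not code from Chromium or from this bug: a minimal per-label mixed-script check of the kind a URL bar applies, falling back to the punycode form when a label mixes scripts. The script classification from unicodedata.name() is this example's own approximation of the Unicode Script property, and the sample hostnames are constructed.

```python
"""Mixed-script hostname check (added example; not Chromium's code).

Script assignment is approximated from the first word of the Unicode
character name (LATIN, CYRILLIC, GREEK, ...). That is an assumption made
for this example; a real implementation uses the Unicode Script property
plus confusable tables.
"""
import unicodedata

# Characters that belong to no script and may appear in any label.
COMMON_NAME_PREFIXES = {"DIGIT", "HYPHEN-MINUS"}


def script_of(ch: str) -> str:
    """Approximate script of one character from its Unicode name."""
    first_word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return "Common" if first_word in COMMON_NAME_PREFIXES else first_word


def label_scripts(label: str) -> set:
    """Set of non-common scripts used in a single hostname label."""
    return {script_of(c) for c in label} - {"Common"}


def is_mixed_script(label: str) -> bool:
    """True when a single label mixes two or more scripts."""
    return len(label_scripts(label)) > 1


def display_form(hostname: str) -> str:
    """Return the string a URL bar should display for hostname.

    If any label mixes scripts, the whole name is converted to its ASCII
    (punycode) form with the stdlib idna codec, so the user sees xn--...
    instead of a lookalike.
    """
    if any(is_mixed_script(label) for label in hostname.split(".")):
        return hostname.encode("idna").decode("ascii")
    return hostname


if __name__ == "__main__":
    # Constructed samples: plain ASCII, Cyrillic-a lookalike, all-Cyrillic.
    for host in ("apple.com", "\u0430pple.com", "яндекс.рф"):
        print(f"{host!r:22} -> {display_form(host)}")
```

The all-Cyrillic name is still shown as Unicode: a per-label script check does not catch whole-script confusables, which is why browsers additionally keep confusable and allow-list tables. The example only demonstrates the mixed-script rule.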
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-03 08:37:25 UTC
@printing? Is a CUPS from the 1.4 series good to go?
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-03 12:28:25 UTC
Works fine so far as I can print into a file with CUPS 1.3*, but no real test as my normal setup has CUPS 1.4.  Can an archtester please test?
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2010-09-03 17:24:44 UTC
I compiled it on x86:
-) Fonts look pretty different from that in the 5.* branch (this is a feature, right?)
-) Printing with cups 1.3.* works more or less. Fat black boxes appear instead of drop-down lists on webpages, don't know if this is a cups issue though. I also don't want to migrate this stable box to 1.4 yet.
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2010-09-03 17:30:10 UTC
P.S. It also kind of fails the acid3 test here. The score runs to 100, but instead of the colorful squares I get black lines across the whole thing. When 100 is reached everything looks messed up.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-04 01:54:54 UTC
(In reply to comment #3)
> I compiled it on x86:
> -) Fonts look pretty different from that in the 5.* branch (this is a feature,
> right?)

No idea. Unless it's clearly bad, I guess it's expected. Feel free to post some screenshots if you think it's important enough (probably shouldn't block security stabilization though).

> -) Printing with cups 1.3.* works more or less. Fat black boxes appear instead
> of drop-down lists on webpages, don't know if this is a cups issue though. I
> also don't want to migrate this stable box to 1.4 yet.

I have revbumped it for ~arch, and lowered the CUPS dependency for 6.0.472.53 that we're targeting for stable. Please take another look.

Acid3 passes perfectly for me. It might be an issue with gpu rendering, possibly worth a separate bug report (not blocking this one).
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2010-09-04 17:58:02 UTC
(In reply to comment #5)
> > -) Printing with cups 1.3.* works more or less. Fat black boxes appear instead
> > of drop-down lists on webpages, don't know if this is a cups issue though. I
> > also don't want to migrate this stable box to 1.4 yet.
> 
> I have revbumped it for ~arch, and lowered the CUPS dependency for 6.0.472.53
> that we're targeting for stable. Please take another look.

I tried another printer and on this one it did not print at all!! The printing dialog pops up, I press "print", the dialog is gone but there are no traces of printing jobs anywhere. Printer does nothing, cups shows no jobs.

> Acid3 passes perfectly for me. It might be an issue with gpu rendering,
> possibly worth a separate bug report (not blocking this one).

Also works now after a restart of chromium. Weird.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-04 17:59:35 UTC
(In reply to comment #6)
> I tried another printer and on this one it did not print at all!! The printing
> dialog pops up, I press "print", the dialog is gone but there are no traces of
> printing jobs anywhere. Printer does nothing, cups shows no jobs.

So it seems for those cases we'd need cups-1.4.
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2010-09-05 16:11:12 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > I tried another printer and on this one it did not print at all!! The printing
> > dialog pops up, I press "print", the dialog is gone but there are no traces of
> > printing jobs anywhere. Printer does nothing, cups shows no jobs.
> 
> So it seems for those cases we'd need cups-1.4.

I can confirm that printing works with cups-1.4 on that machine, however the black boxes remain.
Comment 9 Richard Freeman gentoo-dev 2010-09-06 01:10:46 UTC
What is the plan?  Fix cups issues?  Backport fixes to version that works with stable cups?  Try to get cups 1.4 stabilized?  Not sure what the arch teams should be doing at this point...
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-06 04:04:16 UTC
(In reply to comment #9)
> What is the plan?  Fix cups issues?  Backport fixes to version that works with
> stable cups?  Try to get cups 1.4 stabilized?  Not sure what the arch teams
> should be doing at this point...

I'd prefer to stabilize cups-1.4 if possible. Backporting fixes to 5.x series would be difficult, because some details are still not publicly disclosed.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-06 08:31:53 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > What is the plan?  Fix cups issues?  Backport fixes to version that works with
> > stable cups?  Try to get cups 1.4 stabilized?  Not sure what the arch teams
> > should be doing at this point...
> 
> I'd prefer to stabilize cups-1.4 if possible. Backporting fixes to 5.x series
> would be difficult, because some details are still not publicly disclosed.

The 1.4 series has worked fine for a long time here on two mostly stable computers; feedback over identi.ca was positive, too. So I think we can go for it and try to stabilise it... I hate those kinds of bugs.
Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-08 00:37:38 UTC
The target for stabilization is now 6.0.472.55.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-09 09:40:30 UTC
There is already a tracker for CUPS 1.4 stabilisation.  And there is a shit-load of work still to do.  Either someone steps up or we have to go with partly broken printing support in Chromium.
Comment 14 Richard Freeman gentoo-dev 2010-09-09 13:02:04 UTC
I don't think we can put a web-browser security bug on hold while waiting for an orderly CUPS 1.4 stabilization.  We could mask the stable versions of chromium so that at least users are made aware that they are using insecure software, or backport the fixes.  Or, we could mask until CUPS is ready to go.  Or, if "those in charge" agree we could rush in a semi-broken CUPS, but that would seem to me to be much bigger in impact (there are lots of web-browsers - there aren't so many options when your printer doesn't work).
Comment 15 Pacho Ramos gentoo-dev 2010-09-09 13:27:21 UTC
But it looks like most of the issues blocking cups-1.4 stabilization already have a patch or fix available that should be applied by the printing team, so I think it would be better to try to fix cups, stabilize it and then stabilize chromium.

Does printing team allow other people to work on blocking bugs? Maybe they are overloaded now :-/

Thanks
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-09 14:07:54 UTC
(In reply to comment #15)
> Does printing team allow other people to work on blocking bugs? Maybe they are
> overloaded now :-/

Because they lack man-power, we should just do it (TM). Unfortunately, I cannot add much here in the next days until Monday. Will prepare a news item tomorrow, we can discuss on the weekend and someone should clean out the remaining bugs, plus update the printing guide, then commit the news item and stabilisation on Monday at the latest.
Comment 17 Timo Gurr (RETIRED) gentoo-dev 2010-09-09 15:46:58 UTC
As stated on devml, I'll have added a new cups revision fixing some QA issues by then. However, I've no intention to add any 3rd party patches to CUPS which are not approved upstream. There'll be some fallout and/or upgrade hassle, but that's life. Tomorrow is my last day @paid work before my vacation, so I'll have some more time on the weekend and the coming days to discuss things. Thanks for all your help and work in advance, greatly appreciated!
Comment 18 Dmitri Pogosian 2010-09-15 16:50:08 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > > -) Printing with cups 1.3.* works more or less. Fat black boxes appear instead
> > > of drop-down lists on webpages, don't know if this is a cups issue though. I
> > > also don't want to migrate this stable box to 1.4 yet.
> > 
> > I have revbumped it for ~arch, and lowered the CUPS dependency for 6.0.472.53
> > that we're targeting for stable. Please take another look.
> 
> I tried another printer and on this one it did not print at all!! The printing
> dialog pops up, I press "print", the dialog is gone but there are no traces of
> printing jobs anywhere. Printer does nothing, cups shows no jobs.
> 
> > Acid3 passes perfectly for me. It might be an issue with gpu rendering,
> > possibly worth a separate bug report (not blocking this one).
> 
> Also works now after a restart of chromium. Weird.
> 

(In reply to comment #7)
> (In reply to comment #6)
> > I tried another printer and on this one it did not print at all!! The printing
> > dialog pops up, I press "print", the dialog is gone but there are no traces of
> > printing jobs anywhere. Printer does nothing, cups shows no jobs.
> 
> So it seems for those cases we'd need cups-1.4.
> 

cups-1.3 as shipped in stable has broken printing of PDF files for the last 1/2 year - see trivial bug http://bugs.gentoo.org/show_bug.cgi?id=309901

chromium generates PDFs as its output printing format, which then can't be printed by CUPS. Could it be that your other printer was able to process raw PDFs?
Comment 19 Thomas Kahle (RETIRED) gentoo-dev 2010-09-15 18:57:29 UTC
(In reply to comment #18)
> cups-1.3 as shipped in stable has broken printing of PDF files for the last 1/2
> year - see trivial bug http://bugs.gentoo.org/show_bug.cgi?id=309901

Hmm, that's another reason to get 1.4 stable. 

> chromium generates PDF's as its output printing format which then can't be
> printed by CUPS.   Could it be that your other printer was able to process raw
> PDF's ?

I don't know, and I also don't have access to that printer anymore, but now everything makes complete sense. The only question is: Did chromium-5 also print via pdf, i.e. would it be a regression to stable chromium-6?
Comment 20 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-16 17:03:08 UTC
Now the target for stabilization is www-client/chromium-6.0.472.59, target keywords: "amd64 ~arm x86". This version does not require more recent CUPS. There are bugs in both configurations, but we shouldn't wait more with a browser security update.

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
[$500] [50250] High Use-after-free when using document APIs during parse. Credit to David Weston of Microsoft + Microsoft Vulnerability Research (MSVR) and wushi of team 509 (independent discoveries).
[$1000] [50712] High Use-after-free in SVG styles. Credit to kuzzcc.
[$500] [51252] High Use-after-free with nested SVG elements. Credit to kuzzcc.
[Linux only] [51709] Low Possible browser assert in cursor handling. Credit to “magnusmorton”.
[$500] [51919] High Race condition in console handling. Credit to kuzzcc.
[53176] Low Unlikely browser crash in pop-up blocking. Credit to kuzzcc.
[$500 x 2] [Mac only] [53361] Critical Fix bug 45400 properly on the Mac. Credit to Sergey Glazunov and “remy.saissy”.
[$500] [53394] High Memory corruption in Geolocation. Credit to kuzzcc.
[Linux only] [53930] High Memory corruption in Khmer handling. Credit to Google Chrome Security Team (Chris Evans).
[54006] Low Failure to prompt for extension history access. Credit to “adriennefelt”.
Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-17 10:09:12 UTC
x86 stable
Comment 22 Markos Chandras (RETIRED) gentoo-dev 2010-09-18 09:55:41 UTC
amd64 done
Comment 23 Dmitri Pogosian 2010-09-20 06:43:47 UTC
(In reply to comment #19)
> The only question is: Did chromium-5 also
> print via pdf, i.e. would it be a regression to stable chromium-6?
> 

It did, so no regression here 
Comment 24 Tim Sammut (RETIRED) gentoo-dev 2010-10-02 15:28:12 UTC
GLSA with bug 326717.
Comment 25 Tobias Heinlein (RETIRED) gentoo-dev 2010-12-18 00:06:46 UTC
GLSA 201012-01, thanks everyone.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2012-09-10 23:57:10 UTC
CVE-2010-3417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3417):
  Google Chrome before 6.0.472.59 does not prompt the user before granting
  access to the extension history, which allows attackers to obtain
  potentially sensitive information via unspecified vectors.

CVE-2010-3416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3416):
  Google Chrome before 6.0.472.59 on Linux does not properly implement the
  Khmer locale, which allows remote attackers to cause a denial of service
  (memory corruption) or possibly have unspecified other impact via unknown
  vectors.

CVE-2010-3415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3415):
  Google Chrome before 6.0.472.59 does not properly implement Geolocation,
  which allows remote attackers to cause a denial of service (memory
  corruption) or possibly have unspecified other impact via unknown vectors.

CVE-2010-3413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3413):
  Unspecified vulnerability in the pop-up blocking functionality in Google
  Chrome before 6.0.472.59 allows remote attackers to cause a denial of
  service (application crash) via unknown vectors.

CVE-2010-3412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3412):
  Race condition in the console implementation in Google Chrome before
  6.0.472.59 has unspecified impact and attack vectors.

CVE-2010-3411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3411):
  Google Chrome before 6.0.472.59 on Linux does not properly handle cursors,
  which might allow attackers to cause a denial of service (assertion failure)
  via unspecified vectors.

CVE-2010-3258 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3258):
  The sandbox implementation in Google Chrome before 6.0.472.53 does not
  properly deserialize parameters, which has unspecified impact and remote
  attack vectors.

CVE-2010-3256 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3256):
  Google Chrome before 6.0.472.53 does not properly limit the number of stored
  autocomplete entries, which has unspecified impact and attack vectors.

CVE-2010-3254 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3254):
  The WebSockets implementation in Google Chrome before 6.0.472.53 does not
  properly handle integer values, which allows remote attackers to cause a
  denial of service or possibly have unspecified other impact via unknown
  vectors.

CVE-2010-3253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3253):
  The implementation of notification permissions in Google Chrome before
  6.0.472.53 allows attackers to cause a denial of service (memory corruption)
  or possibly have unspecified other impact via unknown vectors.

CVE-2010-3252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3252):
  Use-after-free vulnerability in the Notifications presenter in Google Chrome
  before 6.0.472.53 allows attackers to cause a denial of service or possibly
  have unspecified other impact via unknown vectors.

CVE-2010-3251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3251):
  The WebSockets implementation in Google Chrome before 6.0.472.53 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  application crash) via unspecified vectors.

CVE-2010-3250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3250):
  Unspecified vulnerability in Google Chrome before 6.0.472.53 allows remote
  attackers to enumerate the set of installed extensions via unknown vectors.

CVE-2010-3249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3249):
  Google Chrome before 6.0.472.53 does not properly implement SVG filters,
  which allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via unknown vectors, related to a "stale pointer"
  issue.

CVE-2010-3248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3248):
  Google Chrome before 6.0.472.53 does not properly restrict copying to the
  clipboard, which has unspecified impact and attack vectors.

CVE-2010-3247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3247):
  Google Chrome before 6.0.472.53 does not properly restrict the characters in
  URLs, which allows remote attackers to spoof the appearance of the URL bar
  via homographic sequences.

CVE-2010-3246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3246):
  Google Chrome before 6.0.472.53 does not properly handle the _blank value
  for the target attribute of unspecified elements, which allows remote
  attackers to bypass the pop-up blocker via unknown vectors.

CVE-2010-3111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3111):
  Google Chrome before 6.0.472.53 does not properly mitigate an unspecified
  flaw in the Windows kernel, which has unknown impact and attack vectors, a
  different vulnerability than CVE-2010-2897.
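The NVD entries above carry two different fix thresholds: most issues are fixed in 6.0.472.53, while the batch from comment 20 is only fixed in 6.0.472.59, so a system stabilised on .53 is still exposed to the later CVEs. What follows is an added example, not part of this bug or of any Gentoo or NVD tool: it parses descriptions in the format quoted above, extracts the "before X" version, and reports which CVEs still apply to a given installed version. The embedded text is a subset of the entries quoted in comment 26, the platform filter keys on the "on Linux" and "Windows" wording in those descriptions, and the input version 6.0.472.0 is a constructed example.

```python
"""Which CVEs from this bug still apply to an installed chromium version?

Added example. NVD_TEXT is an excerpt of the descriptions quoted in
comment 26 of the bug; the parsing and version logic is this example's
own and mirrors no Gentoo or NVD tool.
"""
import re

NVD_TEXT = """
CVE-2010-3417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3417):
  Google Chrome before 6.0.472.59 does not prompt the user before granting
  access to the extension history, which allows attackers to obtain
  potentially sensitive information via unspecified vectors.

CVE-2010-3416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3416):
  Google Chrome before 6.0.472.59 on Linux does not properly implement the
  Khmer locale, which allows remote attackers to cause a denial of service
  (memory corruption) or possibly have unspecified other impact via unknown
  vectors.

CVE-2010-3258 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3258):
  The sandbox implementation in Google Chrome before 6.0.472.53 does not
  properly deserialize parameters, which has unspecified impact and remote
  attack vectors.

CVE-2010-3111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3111):
  Google Chrome before 6.0.472.53 does not properly mitigate an unspecified
  flaw in the Windows kernel, which has unknown impact and attack vectors, a
  different vulnerability than CVE-2010-2897.
"""

# One entry: a "CVE-YYYY-NNNN (url):" header line, then an indented
# description running up to the next header or the end of the text.
ENTRY_RE = re.compile(
    r"^(CVE-\d{4}-\d+) \([^)]*\):[ \t]*\n(.*?)(?=^CVE-\d{4}-\d+ \(|\Z)",
    re.MULTILINE | re.DOTALL,
)
FIXED_IN_RE = re.compile(r"\bbefore (\d+(?:\.\d+)+)\b")


def parse_version(text: str) -> tuple:
    """'6.0.472.53' -> (6, 0, 472, 53); tuples compare componentwise."""
    return tuple(int(part) for part in text.split("."))


def parse_entries(text: str) -> dict:
    """Map CVE id -> {fixed_in, platform, description}."""
    entries = {}
    for match in ENTRY_RE.finditer(text):
        cve, body = match.group(1), " ".join(match.group(2).split())
        fixed = FIXED_IN_RE.search(body)
        # Platform is inferred from the NVD wording (assumption of this example).
        if " on Linux " in body:
            platform = "linux"
        elif "Windows" in body:
            platform = "windows"
        else:
            platform = "all"
        entries[cve] = {
            "fixed_in": fixed.group(1) if fixed else None,
            "platform": platform,
            "description": body,
        }
    return entries


def affected_cves(installed: str, entries: dict, platform: str = "linux") -> list:
    """CVEs whose fixed-in version is newer than the installed version."""
    have = parse_version(installed)
    hits = []
    for cve, entry in entries.items():
        if entry["fixed_in"] is None:
            continue  # no version threshold in the text; cannot decide
        if entry["platform"] not in ("all", platform):
            continue
        if have < parse_version(entry["fixed_in"]):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    entries = parse_entries(NVD_TEXT)
    for version in ("6.0.472.0", "6.0.472.53", "6.0.472.59"):
        print(version, "->", affected_cves(version, entries) or "not affected")
```

The component-wise tuple comparison is enough for plain dotted Chromium versions; Gentoo package versions with suffixes such as -r1 or _p would need the PMS version rules instead, which this example does not implement.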