Bug 353626 - <www-client/chromium-9.0.597.84: multiple vulnerabilities (CVE-2011-{0777,0778,0779,0781,0783,0784})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: B2 [glsa]
Keywords:
Depends on: 353633 353642
Blocks:
Reported: 2011-02-03 17:23 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-09-11 00:21 UTC
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-03 17:23:39 UTC
Release notes: http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html

At this moment we have no CVE numbers for the vulnerabilities described here.

Synopsis:

Multiple vulnerabilities have been reported in Chromium, some of which may
allow user-assisted execution of arbitrary code.

Impact:

A remote attacker could trick a user into performing a set of UI actions or installing
a malicious extension that trigger a crash, leading to Denial of Service.

It was also possible for an attacker to entice a user to visit a
specially-crafted web page that would trigger one of the vulnerabilities,
leading to execution of arbitrary code, Denial of Service, and violation of same-origin policy.

Arches, please apply the following for =www-client/chromium-9.0.597.84:

KEYWORDS="amd64 ~arm x86"

You'll probably need to stabilize chromium-tools. Please use chromium-tools-0.1.6 then.

I will update chromium-bin soon; we're not going to stabilize it (fully ~arch).
Comment 1 Agostino Sarubbo gentoo-dev 2011-02-03 19:30:32 UTC
also pulled in:

=dev-util/chromium-tools-0.1.5

and

=dev-python/pysvn-1.7.4

@chromium: we proceed, right?

@python: do you have a problem stabilizing this package?
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-03 19:46:28 UTC
(In reply to comment #1)
> also pulled in:
> =dev-util/chromium-tools-0.1.5

Please use chromium-tools-0.1.6 as indicated in the initial report.
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-02-03 20:08:31 UTC
(In reply to comment #1)
> =dev-python/pysvn-1.7.4
> 
> @python: do you have a problem stabilizing this package?

Please request stabilization in a separate bug.
Comment 4 Agostino Sarubbo gentoo-dev 2011-02-03 23:27:57 UTC
amd64 ok
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-04 14:48:57 UTC
I've bumped chromium-bin, now we only need to stabilize/keyword chromium.
Comment 6 Agostino Sarubbo gentoo-dev 2011-02-04 16:48:55 UTC
ok also on my x86 hardened
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-05 11:29:53 UTC
stable x86/amd64, thanks Ago, with ok from hwoarang for amd64
Comment 8 Markus Meier gentoo-dev 2011-02-05 22:55:34 UTC
  05 Feb 2011; Markus Meier <maekke@gentoo.org> chromium-9.0.597.84.ebuild:
  add ~arm, bug #350648
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-02-06 01:07:38 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-11-01 10:01:35 UTC
This issue was resolved and addressed in
 GLSA 201111-01 at http://security.gentoo.org/glsa/glsa-201111-01.xml
by GLSA coordinator Alex Legler (a3li).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-11-01 10:02:36 UTC
This issue was resolved and addressed in
 GLSA 201111-01 at http://security.gentoo.org/glsa/glsa-201111-01.xml
by GLSA coordinator Alex Legler (a3li).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 00:21:01 UTC
CVE-2011-0784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0784):
  Race condition in Google Chrome before 9.0.597.84 allows remote attackers to
  execute arbitrary code via vectors related to audio.

CVE-2011-0783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0783):
  Unspecified vulnerability in Google Chrome before 9.0.597.84 allows
  user-assisted remote attackers to cause a denial of service (application
  crash) via vectors involving a "bad volume setting."

CVE-2011-0781 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0781):
  Google Chrome before 9.0.597.84 does not properly handle autofill profile
  merging, which has unspecified impact and remote attack vectors.

CVE-2011-0779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0779):
  Google Chrome before 9.0.597.84 does not properly handle a missing key in an
  extension, which allows remote attackers to cause a denial of service
  (application crash) via a crafted extension.

CVE-2011-0778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0778):
  Google Chrome before 9.0.597.84 does not properly restrict drag and drop
  operations, which might allow remote attackers to bypass the Same Origin
  Policy via unspecified vectors.

CVE-2011-0777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0777):
  Use-after-free vulnerability in Google Chrome before 9.0.597.84 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to image loading.