Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 504328 - <www-client/chromium-33.0.1750.149 : Multiple Vulnerabilities (CVE-2014-{1700,1701,1702,1703,1704})
Summary: <www-client/chromium-33.0.1750.149 : Multiple Vulnerabilities (CVE-2014-{1700...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57164/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-12 15:59 UTC by Agostino Sarubbo
Modified: 2014-09-02 07:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-12 15:59:31 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Google Chrome, where multiple have an unknown impact and the others can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and 
compromise a user's system.

1) A use-after-free error exists within speech.

2) An unspecified error within events can be exploited to conduct cross-site scripting attacks.

3) A use-after-free error exists within web database.

4) A use-after-free error exists within web sockets.

5) Multiple unspecified errors exist within v8.

6) The application bundles a vulnerable version of Adobe Flash Player.

For more information:
SA57271

Successful exploitation of the vulnerabilities #1 and #3 through #5 may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 33.0.1750.149.


Solution:
Update to version 33.0.1750.149.

Provided and/or discovered by:
4, 5) Reported by the vendor.

The vendor credits:
1) Chamal de Silva.
2) aidanhs.
3) Collin Payne.

Original Advisory:
http://googlechromereleases.blogspot.dk/2014/03/stable-channel-update_11.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2014-03-12 18:33:06 UTC
Please go ahead and stabilize.

=www-client/chromium-33.0.1750.149
Comment 2 Richard Freeman gentoo-dev 2014-03-12 22:24:06 UTC
amd64 stable

You might want to CC x86
Comment 3 Hanno Böck gentoo-dev 2014-03-13 09:31:50 UTC
34.x and 35.x are probably also affected (?). Upstream release notes don't tell and bugs are not public yet.
Comment 4 Mike Gilbert gentoo-dev 2014-03-13 15:34:12 UTC
(In reply to Hanno Boeck from comment #3)

Google never discloses that information for the beta and dev channel releases, and we have never worried about warning ~arch users about it.
Comment 5 Hanno Böck gentoo-dev 2014-03-13 17:16:57 UTC
@Mike Gilbert: Probably bumping to the latest 34.x/35.x versions will do.
Comment 6 Mike Gilbert gentoo-dev 2014-03-13 17:34:59 UTC
(In reply to Hanno Boeck from comment #5)

Right, we do that anyway, regardless of security bugs.
Comment 7 Mike Gilbert gentoo-dev 2014-03-17 15:58:31 UTC
x86: We can skip this in favor of bug 504890.
Comment 8 Sergey Popov gentoo-dev 2014-03-21 08:47:23 UTC
Added to existing GLSA draft
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:36:18 UTC
CVE-2014-1704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1704):
  Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18, as used
  in Google Chrome before 33.0.1750.149, allow attackers to cause a denial of
  service or possibly have other impact via unknown vectors.

CVE-2014-1703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1703):
  Use-after-free vulnerability in the WebSocketDispatcherHost::SendOrDrop
  function in content/browser/renderer_host/websocket_dispatcher_host.cc in
  the Web Sockets implementation in Google Chrome before 33.0.1750.149 might
  allow remote attackers to bypass the sandbox protection mechanism by
  leveraging an incorrect deletion in a certain failure case.

CVE-2014-1702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1702):
  Use-after-free vulnerability in the DatabaseThread::cleanupDatabaseThread
  function in modules/webdatabase/DatabaseThread.cpp in the web database
  implementation in Blink, as used in Google Chrome before 33.0.1750.149,
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact by leveraging improper handling of scheduled tasks
  during shutdown of a thread.

CVE-2014-1701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1701):
  The GenerateFunction function in bindings/scripts/code_generator_v8.pm in
  Blink, as used in Google Chrome before 33.0.1750.149, does not implement a
  certain cross-origin restriction for the EventTarget::dispatchEvent
  function, which allows remote attackers to conduct Universal XSS (UXSS)
  attacks via vectors involving events.

CVE-2014-1700 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1700):
  Use-after-free vulnerability in modules/speech/SpeechSynthesis.cpp in Blink,
  as used in Google Chrome before 33.0.1750.149, allows remote attackers to
  cause a denial of service or possibly have unspecified other impact by
  leveraging improper handling of a certain utterance data structure.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-08-30 00:47:06 UTC
This issue was resolved and addressed in
 GLSA 201408-16 at http://security.gentoo.org/glsa/glsa-201408-16.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-09-02 07:58:11 UTC
This issue was resolved and addressed in
 GLSA 201408-16 at http://security.gentoo.org/glsa/glsa-201408-16.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).