Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 522484 (CVE-2014-3178) - <www-client/chromium-37.0.2062.120: Multiple vulnerabilities (CVE-2014-{3178,3179})
Summary: <www-client/chromium-37.0.2062.120: Multiple vulnerabilities (CVE-2014-{3178,...
Status: RESOLVED FIXED
Alias: CVE-2014-3178
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-10 07:22 UTC by Agostino Sarubbo
Modified: 2014-09-19 19:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-09-10 07:22:19 UTC
From ${URL} :


TUESDAY, SEPTEMBER 9, 2014

Stable Channel Update
The stable channel has been updated to 37.0.2062.120 for Windows, Mac and Linux.

This release contains an update for Adobe Flash as well as a number of other fixes.  A full list of changes is available in the log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 4 security fixes. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.

[$2000][401362] High CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz.

As usual, our ongoing internal security work responsible for a wide range of fixes:
[411014] CVE-2014-3179: Various fixes from internal audits, fuzzing and other initiatives.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2014-09-10 20:22:37 UTC
www-client/chromium-37.0.2062.120 is in the tree. It compiles, but I have not been able to do runtime testing.

Nonetheless, I assume it is safe to stabilize on amd64 and x86. Please proceed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-09-10 20:41:38 UTC
CVE-2014-3179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3179):
  Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062.120
  allow attackers to cause a denial of service or possibly have other impact
  via unknown vectors.

CVE-2014-3178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3178):
  Use-after-free vulnerability in core/dom/Node.cpp in Blink, as used in
  Google Chrome before 37.0.2062.120, allows remote attackers to cause a
  denial of service or possibly have unspecified other impact by leveraging
  improper handling of render-tree inconsistencies.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 20:52:28 UTC
Arches, please test and mark stable:

=www-client/chromium-37.0.2062.120

Target Keywords : "amd64 x86"

Thank you!
Comment 4 Richard Freeman gentoo-dev 2014-09-10 22:52:54 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-11 15:54:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-11 17:05:49 UTC
New GLSA request filed.
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-14 07:33:21 UTC
cleanup done.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-09-19 19:07:55 UTC
This issue was resolved and addressed in
 GLSA 201409-06 at http://security.gentoo.org/glsa/glsa-201409-06.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).