Bug 414199 - <www-client/chromium-18.0.1025.168: multiple vulnerabilities (CVE-2011-{3078,3081},CVE-2012-1521)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Reported: 2012-05-01 03:35 UTC by Mike Gilbert
Modified: 2012-05-15 07:13 UTC
Description Mike Gilbert gentoo-dev 2012-05-01 03:35:51 UTC
Release notes in URL.
Comment 1 Mike Gilbert gentoo-dev 2012-05-01 03:37:52 UTC
Please stabilize for amd64 and x86.
Comment 2 Mike Gilbert gentoo-dev 2012-05-01 03:39:08 UTC
Sorry, target is:

=www-client/chromium-18.0.1025.168

The release notes do not mention V8, so no security bump there.
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-01 09:38:53 UTC
amd64 stable
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-05-01 19:44:52 UTC
CVE-2012-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1521):
  Use-after-free vulnerability in the XML parser in Google Chrome before
  18.0.1025.168 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors.

CVE-2011-3081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3081):
  Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the floating of elements, a different
  vulnerability than CVE-2011-3078.

CVE-2011-3080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3080):
  Race condition in the Inter-process Communication (IPC) implementation in
  Google Chrome before 18.0.1025.168 allows attackers to bypass intended
  sandbox restrictions via unspecified vectors.

CVE-2011-3079 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3079):
  The Inter-process Communication (IPC) implementation in Google Chrome before
  18.0.1025.168 does not properly validate messages, which has unspecified
  impact and attack vectors.

CVE-2011-3078 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3078):
  Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the floating of elements, a different
  vulnerability than CVE-2011-3081.
Comment 5 Agostino Sarubbo gentoo-dev 2012-05-02 08:06:27 UTC
x86 stable.

Pawel, go ahead with the advisory.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-02 15:54:38 UTC
Removed Windows-specific vulnerabilities that do not affect Gentoo.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-02 16:02:06 UTC
(In reply to comment #5)
> Pawel, go ahead with the advisory.

GLSA draft ready, please review.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-05-15 07:13:02 UTC
This issue was resolved and addressed in
 GLSA 201205-01 at http://security.gentoo.org/glsa/glsa-201205-01.xml
by GLSA coordinator Tim Sammut (underling).