Bug 524764 (CVE-2014-3188) - <www-client/chromium-38.0.2125.101: multiple vulnerabilities (CVE-2014-{3188,3189,3190,3191,3192,3193,3194,3195,3196,3197,3198,3199,3200})
Summary: <www-client/chromium-38.0.2125.101: multiple vulnerabilities (CVE-2014-{3188,...
Status: RESOLVED FIXED
Alias: CVE-2014-3188
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-08 13:10 UTC by Agostino Sarubbo
Modified: 2014-12-13 16:46 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-10-08 13:10:37 UTC
From ${URL} :

The Chrome team is delighted to announce the promotion of Chrome 38 to the stable channel for Windows, Mac and Linux. Chrome 38.0.2125.101 contains a number of fixes and improvements, including:

- A number of new apps/extension APIs
- Lots of under the hood changes for stability and performance

A full list of changes is available in the log.

Security Fixes and Rewards 

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed. 

This update includes 159 security fixes, including 113 relatively minor fixes found using MemorySanitizer. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.

[$27633.70][416449] Critical CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox. 
[$3000][398384] High CVE-2014-3189: Out-of-bounds read in PDFium. Credit to cloudfuzzer. 
[$3000][400476] High CVE-2014-3190: Use-after-free in Events. Credit to cloudfuzzer. 
[$3000][402407] High CVE-2014-3191: Use-after-free in Rendering. Credit to cloudfuzzer. 
[$2000][403276] High CVE-2014-3192: Use-after-free in DOM. Credit to cloudfuzzer. 
[$1500][399655] High CVE-2014-3193: Type confusion in Session Management. Credit to miaubiz. 
[$1500][401115] High CVE-2014-3194: Use-after-free in Web Workers. Credit to Collin Payne. 
[$4500][403409] Medium CVE-2014-3195: Information Leak in V8. Credit to Jüri Aedla. 
[$3000][338538] Medium CVE-2014-3196: Permissions bypass in Windows Sandbox. Credit to James Forshaw. 
[$1500][396544] Medium CVE-2014-3197: Information Leak in XSS Auditor. Credit to Takeshi Terada. 
[$1500][415307] Medium CVE-2014-3198: Out-of-bounds read in PDFium. Credit to Atte Kettunen of OUSPG. 
[$500][395411] Low CVE-2014-3199: Release Assert in V8 bindings. Credit to Collin Payne. 

We would also like to thank Atte Kettunen of OUSPG and Collin Payne for working with us during the development cycle to prevent security bugs from ever reaching the stable channel. $23,000 in additional rewards were issued. 

As usual, our ongoing internal security work was responsible for a wide range of fixes:
[420899] CVE-2014-3200: Various fixes from internal audits, fuzzing and other initiatives (Chrome 38). 
Multiple vulnerabilities in V8 fixed at the tip of the 3.28 branch (currently 3.28.71.15).

Some of the above bugs were also detected using AddressSanitizer.



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2014-10-08 16:01:33 UTC
I see a couple of possible blockers:

Bug 518668 is a build failure with gcc-4.7 (latest stable).

Bug 523744 is a build failure on x86.

I am not sure if either bug occurs in the latest version on the chromium-38 branch. If you run into them, please add the appropriate dependencies here.

Otherwise, let's proceed with stabilization on amd64 and x86.

=www-client/chromium-38.0.2125.101
Comment 2 Richard Freeman gentoo-dev 2014-10-08 16:43:17 UTC
amd64 stable - no build issues on gcc-4.7.3
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-09 13:25:13 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-09 13:26:32 UTC
cleanup done.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 04:32:51 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-10-15 04:37:02 UTC
CVE-2014-3200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3200):
  Multiple unspecified vulnerabilities in Google Chrome before 38.0.2125.101
  allow attackers to cause a denial of service or possibly have other impact
  via unknown vectors.

CVE-2014-3199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3199):
  The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the V8
  bindings in Blink, as used in Google Chrome before 38.0.2125.101, has an
  erroneous fallback outcome for wrapper-selection failures, which allows
  remote attackers to cause a denial of service via vectors that trigger
  stopping a worker process that had been handling an Event object.

CVE-2014-3198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3198):
  The Instance::HandleInputEvent function in pdf/instance.cc in the PDFium
  component in Google Chrome before 38.0.2125.101 interprets a certain -1
  value as an index instead of a no-visible-page error code, which allows
  remote attackers to cause a denial of service (out-of-bounds read) via
  unspecified vectors.

CVE-2014-3197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3197):
  The NavigationScheduler::schedulePageBlock function in
  core/loader/NavigationScheduler.cpp in Blink, as used in Google Chrome
  before 38.0.2125.101, does not properly provide substitute data for pages
  blocked by the XSS auditor, which allows remote attackers to obtain
  sensitive information via a crafted web site.

CVE-2014-3196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3196):
  base/memory/shared_memory_win.cc in Google Chrome before 38.0.2125.101 on
  Windows does not properly implement read-only restrictions on shared memory,
  which allows attackers to bypass a sandbox protection mechanism via
  unspecified vectors.

CVE-2014-3195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3195):
  Google V8, as used in Google Chrome before 38.0.2125.101, does not properly
  track JavaScript heap-memory allocations as allocations of uninitialized
  memory and does not properly concatenate arrays of double-precision
  floating-point numbers, which allows remote attackers to obtain sensitive
  information via crafted JavaScript code, related to the
  PagedSpace::AllocateRaw and NewSpace::AllocateRaw functions in
  heap/spaces-inl.h, the LargeObjectSpace::AllocateRaw function in
  heap/spaces.cc, and the Runtime_ArrayConcat function in runtime.cc.

CVE-2014-3194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3194):
  Use-after-free vulnerability in the Web Workers implementation in Google
  Chrome before 38.0.2125.101 allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via unknown vectors.

CVE-2014-3193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3193):
  The SessionService::GetLastSession function in
  browser/sessions/session_service.cc in Google Chrome before 38.0.2125.101
  allows remote attackers to cause a denial of service (use-after-free) or
  possibly have unspecified other impact via vectors that leverage "type
  confusion" for callback processing.

CVE-2014-3192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3192):
  Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet
  function in core/dom/ProcessingInstruction.cpp in the DOM implementation in
  Blink, as used in Google Chrome before 38.0.2125.101, allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via unknown vectors.

CVE-2014-3191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3191):
  Use-after-free vulnerability in Blink, as used in Google Chrome before
  38.0.2125.101, allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via crafted JavaScript code that
  triggers a widget-position update that improperly interacts with the render
  tree, related to the FrameView::updateLayoutAndStyleForPainting function in
  core/frame/FrameView.cpp and the RenderLayerScrollableArea::setScrollOffset
  function in core/rendering/RenderLayerScrollableArea.cpp.

CVE-2014-3190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3190):
  Use-after-free vulnerability in the Event::currentTarget function in
  core/events/Event.cpp in Blink, as used in Google Chrome before
  38.0.2125.101, allows remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact via crafted
  JavaScript code that accesses the path property of an Event object.

CVE-2014-3189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3189):
  The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the PDFium
  component in Google Chrome before 38.0.2125.101 does not properly validate
  image-data dimensions, which allows remote attackers to cause a denial of
  service (out-of-bounds read) or possibly have unspecified other impact via
  unknown vectors.

CVE-2014-3188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3188):
  Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not
  properly handle the interaction of IPC and Google V8, which allows remote
  attackers to execute arbitrary code via vectors involving JSON data, related
  to improper parsing of an escaped index by ParseJsonObject in json-parser.h.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 16:46:29 UTC
This issue was resolved and addressed in
 GLSA 201412-13 at http://security.gentoo.org/glsa/glsa-201412-13.xml
by GLSA coordinator Sean Amoss (ackle).