Bug 433551

Summary: <www-client/chromium-21.0.1180.89 multiple vulnerabilities (CVE-2012-{2865,2866,2867,2868,2869,2872})
Product: Gentoo Security
Reporter: Mike Gilbert <floppym>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ago, chromium
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Hardware: All
OS: Linux
URL: http://googlechromereleases.blogspot.com/2012/08/stable-channel-update_30.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Mike Gilbert gentoo-dev 2012-08-31 16:17:20 UTC
See URL.

Comment 1 Mike Gilbert gentoo-dev 2012-09-01 02:00:26 UTC
Please stabilize:

=dev-lang/v8-3.11.10.20
=www-client/chromium-21.0.1180.89

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-01 07:07:54 UTC
CVE-2012-{2870,2871} are bugs in system libxslt, handled in bug #433603

Comment 3 Agostino Sarubbo gentoo-dev 2012-09-01 14:39:44 UTC
amd64 stable

Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-06 13:07:34 UTC
x86 stable since 2 Sep, GLSA draft ready.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:39:17 UTC
CVE-2012-2872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2872):
  Cross-site scripting (XSS) vulnerability in an SSL interstitial page in
  Google Chrome before 21.0.1180.89 allows remote attackers to inject
  arbitrary web script or HTML via unspecified vectors.

CVE-2012-2869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2869):
  Google Chrome before 21.0.1180.89 does not properly load URLs, which allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors that trigger a "stale buffer."

CVE-2012-2868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2868):
  Race condition in Google Chrome before 21.0.1180.89 allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors involving improper interaction between worker processes and an
  XMLHttpRequest (aka XHR) object.

CVE-2012-2867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2867):
  The SPDY implementation in Google Chrome before 21.0.1180.89 allows remote
  attackers to cause a denial of service (application crash) via unspecified
  vectors.

CVE-2012-2866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2866):
  Google Chrome before 21.0.1180.89 does not properly perform a cast of an
  unspecified variable during handling of run-in elements, which allows remote
  attackers to cause a denial of service or possibly have unknown other impact
  via a crafted document.

CVE-2012-2865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2865):
  Google Chrome before 21.0.1180.89 does not properly perform line breaking,
  which allows remote attackers to cause a denial of service (out-of-bounds
  read) via a crafted document.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-10-21 15:43:31 UTC
This issue was resolved and addressed in
 GLSA 201210-07 at http://security.gentoo.org/glsa/glsa-201210-07.xml
by GLSA coordinator Sean Amoss (ackle).