
Bug 451334

Summary: <www-client/chromium-24.0.1313.52, <dev-lang/v8-3.14.5.3 multiple vulnerabilities (CVE-2012-{5145,5146,5147,5148,5149,5150,5152,5153,5154},CVE-2013-{0828,0829,0830,0831,0832,0833,0834,0835,0836,0837,0838})
Product: Gentoo Security
Reporter: Mike Gilbert <floppym>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: chromium
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://googlechromereleases.blogspot.com/2013/01/stable-channel-update.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Mike Gilbert gentoo-dev 2013-01-11 02:07:55 UTC
Release notes in URL.
Comment 1 Mike Gilbert gentoo-dev 2013-01-11 02:12:38 UTC
Please stabilize:

=dev-lang/v8-3.14.5.3
=www-client/chromium-24.0.1313.52
Comment 2 Mike Gilbert gentoo-dev 2013-01-11 02:16:06 UTC
Removed CVE numbers pertaining to PDF support.
Comment 3 Agostino Sarubbo gentoo-dev 2013-01-11 10:05:51 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-01-11 10:06:09 UTC
x86 stable
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 21:09:19 UTC
Added to existing GLSA draft.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-01-18 20:30:02 UTC
CVE-2013-0838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0838):
  Google Chrome before 24.0.1312.52 on Linux uses weak permissions for shared
  memory segments, which has unspecified impact and attack vectors.

CVE-2013-0837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0837):
  Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial
  of service or possibly have unspecified other impact via vectors related to
  the handling of extension tabs.

CVE-2013-0836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0836):
  Google V8 before 3.14.5.3, as used in Google Chrome before 24.0.1312.52,
  does not properly implement garbage collection, which allows remote
  attackers to cause a denial of service (application crash) or possibly have
  unspecified other impact via crafted JavaScript code.

CVE-2013-0835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0835):
  Unspecified vulnerability in the Geolocation implementation in Google Chrome
  before 24.0.1312.52 allows remote attackers to cause a denial of service
  (application crash) via unknown vectors.

CVE-2013-0834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0834):
  Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial
  of service (out-of-bounds read) via vectors involving glyphs.

CVE-2013-0833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0833):
  Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial
  of service (out-of-bounds read) via vectors related to printing.

CVE-2013-0832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0832):
  Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to printing.

CVE-2013-0831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0831):
  Directory traversal vulnerability in Google Chrome before 24.0.1312.52
  allows remote attackers to have an unspecified impact by leveraging access
  to an extension process.

CVE-2013-0829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0829):
  Google Chrome before 24.0.1312.52 does not properly maintain database
  metadata, which allows remote attackers to bypass intended file-access
  restrictions via unspecified vectors.

CVE-2012-5153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5153):
  Google V8 before 3.14.5.3, as used in Google Chrome before 24.0.1312.52,
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via crafted JavaScript code that triggers an
  out-of-bounds access to stack memory.

CVE-2012-5152 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5152):
  Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial
  of service (out-of-bounds read) via vectors involving seek operations on
  video data.

CVE-2012-5150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5150):
  Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving seek operations on video data.

CVE-2012-5149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5149):
  Integer overflow in the audio IPC layer in Google Chrome before 24.0.1312.52
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via unknown vectors.

CVE-2012-5148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5148):
  The hyphenation functionality in Google Chrome before 24.0.1312.52 does not
  properly validate file names, which has unspecified impact and attack
  vectors.

CVE-2012-5147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5147):
  Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to DOM handling.

CVE-2012-5146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5146):
  Google Chrome before 24.0.1312.52 allows remote attackers to bypass the Same
  Origin Policy via a malformed URL.

CVE-2012-5145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5145):
  Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to SVG layout.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 00:10:34 UTC
This issue was resolved and addressed in
 GLSA 201309-16 at http://security.gentoo.org/glsa/glsa-201309-16.xml
by GLSA coordinator Sean Amoss (ackle).