
Bug 521276 (CVE-2014-3168)

Summary: <www-client/chromium-37.0.2062.94: Multiple Vulnerabilities (CVE-2014-{3168,3169,3170,3171,3172,3173,3174,3175,3176,3177})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: chromium
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://googlechromereleases.blogspot.fr/2014/08/stable-channel-update_26.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-08-27 09:23:08 UTC
From ${URL} :

The Chrome team is delighted to announce the promotion of Chrome 37 to the stable channel for Windows, Mac and Linux. Chrome 37.0.2062.94 contains a number of fixes and improvements, including:

 - DirectWrite support on Windows for improved font rendering
 - A number of new apps/extension APIs
 - Lots of under the hood changes for stability and performance

A full list of changes is available in the log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 50 security fixes. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information.

[$30000][386988] Critical CVE-2014-3176, CVE-2014-3177: A special reward to lokihardt@asrt for a combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox.
[$2000][369860] High CVE-2014-3168: Use-after-free in SVG. Credit to cloudfuzzer.
[$2000][387389] High CVE-2014-3169: Use-after-free in DOM. Credit to Andrzej Dyjak.
[$1000][390624] High CVE-2014-3170: Extension permission dialog spoofing. Credit to Rob Wu.
[$4000][390928] High CVE-2014-3171: Use-after-free in bindings. Credit to cloudfuzzer.
[$1500][367567] Medium CVE-2014-3172: Issue related to extension debugging. Credit to Eli Grey.
[$2000][376951] Medium CVE-2014-3173: Uninitialized memory read in WebGL. Credit to jmuizelaar.
[$500][389219] Medium CVE-2014-3174: Uninitialized memory read in Web Audio. Credit to Atte Kettunen from OUSPG.

We would also like to thank Collin Payne, Christoph Diehl, Sebastian Mauer, Atte Kettunen, and cloudfuzzer for working with us during the development cycle to prevent security bugs from ever reaching the stable channel. $8000 in additional rewards were issued.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
[406143] CVE-2014-3175: Various fixes from internal audits, fuzzing and other initiatives (Chrome 37).

Many of the above bugs were detected using AddressSanitizer.

Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Alex Mineer
Google Chrome


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-08-27 12:07:14 UTC
(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

It is. Please stabilize =www-client/chromium-37.0.2062.94
Comment 2 Agostino Sarubbo gentoo-dev 2014-08-27 12:43:00 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-27 12:43:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-27 12:44:26 UTC
cleanup done.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-27 12:47:58 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-09-02 07:59:21 UTC
This issue was resolved and addressed in
 GLSA 201408-16 at http://security.gentoo.org/glsa/glsa-201408-16.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 20:14:13 UTC
CVE-2014-3177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3177):
  Google Chrome before 37.0.2062.94 does not properly handle the interaction
  of extensions, IPC, the sync API, and Google V8, which allows remote
  attackers to execute arbitrary code via unspecified vectors, a different
  vulnerability than CVE-2014-3176.

CVE-2014-3176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3176):
  Google Chrome before 37.0.2062.94 does not properly handle the interaction
  of extensions, IPC, the sync API, and Google V8, which allows remote
  attackers to execute arbitrary code via unspecified vectors, a different
  vulnerability than CVE-2014-3177.

CVE-2014-3175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3175):
  Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062.94
  allow attackers to cause a denial of service or possibly have other impact
  via unknown vectors, related to the load_truetype_glyph function in
  truetype/ttgload.c in FreeType and other functions in other components.

CVE-2014-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3174):
  modules/webaudio/BiquadDSPKernel.cpp in the Web Audio API implementation in
  Blink, as used in Google Chrome before 37.0.2062.94, does not properly
  consider concurrent threads during attempts to update biquad filter
  coefficients, which allows remote attackers to cause a denial of service
  (read of uninitialized memory) via crafted API calls.

CVE-2014-3173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3173):
  The WebGL implementation in Google Chrome before 37.0.2062.94 does not
  ensure that clear calls interact properly with the state of a draw buffer,
  which allows remote attackers to cause a denial of service (read of
  uninitialized memory) via a crafted CANVAS element, related to
  gpu/command_buffer/service/framebuffer_manager.cc and
  gpu/command_buffer/service/gles2_cmd_decoder.cc.

CVE-2014-3172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3172):
  The Debugger extension API in
  browser/extensions/api/debugger/debugger_api.cc in Google Chrome before
  37.0.2062.94 does not validate a tab's URL before an attach operation, which
  allows remote attackers to bypass intended access limitations via an
  extension that uses a restricted URL, as demonstrated by a chrome:// URL.

CVE-2014-3171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3171):
  Use-after-free vulnerability in the V8 bindings in Blink, as used in Google
  Chrome before 37.0.2062.94, allows remote attackers to cause a denial of
  service or possibly have unspecified other impact by leveraging improper use
  of HashMap add operations instead of HashMap set operations, related to
  bindings/core/v8/DOMWrapperMap.h and
  bindings/core/v8/SerializedScriptValue.cpp.

CVE-2014-3170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3170):
  extensions/common/url_pattern.cc in Google Chrome before 37.0.2062.94 does
  not prevent use of a '\0' character in a host name, which allows remote
  attackers to spoof the extension permission dialog by relying on truncation
  after this character.

CVE-2014-3169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3169):
  Use-after-free vulnerability in core/dom/ContainerNode.cpp in the DOM
  implementation in Blink, as used in Google Chrome before 37.0.2062.94,
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact by leveraging script execution that occurs before
  notification of node removal.

CVE-2014-3168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3168):
  Use-after-free vulnerability in the SVG implementation in Blink, as used in
  Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial
  of service or possibly have unspecified other impact by leveraging improper
  caching associated with animation.
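
The embedded-NUL truncation described for CVE-2014-3170 above, as an added example that is not part of this bug report or of Chromium's code. The function names, the C-string display path and the sample pattern are hypothetical and constructed for illustration; the example shows a length-aware host differing from what a C-string consumer displays, and a strict parse that rejects such input.

```cpp
#include <iostream>
#include <string>

// Extract the host part of a "scheme://host/path" pattern (simplified).
// std::string is length-aware, so bytes after an embedded '\0' are kept.
std::string ExtractHost(const std::string& pattern) {
    const std::string sep = "://";
    const std::size_t start = pattern.find(sep);
    if (start == std::string::npos) return "";
    const std::size_t host_begin = start + sep.size();
    const std::size_t host_end = pattern.find('/', host_begin);
    return pattern.substr(host_begin, host_end == std::string::npos
                                          ? std::string::npos
                                          : host_end - host_begin);
}

// Hypothetical display path that passes the host through a C-string API:
// everything after the first '\0' is silently dropped.
std::string DisplayedHost(const std::string& host) {
    return std::string(host.c_str());
}

// Hardened parse: refuse any pattern whose host is empty or contains '\0',
// so the stored host and the displayed host can never diverge this way.
bool ParsePatternStrict(const std::string& pattern, std::string* host_out) {
    const std::string host = ExtractHost(pattern);
    if (host.empty() || host.find('\0') != std::string::npos) return false;
    *host_out = host;
    return true;
}

// Constructed sample input: a host with an embedded NUL character.
std::string CraftedPattern() {
    return std::string("https://example.org") + '\0' + ".example.net/*";
}

int main() {
    const std::string host = ExtractHost(CraftedPattern());
    std::string out;
    std::cout << "stored host length: " << host.size() << "\n"
              << "displayed host:     " << DisplayedHost(host) << "\n"
              << "strict parse accepts crafted pattern: " << std::boolalpha
              << ParsePatternStrict(CraftedPattern(), &out) << "\n";
    return 0;
}
```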