Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 552904

Summary: <www-client/chromium-43.0.2357.130: multiple vulnerabilities (CVE-2015-{1266,1267,1268,1269})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: chromium
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://googlechromereleases.blogspot.it/2015/06/chrome-stable-update.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-06-23 07:27:06 UTC
From ${URL} :

The stable channel has been updated to 43.0.2357.130 for Windows, Mac, and Linux.  A partial list of changes is available in the log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Below, we highlight 4 fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$5000][464922] High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
[TBD][494640] High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[TBD][497507] Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
[TBD][461481] Medium CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2015-06-23 23:55:04 UTC
Please stabilize:

=www-client/chromium-43.0.2357.130
Comment 2 Agostino Sarubbo gentoo-dev 2015-06-24 08:16:59 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-06-24 08:17:15 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-06-24 09:00:06 UTC
New GLSA request filed
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-06-30 23:40:31 UTC
CVE-2015-1269 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1269):
  The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in
  Google Chrome before 43.0.2357.130 does not properly canonicalize DNS
  hostnames before making comparisons to HSTS or HPKP preload entries, which
  allows remote attackers to bypass intended access restrictions via a string
  that (1) ends in a . (dot) character or (2) is not entirely lowercase.

CVE-2015-1268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1268):
  bindings/scripts/v8_types.py in Blink, as used in Google Chrome before
  43.0.2357.130, does not properly select a creation context for a return
  value's DOM wrapper, which allows remote attackers to bypass the Same Origin
  Policy via crafted JavaScript code, as demonstrated by use of a data: URL.

CVE-2015-1267 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1267):
  Blink, as used in Google Chrome before 43.0.2357.130, does not properly
  restrict the creation context during creation of a DOM wrapper, which allows
  remote attackers to bypass the Same Origin Policy via crafted JavaScript
  code that uses a Blink public API, related to WebArrayBufferConverter.cpp,
  WebBlob.cpp, WebDOMError.cpp, and WebDOMFileSystem.cpp.

CVE-2015-1266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1266):
  content/browser/webui/content_web_ui_controller_factory.cc in Google Chrome
  before 43.0.2357.130 does not properly consider the scheme in determining
  whether a URL is associated with a WebUI SiteInstance, which allows remote
  attackers to bypass intended access restrictions via a similar URL, as
  demonstrated by use of http://gpu when there is a WebUI class for handling
  chrome://gpu requests.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-07-10 13:22:58 UTC
This issue was resolved and addressed in
 GLSA 201507-18 at https://security.gentoo.org/glsa/201507-18
by GLSA coordinator Mikle Kolyada (Zlogene).