Bug 406975 - <www-client/chromium-17.0.963.65 : Multiple vulnerabilities (CVE-2011-{3031,3032,3033,3034,3035,3036,3037,3038,3039,3040,3041,3042,3043,3044})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-05 10:50 UTC by Agostino Sarubbo
Modified: 2012-03-25 16:07 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-03-05 10:50:29 UTC
From secunia advisory:

1) A use-after-free error exists within v8 element wrapper handling.

2) A use-after-free error exists within SVG value handling.

3) A buffer overflow exists within the Skia drawing library.

4) A use-after-free error exists within SVG document handling.

5) A use-after-free error exists within SVG use handling.

6) A casting error exists within line box handling.

7) A casting error exists within anonymous block splitting.

8) A use-after-free error exists within multi-column handling.

9) A use-after-free error exists within quote handling.

10) An out-of-bounds read error exists within text handling.

11) A use-after-free error exists within class attribute handling.

12) A use-after-free error exists within table section handling.

13) A use-after-free error exists within flexbox with floats handling.

14) A use-after-free error exists within SVG animation elements handling.

15) The application bundles a vulnerable version of the Adobe Flash player.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-03-05 15:32:10 UTC
From $URL:

Rockstar CVE-1337-d00d1: Excessive WebKit fuzzing. Credit to miaubiz.
Legend CVE-1337-d00d2: Awesome variety of fuzz targets. Credit to Aki Helin of OUSPG.
Superhero CVE-1337-d00d3: Significant pain inflicted upon SVG. Credit to Arthur Gerkis.
High CVE-2011-3031: Use-after-free in v8 element wrapper. Credit to Chamal de Silva.
High CVE-2011-3032: Use-after-free in SVG value handling. Credit to Arthur Gerkis.
High CVE-2011-3033: Buffer overflow in the Skia drawing library. Credit to Aki Helin of OUSPG.
High CVE-2011-3034: Use-after-free in SVG document handling. Credit to Arthur Gerkis.
High CVE-2011-3035: Use-after-free in SVG use handling. Credit to Arthur Gerkis.
High CVE-2011-3036: Bad cast in line box handling. Credit to miaubiz.
High CVE-2011-3037: Bad casts in anonymous block splitting. Credit to miaubiz.
High CVE-2011-3038: Use-after-free in multi-column handling. Credit to miaubiz.
High CVE-2011-3039: Use-after-free in quote handling. Credit to miaubiz.
High CVE-2011-3040: Out-of-bounds read in text handling. Credit to miaubiz.
High CVE-2011-3041: Use-after-free in class attribute handling. Credit to miaubiz.
High CVE-2011-3042: Use-after-free in table section handling. Credit to miaubiz.
High CVE-2011-3043: Use-after-free in flexbox with floats. Credit to miaubiz.
High CVE-2011-3044: Use-after-free with SVG animation elements. Credit to Arthur Gerkis.
Comment 2 Mike Gilbert gentoo-dev 2012-03-05 15:38:30 UTC
Working on a version bump.
Comment 3 Mike Gilbert gentoo-dev 2012-03-05 18:14:59 UTC
The release notes mention "v8 element wrapper handling", but I'm not sure if that means a new version of dev-lang/v8 is required. I suppose we can stabilize that anyway, just to be safe.

New versions are in CVS:

=dev-lang/v8-3.7.12.27
=www-client/chromium-17.0.963.65

There is a new test failure in chromium (bug 407001). I don't think it should block stabilization.

Please stabilize. I assume ago will handle amd64, as usual.
Comment 4 Mike Gilbert gentoo-dev 2012-03-06 22:15:28 UTC
Google just cut another stable channel release to fix a regression in DOM processing. Although it is not security related, the fix is probably worth having.

http://googlechromereleases.blogspot.com/2012/03/stable-channel-update.html

Please hold off on stabilization until I have the new version in the tree later this evening.
Comment 5 Mike Gilbert gentoo-dev 2012-03-07 00:16:35 UTC
New stable targets:

=dev-lang/v8-3.7.12.28
=www-client/chromium-17.0.963.66
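The title of this bug marks the affected range as `<www-client/chromium-17.0.963.65`, and the comment above names `17.0.963.66` as the stable target. Deciding whether an installed version falls inside such a range needs Gentoo's version ordering rather than a plain string comparison (`17.0.963.65-r1` and `18.0.1025.33_beta` must sort correctly). The following is an added example, not code from this bug or from portage: a compact re-implementation of the PMS version-comparison rules (numeric components, optional letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revision). The function names `compare_versions`, `is_affected` and `meets_stable_target` are this example's own; the two boundary versions are taken from the bug.

```python
"""Gentoo-style version ordering, used to check an installed www-client/chromium
version against the range in this bug.

Added example, not code from the bug or from portage's own vercmp; it follows the
PMS comparison rules but is a compact re-implementation.
"""
import re

# <numeric components>[letter][_suffix[N]...][-rN]
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)

# PMS ordering of suffixes: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def parse_version(version):
    """Split a version string into (numeric components, letter, suffixes, revision)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {version!r}")
    nums = m.group("nums").split(".")
    letter = m.group("letter") or ""
    suffixes = [(name, int(num or 0))
                for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)",
                                            m.group("suffixes"))]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_numeric_components(a, b):
    # First component: plain integer comparison.
    c = _cmp(int(a[0]), int(b[0]))
    if c:
        return c
    # Later components: PMS compares as strings (trailing zeros stripped) when
    # either side has a leading zero, otherwise as integers (so 1.10 > 1.9).
    for x, y in zip(a[1:], b[1:]):
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    # All shared components equal: the version with more components is newer.
    return _cmp(len(a), len(b))


def _cmp_suffixes(a, b):
    # Pad the shorter list with the "no suffix" marker so that
    # 1.0_rc1 < 1.0 < 1.0_p1 and 1.0_rc1 < 1.0_rc1_p1.
    for (sa, na), (sb, nb) in zip(a + [("", 0)], b + [("", 0)]):
        c = _cmp(SUFFIX_ORDER[sa], SUFFIX_ORDER[sb]) or _cmp(na, nb)
        if c:
            return c
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 ordering v1 against v2 by PMS rules."""
    n1, l1, s1, r1 = parse_version(v1)
    n2, l2, s2, r2 = parse_version(v2)
    return (_cmp_numeric_components(n1, n2)
            or _cmp(l1, l2)
            or _cmp_suffixes(s1, s2)
            or _cmp(r1, r2))


# Boundaries from this bug: affected is <17.0.963.65 (title),
# the stable target is 17.0.963.66 (comment 5).
AFFECTED_BELOW = "17.0.963.65"
STABLE_TARGET = "17.0.963.66"


def is_affected(installed):
    """True if the installed chromium version is inside the bug's affected range."""
    return compare_versions(installed, AFFECTED_BELOW) < 0


def meets_stable_target(installed):
    """True if the installed version is at or above the stabilized target."""
    return compare_versions(installed, STABLE_TARGET) >= 0


if __name__ == "__main__":
    # Constructed sample versions, including a revision and a pre-release suffix.
    for v in ["17.0.963.56", "17.0.963.65", "17.0.963.65-r1",
              "17.0.963.66", "18.0.1025.33_beta"]:
        print(f"{v:>20}: affected={is_affected(v)} "
              f"meets_target={meets_stable_target(v)}")
```

The same comparator can be pointed at the `dev-lang/v8` targets in the comment above (3.7.12.27 versus 3.7.12.28); the installed version would normally come from `equery` or `qlist -Iv` rather than a literal.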
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2012-03-07 15:50:23 UTC
x86 done
Comment 7 Mike Gilbert gentoo-dev 2012-03-07 16:21:27 UTC
@x86: I think you forgot to commit the stable keyword.
Comment 8 Mike Gilbert gentoo-dev 2012-03-07 16:22:32 UTC
amd64 is done.

  07 Mar 2012; Agostino Sarubbo <ago@gentoo.org> chromium-17.0.963.66.ebuild:
  Stable for amd64, wrt bug #406975
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2012-03-07 16:28:39 UTC
(In reply to comment #7)
> @x86: I think you forgot to commit the stable keyword.

Thanks. Should be done now.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-08 12:46:29 UTC
GLSA draft ready, security please review and send.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-08 20:36:19 UTC
Chromium is not a system package.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-03-09 00:17:35 UTC
CVE-2011-3044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3044):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving SVG animation elements.

CVE-2011-3043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3043):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving a flexbox (aka flexible box) in
  conjunction with the floating of elements.

CVE-2011-3042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3042):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of table sections.

CVE-2011-3041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3041):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of class attributes.

CVE-2011-3040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3040):
  Google Chrome before 17.0.963.65 does not properly handle text, which allows
  remote attackers to cause a denial of service (out-of-bounds read) via a
  crafted document.

CVE-2011-3039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3039):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to quote handling.

CVE-2011-3038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3038):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to multi-column handling.

CVE-2011-3037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3037):
  Google Chrome before 17.0.963.65 does not properly perform casts of
  unspecified variables during the splitting of anonymous blocks, which allows
  remote attackers to cause a denial of service or possibly have unknown other
  impact via a crafted document.

CVE-2011-3036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3036):
  Google Chrome before 17.0.963.65 does not properly perform a cast of an
  unspecified variable during handling of line boxes, which allows remote
  attackers to cause a denial of service or possibly have unknown other impact
  via a crafted document.

CVE-2011-3035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3035):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving SVG use elements.

CVE-2011-3034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3034):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving an SVG document.

CVE-2011-3033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3033):
  Buffer overflow in Skia, as used in Google Chrome before 17.0.963.65, allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via unknown vectors.

CVE-2011-3032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3032):
  Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of SVG values.

CVE-2011-3031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3031):
  Use-after-free vulnerability in the element wrapper in Google V8, as used in
  Google Chrome before 17.0.963.65, allows remote attackers to cause a denial
  of service or possibly have unspecified other impact via unknown vectors.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-03-11 06:45:24 UTC
(In reply to comment #11)
> Chromium is not a system package.

But I suspect it is on 1/20th of installs. You have a feeling on that?
Comment 14 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-11 09:16:33 UTC
(In reply to comment #13)
> (In reply to comment #11)
> > Chromium is not a system package.
> 
> But I suspect it is on 1/20th of installs. You have a feeling on that?

Ah right, I was misreading vulnerability treatment policy. Makes sense now.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-03-25 16:07:53 UTC
This issue was resolved and addressed in
 GLSA 201203-19 at http://security.gentoo.org/glsa/glsa-201203-19.xml
by GLSA coordinator Tim Sammut (underling).