From ${URL} : The Chrome team is delighted to announce the promotion of Chrome 38 to the stable channel for Windows, Mac and Linux. Chrome 38.0.2125.101 contains a number of fixes and improvements, including: - A number of new apps/extension APIs - Lots of under the hood changes for stability and performance A full list of changes is available in the log. Security Fixes and Rewards Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed. This update includes 159 security fixes, including 113 relatively minor fixes found using MemorySanitizer. Below, we highlight fixes that were either contributed by external researchers or particularly interesting. Please see the Chromium security page for more information. [$27633.70][416449] Critical CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox. [$3000][398384] High CVE-2014-3189: Out-of-bounds read in PDFium. Credit to cloudfuzzer. [$3000][400476] High CVE-2014-3190: Use-after-free in Events. Credit to cloudfuzzer. [$3000][402407] High CVE-2014-3191: Use-after-free in Rendering. Credit to cloudfuzzer. [$2000][403276] High CVE-2014-3192: Use-after-free in DOM. Credit to cloudfuzzer. [$1500][399655] High CVE-2014-3193: Type confusion in Session Management. Credit to miaubiz. [$1500][401115] High CVE-2014-3194: Use-after-free in Web Workers. Credit to Collin Payne. [$4500][403409] Medium CVE-2014-3195: Information Leak in V8. Credit to Jüri Aedla. [$3000][338538] Medium CVE-2014-3196: Permissions bypass in Windows Sandbox. Credit to James Forshaw. [$1500][396544] Medium CVE-2014-3197: Information Leak in XSS Auditor. Credit to Takeshi Terada. [$1500][415307] Medium CVE-2014-3198: Out-of-bounds read in PDFium. Credit to Atte Kettunen of OUSPG. [$500][395411] Low CVE-2014-3199: Release Assert in V8 bindings. Credit to Collin Payne. We would also like to thank Atte Kettunen of OUSPG and Collin Payne for working with us during the development cycle to prevent security bugs from ever reaching the stable channel. $23,000 in additional rewards were issued. As usual, our ongoing internal security work responsible for a wide range of fixes: [420899] CVE-2014-3200: Various fixes from internal audits, fuzzing and other initiatives (Chrome 38). Multiple vulnerabilities in V8 fixed at the tip of the 3.28 branch (currently 3.28.71.15). Some of the above bugs were also detected using AddressSanitizer. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
I see a couple of possible blockers: Bug 518668 is a build failure with gcc-4.7 (latest stable). Bug 523744 is a build failure on x86. I am not sure if either bug occurs in the latest version on the chromium-38 branch. If you run into them, please add the appropriate dependencies here. Otherwise, lets proceed with stabilization on amd64 and x86. =www-client/chromium-38.0.2125.101
amd64 stable - no build issues on gcc-4.7.3
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
cleanup done.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
CVE-2014-3200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3200): Multiple unspecified vulnerabilities in Google Chrome before 38.0.2125.101 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2014-3199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3199): The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 38.0.2125.101, has an erroneous fallback outcome for wrapper-selection failures, which allows remote attackers to cause a denial of service via vectors that trigger stopping a worker process that had been handling an Event object. CVE-2014-3198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3198): The Instance::HandleInputEvent function in pdf/instance.cc in the PDFium component in Google Chrome before 38.0.2125.101 interprets a certain -1 value as an index instead of a no-visible-page error code, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. CVE-2014-3197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3197): The NavigationScheduler::schedulePageBlock function in core/loader/NavigationScheduler.cpp in Blink, as used in Google Chrome before 38.0.2125.101, does not properly provide substitute data for pages blocked by the XSS auditor, which allows remote attackers to obtain sensitive information via a crafted web site. CVE-2014-3196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3196): base/memory/shared_memory_win.cc in Google Chrome before 38.0.2125.101 on Windows does not properly implement read-only restrictions on shared memory, which allows attackers to bypass a sandbox protection mechanism via unspecified vectors. CVE-2014-3195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3195): Google V8, as used in Google Chrome before 38.0.2125.101, does not properly track JavaScript heap-memory allocations as allocations of uninitialized memory and does not properly concatenate arrays of double-precision floating-point numbers, which allows remote attackers to obtain sensitive information via crafted JavaScript code, related to the PagedSpace::AllocateRaw and NewSpace::AllocateRaw functions in heap/spaces-inl.h, the LargeObjectSpace::AllocateRaw function in heap/spaces.cc, and the Runtime_ArrayConcat function in runtime.cc. CVE-2014-3194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3194): Use-after-free vulnerability in the Web Workers implementation in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. CVE-2014-3193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3193): The SessionService::GetLastSession function in browser/sessions/session_service.cc in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors that leverage "type confusion" for callback processing. CVE-2014-3192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3192): Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet function in core/dom/ProcessingInstruction.cpp in the DOM implementation in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. CVE-2014-3191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3191): Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree, related to the FrameView::updateLayoutAndStyleForPainting function in core/frame/FrameView.cpp and the RenderLayerScrollableArea::setScrollOffset function in core/rendering/RenderLayerScrollableArea.cpp. CVE-2014-3190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3190): Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that accesses the path property of an Event object. CVE-2014-3189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3189): The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the PDFium component in Google Chrome before 38.0.2125.101 does not properly validate image-data dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via unknown vectors. CVE-2014-3188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3188): Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and Google V8, which allows remote attackers to execute arbitrary code via vectors involving JSON data, related to improper parsing of an escaped index by ParseJsonObject in json-parser.h.
This issue was resolved and addressed in GLSA 201412-13 at http://security.gentoo.org/glsa/glsa-201412-13.xml by GLSA coordinator Sean Amoss (ackle).