Bug 285006 (CVE-2008-6994) - <=www-client/chromium-bin-? multiple vulnerabilities (CVE-2008-{6994,6995,6996,6997,6998,7061},CVE-2009-{2935,2955,2973,2974,3011})
Status: RESOLVED FIXED
Alias: CVE-2008-6994
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://src.chromium.org/viewvc/chrome...
Whiteboard: ~1 [noglsa]
Reported: 2009-09-14 21:45 UTC by Stefan Behte (RETIRED)
Modified: 2009-11-06 15:10 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 21:45:45 UTC
CVE-2008-6994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6994):
  Stack-based buffer overflow in the SaveAs feature
  (SaveFileAsWithFilter function) in win_util.cc in Google Chrome
  0.2.149.27 allows user-assisted remote attackers to execute arbitrary
  code via a web page with a long TITLE element, which triggers the
  overflow when the user saves the page and a long filename is
  generated.  NOTE: it might be possible to exploit this issue via an
  HTTP response that includes a long filename in a Content-Disposition
  header.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:48:53 UTC
CVE-2008-6995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6995):
  Integer underflow in net/base/escape.cc in chrome.dll in Google
  Chrome 0.2.149.27 allows remote attackers to cause a denial of
  service (browser crash) via a URI with an invalid handler followed by
  a "%" (percent) character, which triggers a buffer over-read, as
  demonstrated using an "about:%" URI.

CVE-2008-6996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6996):
  Google Chrome BETA (0.2.149.27) does not prompt the user before
  saving an executable file, which makes it easier for remote attackers
  or malware to cause a denial of service (disk consumption) or exploit
  other vulnerabilities via a URL that references an executable file,
  possibly related to the "ask where to save each file before
  downloading" setting.

CVE-2008-6997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6997):
  Google Chrome 0.2.149.27 allows user-assisted remote attackers to
  cause a denial of service (browser crash) via an IMG tag with a long
  src attribute, which triggers the crash when the victim performs an
  "Inspect Element" action.

CVE-2008-6998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6998):
  Stack-based buffer overflow in chrome/common/gfx/url_elider.cc in
  Google Chrome 0.2.149.27 and other versions before 0.2.149.29 might
  allow user-assisted remote attackers to execute arbitrary code via a
  link target (href attribute) with a large number of path elements,
  which triggers the overflow when the status bar is updated after the
  user hovers over the link.

CVE-2008-7061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7061):
  The tooltip manager (chrome/views/tooltip_manager.cc) in Google
  Chrome 0.2.149.29 Build 1798 and possibly other versions before
  0.2.149.30 allows remote attackers to cause a denial of service (CPU
  consumption or crash) via a tag with a long title attribute, which is
  not properly handled when displaying a tooltip, a different
  vulnerability than CVE-2008-6994.  NOTE: there is inconsistent
  information about the environments under which this issue exists.

CVE-2009-2935 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2935):
  Google V8, as used in Google Chrome before 2.0.172.43, allows remote
  attackers to bypass intended restrictions on reading memory, and
  possibly obtain sensitive information or execute arbitrary code in
  the Chrome sandbox, via crafted JavaScript.

CVE-2009-2955 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2955):
  Google Chrome 1.0.154.48 and earlier allows remote attackers to cause
  a denial of service (CPU consumption and application hang) via
  JavaScript code with a long string value for the hash property (aka
  location.hash), a related issue to CVE-2008-5715.

CVE-2009-2973 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2973):
  Google Chrome before 2.0.172.43 does not prevent SSL connections to a
  site with an X.509 certificate signed with the (1) MD2 or (2) MD4
  algorithm, which makes it easier for man-in-the-middle attackers to
  spoof arbitrary HTTPS servers via a crafted certificate, a related
  issue to CVE-2009-2409.

CVE-2009-2974 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2974):
  Google Chrome 1.0.154.65, 1.0.154.48, and earlier allows remote
  attackers to (1) cause a denial of service (application hang) via
  vectors involving a chromehtml: URI value for the document.location
  property or (2) cause a denial of service (application hang and CPU
  consumption) via vectors involving a series of function calls that
  set a chromehtml: URI value for the document.location property.

CVE-2009-3011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3011):
  Google Chrome 1.0.154.48 and earlier, 2.0.172.28, 2.0.172.37, and
  3.0.193.2 Beta does not properly block data: URIs in Refresh headers
  in HTTP responses, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks via vectors related to (1)
  injecting a Refresh header that contains JavaScript sequences in a
  data:text/html URI or (2) entering a data:text/html URI with
  JavaScript sequences when specifying the content of a Refresh header.
  NOTE: the JavaScript executes outside of the context of the HTTP
  site.

Comment 2 Bernard Cafarelli gentoo-dev 2009-09-16 14:26:04 UTC
All our portage versions are >=4.0.208.0, so we are fine on these (the newest vulnerable version indicated is 3.0.193.2 in one CVE, others are for <3.0). Pawel, do you confirm?
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2009-09-16 15:39:20 UTC
Confirmed. Not affected. By the way, the most reliable source of information about vulnerabilities fixed in Chrome is http://googlechromereleases.blogspot.com/
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:10:27 UTC
Thanks, closing noglsa.