Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 460318 (CVE-2013-0902) - <www-client/chromium-25.0.1364.152 multiple vulnerabilities (CVE-2013-{0902,0903,0904,0905,0906,0907,0908,0909,0910,0911})
Summary: <www-client/chromium-25.0.1364.152 multiple vulnerabilities (CVE-2013-{0902,0...
Status: RESOLVED FIXED
Alias: CVE-2013-0902
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-04 19:15 UTC by Mike Gilbert
Modified: 2013-09-25 00:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gilbert gentoo-dev 2013-03-04 19:15:39 UTC
Release notes in URL.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-03-04 19:34:30 UTC
Let's use bundled libsrtp (for bug #459932) for this version bump if possible.
Comment 2 Mike Gilbert gentoo-dev 2013-03-04 19:47:54 UTC
Will do.

I'm getting a build failure due to a missing asm file.

yasm: FATAL: unable to open include file `third_party/x86inc/x86inc.asm'

Can you take a peek and see if there is anything special I need to do, other than excluding it from the bundled library purge?
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-03-04 20:03:39 UTC
(In reply to comment #2)
> yasm: FATAL: unable to open include file `third_party/x86inc/x86inc.asm'

Let's just add it to exclusion list, I think that's what is done for more recent chromium ebuilds.
Comment 4 Mike Gilbert gentoo-dev 2013-03-04 20:32:21 UTC
Please stabilize:

=www-client/chromium-25.0.1364.152
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-05 13:17:35 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-05 13:17:49 UTC
x86 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-03-06 23:29:01 UTC
CVE-2013-0911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0911):
  Directory traversal vulnerability in Google Chrome before 25.0.1364.152
  allows remote attackers to have an unspecified impact via vectors related to
  databases.

CVE-2013-0910 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0910):
  Google Chrome before 25.0.1364.152 does not properly manage the interaction
  between the browser process and renderer processes during authorization of
  the loading of a plug-in, which makes it easier for remote attackers to
  bypass intended access restrictions via vectors involving a blocked plug-in.

CVE-2013-0909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0909):
  The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote
  attackers to obtain sensitive HTTP Referer information via unspecified
  vectors.

CVE-2013-0908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0908):
  Google Chrome before 25.0.1364.152 does not properly manage bindings of
  extension processes, which has unspecified impact and attack vectors.

CVE-2013-0907 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0907):
  Race condition in Google Chrome before 25.0.1364.152 allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors related to the handling of media threads.

CVE-2013-0906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0906):
  The IndexedDB implementation in Google Chrome before 25.0.1364.152 allows
  remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via unknown vectors.

CVE-2013-0905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0905):
  Use-after-free vulnerability in Google Chrome before 25.0.1364.152 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving an SVG animation.

CVE-2013-0904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0904):
  The Web Audio implementation in Google Chrome before 25.0.1364.152 allows
  remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via unknown vectors.

CVE-2013-0903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0903):
  Use-after-free vulnerability in Google Chrome before 25.0.1364.152 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of browser navigation.

CVE-2013-0902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0902):
  Use-after-free vulnerability in the frame-loader implementation in Google
  Chrome before 25.0.1364.152 allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via unknown vectors.
Comment 8 Sean Amoss gentoo-dev Security 2013-03-17 21:24:50 UTC
Added to existing GLSA draft.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 00:10:40 UTC
This issue was resolved and addressed in
 GLSA 201309-16 at http://security.gentoo.org/glsa/glsa-201309-16.xml
by GLSA coordinator Sean Amoss (ackle).