Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 463426 (CVE-2013-0916) - <www-client/chromium-26.0.1410.43 multiple vulnerabilities (CVE-2013-{0916,0917,0918,0919,0920,0921,0922,0923,0924,0925,0926})
Summary: <www-client/chromium-26.0.1410.43 multiple vulnerabilities (CVE-2013-{0916,09...
Status: RESOLVED FIXED
Alias: CVE-2013-0916
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on: 464682
Blocks:
  Show dependency tree
 
Reported: 2013-03-27 01:59 UTC by Mike Gilbert
Modified: 2013-09-25 00:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gilbert gentoo-dev 2013-03-27 01:59:23 UTC
See URL.
Comment 1 Mike Gilbert gentoo-dev 2013-03-27 02:17:37 UTC
The following packages will need to be stabilized as dependencies.

=dev-lang/v8-3.16.14.9-r1
dev-libs/jsoncpp
dev-libs/re2
>=sci-geosciences/gpsd-3.7
>=media-libs/mesa-9.1
Comment 2 Mike Gilbert gentoo-dev 2013-03-27 02:39:52 UTC
Ok, ebuild is in the tree. I'm not sure how to update the whiteboard while we are waiting for the dependencies to be stabilized.
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-27 10:54:17 UTC
Arches, please test and mark stable:
=www-client/chromium-26.0.1410.43
=dev-lang/v8-3.16.14.9-r1
=dev-libs/jsoncpp-0.5.0-r1
=dev-libs/re2-0_p20130115
Target keywords : "amd64 x86"
Comment 4 Mike Gilbert gentoo-dev 2013-03-27 19:02:15 UTC
I have stable-masked www-client/chromium[gps] due to a regression in sci-geosciences/gpsd-3.7 that may cause a delay in stabilization.
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-01 13:22:55 UTC
(In reply to comment #4)
> I have stable-masked www-client/chromium[gps] due to a regression in
> sci-geosciences/gpsd-3.7 that may cause a delay in stabilization.

+  01 Apr 2013; Agostino Sarubbo <ago@gentoo.org> package.use.stable.mask:                                                                                                          
+  Revert www-client/chromium[gps] stable mask since now                                                                                                                            
+  =sci-geosciences/gpsd-3.7 is stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-04-03 16:29:01 UTC
(In reply to comment #3)
> Arches, please test and mark stable:
> =www-client/chromium-26.0.1410.43
> =dev-lang/v8-3.16.14.9-r1
> =dev-libs/jsoncpp-0.5.0-r1
> =dev-libs/re2-0_p20130115
> Target keywords : "amd64 x86"

Let's go ahead with this. I removed dependency on mesa for chromium-26.x so we can do this security stabilization.

  03 Apr 2013; Pawel Hajdan jr
  -chromium-26.0.1410.33.ebuild, -chromium-26.0.1410.33-r1.ebuild,
  chromium-26.0.1410.43.ebuild:
  Remove dependency on mesa, bug #463430 . Remove old.
Comment 7 Agostino Sarubbo gentoo-dev 2013-04-04 20:25:50 UTC
amd64 and x86 stable. Security, go ahead with the glsa
Comment 8 Sean Amoss gentoo-dev Security 2013-04-06 20:34:13 UTC
Added to - and updated - existing GLSA draft.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:51:05 UTC
CVE-2013-0926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0926):
  Google Chrome before 26.0.1410.43 does not properly handle active content in
  an EMBED element during a copy-and-paste operation, which allows
  user-assisted remote attackers to have an unspecified impact via a crafted
  web site.

CVE-2013-0925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0925):
  Google Chrome before 26.0.1410.43 does not ensure that an extension has the
  tabs (aka APIPermission::kTab) permission before providing a URL to this
  extension, which has unspecified impact and remote attack vectors.

CVE-2013-0924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0924):
  The extension functionality in Google Chrome before 26.0.1410.43 does not
  verify that use of the permissions API is consistent with file permissions,
  which has unspecified impact and attack vectors.

CVE-2013-0923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0923):
  The USB Apps API in Google Chrome before 26.0.1410.43 allows remote
  attackers to cause a denial of service (memory corruption) via unspecified
  vectors.

CVE-2013-0922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0922):
  Google Chrome before 26.0.1410.43 does not properly restrict brute-force
  access attempts against web sites that require HTTP Basic Authentication,
  which has unspecified impact and attack vectors.

CVE-2013-0921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0921):
  The Isolated Sites feature in Google Chrome before 26.0.1410.43 does not
  properly enforce the use of separate processes, which makes it easier for
  remote attackers to bypass intended access restrictions via a crafted web
  site.

CVE-2013-0920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0920):
  Use-after-free vulnerability in the extension bookmarks API in Google Chrome
  before 26.0.1410.43 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors.

CVE-2013-0919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0919):
  Use-after-free vulnerability in Google Chrome before 26.0.1410.43 on Linux
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact by leveraging the presence of an extension that
  creates a pop-up window.

CVE-2013-0918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0918):
  Google Chrome before 26.0.1410.43 does not prevent navigation to developer
  tools in response to a drag-and-drop operation, which allows user-assisted
  remote attackers to have an unspecified impact via a crafted web site.

CVE-2013-0917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0917):
  The URL loader in Google Chrome before 26.0.1410.43 allows remote attackers
  to cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-0916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0916):
  Use-after-free vulnerability in the Web Audio implementation in Google
  Chrome before 26.0.1410.43 allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via unknown vectors.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 00:10:45 UTC
This issue was resolved and addressed in
 GLSA 201309-16 at http://security.gentoo.org/glsa/glsa-201309-16.xml
by GLSA coordinator Sean Amoss (ackle).