[arch-security] [ASA-201504-2] chromium: remote code execution
Arch Linux Security Advisory ASA-201504-2
=========================================

Severity: Critical
Date    : 2015-04-02
CVE-ID  : CVE-2015-1233 CVE-2015-1234
Package : chromium
Type    : remote code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 41.0.2272.118-1 is vulnerable to
remote code execution.

Resolution
==========

Upgrade to 41.0.2272.118-1.

# pacman -Syu "chromium>=41.0.2272.118-1"

The problem has been fixed upstream in version 41.0.2272.118.

Workaround
==========

None.

Description
===========

- CVE-2015-1233 (remote code execution):
A combination of V8, Gamepad and IPC bugs can lead to remote code
execution outside of the sandbox.

- CVE-2015-1234 (buffer overflow):
Buffer overflow via a race condition in GPU.

Impact
======

A remote attacker can execute arbitrary code on a vulnerable host,
bypassing the sandboxing protection.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1233
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1234
http://googlechromereleases.blogspot.fr/2015/04/stable-channel-update.html
https://code.google.com/p/chromium/issues/detail?id=468936
https://code.google.com/p/chromium/issues/detail?id=469058
https://codereview.chromium.org/1016193003
participants (1)
-
Remi Gacogne