[arch-security] [ASA-201505-14] chromium: multiple issues
Arch Linux Security Advisory ASA-201505-14
==========================================

Severity: Critical
Date    : 2015-05-21
CVE-ID  : CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254
          CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258
          CVE-2015-1259 CVE-2015-1260 CVE-2015-1263 CVE-2015-1264
          CVE-2015-1265
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 43.0.2357.65-1 is vulnerable to
multiple issues including but not limited to arbitrary code execution,
sandbox protection bypass, same-origin policy bypass, denial of service,
cross-site scripting and man-in-the-middle.

Resolution
==========

Upgrade to 43.0.2357.65-1.

# pacman -Syu "chromium>=43.0.2357.65-1"

The problems have been fixed upstream in version 43.0.2357.65.

Workaround
==========

None.

Description
===========

- CVE-2015-1251 (arbitrary code execution)

A use-after-free vulnerability in the SpeechRecognitionClient
implementation in the Speech subsystem allows remote attackers to execute
arbitrary code via a crafted document.

- CVE-2015-1252 (sandbox protection bypass)

It has been discovered that common/partial_circular_buffer.cc does not
properly handle wraps, which allows remote attackers to bypass a sandbox
protection mechanism or cause a denial of service (out-of-bounds write)
via vectors that trigger a write operation with a large amount of data,
related to the PartialCircularBuffer::Write and
PartialCircularBuffer::DoWrite functions.

- CVE-2015-1253 (same-origin policy bypass)

It has been discovered that core/html/parser/HTMLConstructionSite.cpp in
the DOM implementation in Blink allows remote attackers to bypass the
same-origin policy via crafted JavaScript code that appends a child to a
SCRIPT element, related to the insert and executeReparentTask functions.

- CVE-2015-1254 (same-origin policy bypass)

It has been discovered that core/dom/Document.cpp in Blink enables the
inheritance of the designMode attribute, which allows remote attackers to
bypass the same-origin policy by leveraging the availability of editing.

- CVE-2015-1255 (denial of service)

A use-after-free vulnerability in
content/renderer/media/webaudio_capturer_source.cc in the WebAudio
implementation allows remote attackers to cause a denial of service (heap
memory corruption) or possibly have unspecified other impact by leveraging
improper handling of a stop action for an audio track.

- CVE-2015-1256 (denial of service)

A use-after-free vulnerability in the SVG implementation in Blink allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via a crafted document that leverages improper handling of a
shadow tree for a use element.

- CVE-2015-1257 (denial of service)

It has been discovered that platform/graphics/filters/FEColorMatrix.cpp in
the SVG implementation in Blink does not properly handle an insufficient
number of values in an feColorMatrix filter, which allows remote attackers
to cause a denial of service (container overflow) or possibly have
unspecified other impact via a crafted document.

- CVE-2015-1258 (denial of service)

Google Chrome before 43.0.2357.65 relies on libvpx code that was not built
with an appropriate --size-limit value, which allows remote attackers to
trigger a negative value for a size field, and consequently cause a denial
of service or possibly have unspecified other impact, via a crafted frame
size in VP9 video data.

- CVE-2015-1259 (denial of service)

PDFium does not properly initialize memory, which allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
unknown vectors.

- CVE-2015-1260 (denial of service)

Multiple use-after-free vulnerabilities in
content/renderer/media/user_media_client_impl.cc in the WebRTC
implementation allow remote attackers to cause a denial of service or
possibly have unspecified other impact via crafted JavaScript code that
executes upon completion of a getUserMedia request.

- CVE-2015-1263 (man-in-the-middle)

The Spellcheck API implementation does not use an HTTPS session for
downloading a Hunspell dictionary, which allows man-in-the-middle
attackers to deliver incorrect spelling suggestions or possibly have
unspecified other impact via a crafted file.

- CVE-2015-1264 (cross-site scripting)

A cross-site scripting (XSS) vulnerability allows user-assisted remote
attackers to inject arbitrary web script or HTML via crafted data that is
improperly handled by the Bookmarks feature.

- CVE-2015-1265 (denial of service)

Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357.65
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors.

Impact
======

A remote attacker is able to execute arbitrary code, bypass the sandbox
protection mechanism, bypass the same-origin policy, perform cross-site
scripting, perform a denial of service attack or possibly have unspecified
other impact via various vectors.

References
==========

http://googlechromereleases.blogspot.fr/2015/05/stable-channel-update_19.htm...
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1251
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1252
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1253
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1254
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1255
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1256
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1257
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1258
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1259
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1260
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1263
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1264
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1265
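The Resolution section fixes the threshold at 43.0.2357.65-1, and "before" is decided by pacman's version ordering (epoch, then pkgver, then pkgrel), not by a string compare. The script below is an added example, not part of the advisory or of Arch's tooling: it reads `pacman -Q chromium` (falling back to a constructed sample line when pacman is absent) and decides whether the installed build predates the fix. Its `vercmp` is a simplified re-implementation of pacman's comparison rules written here so the check runs offline; on an Arch host the real `vercmp` binary is authoritative.

```python
"""Check whether an installed Arch chromium package predates the fix in
ASA-201505-14 (43.0.2357.65-1).

Added example, not part of the advisory. The version comparison below is a
simplified re-implementation of pacman's vercmp rules (epoch, then pkgver,
then pkgrel, with alphanumeric tokenisation), written so the check runs
offline; on an Arch host the real `vercmp` binary is authoritative.
"""
import re
import subprocess

FIXED_VERSION = "43.0.2357.65-1"      # from the advisory's Resolution section

# Constructed sample of `pacman -Q chromium` output for an unpatched host.
SAMPLE_PACMAN_Q = "chromium 42.0.2311.152-1"


def _split(ver):
    """Split 'epoch:pkgver-pkgrel' into (int epoch, pkgver, pkgrel or None)."""
    epoch, sep, rest = ver.partition(":")
    if not sep:
        epoch, rest = "0", ver
    pkgver, sep, pkgrel = rest.partition("-")
    return int(epoch), pkgver, (pkgrel if sep else None)


def _segcmp(a, b):
    """Compare two version strings the way pacman's rpmvercmp-derived code
    does: digit runs compare numerically, alpha runs lexically, a digit run
    beats an alpha run, a leftover numeric segment makes a version newer
    (1.0.1 > 1.0) and a leftover alpha suffix makes it older (1.0a < 1.0)."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    leftover = ta[len(tb)] if a_longer else tb[len(ta)]
    longer_is_newer = leftover.isdigit()
    if a_longer:
        return 1 if longer_is_newer else -1
    return -1 if longer_is_newer else 1


def vercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1   # epoch overrides everything else
    c = _segcmp(va, vb)
    if c != 0 or ra is None or rb is None:
        return c                      # pkgrel only counts when both carry one
    return _segcmp(ra, rb)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed one."""
    return vercmp(installed, fixed) < 0


def parse_pacman_q(line):
    """'chromium 42.0.2311.152-1' -> ('chromium', '42.0.2311.152-1')."""
    name, _, ver = line.strip().partition(" ")
    return name, ver


def report(line, fixed=FIXED_VERSION):
    """One-line verdict for a `pacman -Q` output line."""
    name, ver = parse_pacman_q(line)
    if is_vulnerable(ver, fixed):
        return f"{name} {ver}: affected by ASA-201505-14, upgrade to {fixed}"
    return f"{name} {ver}: not affected (>= {fixed})"


if __name__ == "__main__":
    try:
        line = subprocess.check_output(["pacman", "-Q", "chromium"], text=True)
    except (OSError, subprocess.CalledProcessError):
        line = SAMPLE_PACMAN_Q   # not an Arch host: use the constructed sample
    print(report(line))
```

Two details the string form hides: a package with a non-zero epoch (`1:42.0.2311.152-1`) sorts after the fixed version even though its pkgver is lower, and the Arch pkgrel (`-1`) is compared separately from the upstream version, so `43.0.2357.65-0` would still count as affected while `43.0.2357.65-2` would not.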
participants (1)
-
Levente Polyak