[arch-security] [ASA-201501-21] chromium: multiple issues

Levente Polyak anthraxx at archlinux.org
Sun Jan 25 15:22:36 UTC 2015


Arch Linux Security Advisory ASA-201501-21
==========================================

Severity: High
Date    : 2015-01-25
CVE-ID  : CVE-2014-7923 CVE-2014-7924 CVE-2014-7925 CVE-2014-7926
          CVE-2014-7927 CVE-2014-7928 CVE-2014-7930 CVE-2014-7931
          CVE-2014-7929 CVE-2014-7932 CVE-2014-7933 CVE-2014-7934
          CVE-2014-7935 CVE-2014-7936 CVE-2014-7937 CVE-2014-7938
          CVE-2014-7939 CVE-2014-7940 CVE-2014-7941 CVE-2014-7942
          CVE-2014-7943 CVE-2014-7944 CVE-2014-7945 CVE-2014-7946
          CVE-2014-7947 CVE-2014-7948 CVE-2015-1205
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 40.0.2214.91-1 is vulnerable to
multiple issues including bug not limited to denial of service,
same-origin bypass or possibly have unspecified other impact.

Resolution
==========

Upgrade to 40.0.2214.91-1.

# pacman -Syu "chromium>=40.0.2214.91-1"

The problems have been fixed upstream in version 40.0.2214.91.

Workaround
==========

None.

Description
===========

- CVE-2014-7923 (memory corruption)
The Regular Expressions package in International Components for Unicode
(ICU) 52, allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via vectors
related to a (1) zero-length quantifier or (2) look-behind expression.

- CVE-2014-7924 (use-after-free)
Use-after-free vulnerability in the IndexedDB implementation allows
remote attackers to cause a denial of service or possibly have
unspecified other impact by triggering duplicate BLOB references.

- CVE-2014-7925 (use-after-free)
Use-after-free vulnerability in the WebAudio implementation in Blink
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger an audio-rendering
thread in which AudioNode data is improperly maintained.

- CVE-2014-7926 (memory corruption)
The Regular Expressions package in International Components for Unicode
(ICU) 52 allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via vectors
related to a (1) zero-length quantifier or (2) look-behind expression, a
different vulnerability than CVE-2014-7923.

- CVE-2014-7927 (memory corruption)
The SimplifiedLowering::DoLoadBuffer function in
compiler/simplified-lowering.cc in Google V8 does not properly choose an
integer data type, which allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via crafted JavaScript code.

- CVE-2014-7928 (memory corruption)
hydrogen.cc in Google V8 does not properly handle arrays with holes,
which allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via crafted
JavaScript code that triggers an array copy.

- CVE-2014-7930 (use-after-free)
Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in
the DOM implementation in Blink allows remote attackers to cause a
denial of service or possibly have unspecified other impact via crafted
JavaScript code that triggers improper maintenance of TreeScope data.

- CVE-2014-7931 (memory corruption)
factory.cc in Google V8 allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via crafted JavaScript code that triggers improper maintenance of
backing-store pointers.

- CVE-2014-7929 (use-after-free)
Use-after-free vulnerability in the
HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp in the DOM implementation in Blink
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors involving movement of a SCRIPT
element across documents.

- CVE-2014-7932 (use-after-free)
Use-after-free vulnerability in the Element::detach function in
core/dom/Element.cpp in the DOM implementation in Blink allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors involving pending updates of detached elements.

- CVE-2014-7933 (use-after-free)
Use-after-free vulnerability in the matroska_read_seek function in
libavformat/matroskadec.c in FFmpeg before 2.5.1 allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via a crafted Matroska file that triggers improper maintenance of tracks
data.

- CVE-2014-7934 (use-after-free)
Use-after-free vulnerability in the DOM implementation in Blink allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to unexpected absence of
document data structures.

- CVE-2014-7935 (use-after-free)
Use-after-free vulnerability in browser/speech/tts_message_filter.cc in
the Speech implementation allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors involving
utterances from a closed tab.

- CVE-2014-7936 (use-after-free)
Use-after-free vulnerability in the ZoomBubbleView::Close function in
browser/ui/views/location_bar/zoom_bubble_view.cc in the Views
implementation allows remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted document that
triggers improper maintenance of a zoom bubble.

- CVE-2014-7937 (use-after-free)
Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before
2.4.2 allow remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via crafted
Vorbis I data.

- CVE-2014-7938 (memory corruption)
The Fonts implementation allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via unknown vectors.

- CVE-2014-7939 (same-origin bypass)
When the Harmony proxy in Google V8 is enabled, allows remote attackers
to bypass the Same Origin Policy via crafted JavaScript code with
Proxy.create and console.log calls, related to HTTP responses that lack
an "X-Content-Type-Options: nosniff" header.

- CVE-2014-7940 (uninitialized-value)
The collator implementation in i18n/ucol.cpp in International Components
for Unicode (ICU) 52 does not initialize memory for a data structure,
which allows remote attackers to cause a denial of service or possibly
have unspecified other impact via a crafted character sequence.

- CVE-2014-7941 (out-of-bounds read)
The SelectionOwner::ProcessTarget function in
ui/base/x/selection_owner.cc in the UI implementation uses an incorrect
data type for a certain length value, which allows remote attackers to
cause a denial of service (out-of-bounds read) via crafted X11 data.

- CVE-2014-7942 (uninitialized-value)
The Fonts implementation does not initialize memory for a data
structure, which allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors.

- CVE-2014-7943 (out-of-bounds read)
Skia allows remote attackers to cause a denial of service (out-of-bounds
read) via unspecified vectors.

- CVE-2014-7944 (out-of-bounds read)
The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in
PDFium does not properly handle odd values of image width, which allows
remote attackers to cause a denial of service (out-of-bounds read) via a
crafted PDF document.

- CVE-2014-7945 (out-of-bounds read)
OpenJPEG before r2908, as used in PDFium, allows remote attackers to
cause a denial of service (out-of-bounds read) via a crafted PDF
document, related to j2k.c, jp2.c, and t2.c.

- CVE-2014-7946 (out-of-bounds read)
The RenderTable::simplifiedNormalFlowLayout function in
core/rendering/RenderTable.cpp in Blink skips captions during table
layout in certain situations, which allows remote attackers to cause a
denial of service (out-of-bounds read) via unspecified vectors related
to the Fonts implementation.

- CVE-2014-7947 (out-of-bounds read)
OpenJPEG before r2944, as used in PDFium, allows remote attackers to
cause a denial of service (out-of-bounds read) via a crafted PDF
document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c.

- CVE-2014-7948 (caching error)
The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in
content/browser/appcache/appcache_update_job.cc proceeds with AppCache
caching for SSL sessions even if there is an X.509 certificate error,
which allows man-in-the-middle attackers to spoof HTML5 application
content via a crafted certificate.

- CVE-2015-1205 (denial of service)
Multiple unspecified vulnerabilities allow attackers to cause a
denial-of-service or possibly have other impact via unknown vectors.

Impact
======

A remote attacker is able to perform denial of service, bypass the
same-origin policy or possibly have unspecified other impact.

References
==========

http://googlechromereleases.blogspot.fr/2015/01/stable-update.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7923
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7924
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7925
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7926
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7927
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7928
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7930
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7931
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7929
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7932
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7933
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7934
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7935
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7936
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7937
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7938
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7939
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7940
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7941
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7942
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7943
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7944
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7945
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7946
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7947
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7948
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1205

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150125/038cedb7/attachment.asc>


More information about the arch-security mailing list