[arch-security] [ASA-201505-14] chromium: multiple issues

Levente Polyak anthraxx at archlinux.org
Thu May 21 18:01:08 UTC 2015


Arch Linux Security Advisory ASA-201505-14
==========================================

Severity: Critical
Date    : 2015-05-21
CVE-ID  : CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254
          CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258
          CVE-2015-1259 CVE-2015-1260 CVE-2015-1263 CVE-2015-1264
          CVE-2015-1265
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 43.0.2357.65-1 is vulnerable to
multiple issues including but not limited to arbitrary code execution,
sandbox protection bypass, same origin policy bypass, denial of service,
cross-site scripting and man-in-the-middle.

Resolution
==========

Upgrade to 43.0.2357.65-1.

# pacman -Syu "chromium>=43.0.2357.65-1"

The problems have been fixed upstream in version 43.0.2357.65.
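
The script below is an added example, not part of this advisory or of the
Arch chromium package: it reads the installed chromium version from
`pacman -Q` and compares it against the fixed version named above, so an
administrator can confirm a host is no longer affected. The version
comparison is a simplified stand-in that assumes the purely numeric
pkgver-pkgrel form used here (43.0.2357.65-1); Arch's own vercmp(8)
handles the general case.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether the installed chromium
# package is older than the version that fixes ASA-201505-14.
# Assumes the pkgver-pkgrel components are all numeric, as in 43.0.2357.65-1.

FIXED_VERSION="43.0.2357.65-1"

# version_lt A B: return 0 (true) if version A sorts before version B.
# Components are split on '.' and '-' and compared numerically, left to right.
version_lt() {
    a=$(printf '%s' "$1" | tr '.-' '\n')
    b=$(printf '%s' "$2" | tr '.-' '\n')
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | sed -n "${i}p")
        y=$(printf '%s\n' "$b" | sed -n "${i}p")
        # Both exhausted: the versions are equal, so A is not older.
        [ -z "$x" ] && [ -z "$y" ] && return 1
        # A ran out of components first: A is a prefix of B, hence older.
        [ -z "$x" ] && return 0
        # B ran out first: A has extra components (e.g. a pkgrel), hence newer.
        [ -z "$y" ] && return 1
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# needs_update "chromium 42.0.2311.135-1": take one line of `pacman -Q chromium`
# output and return 0 if that installed version is below FIXED_VERSION.
needs_update() {
    installed=${1#* }      # drop the package name, keep the version string
    version_lt "$installed" "$FIXED_VERSION"
}

# Stand-alone use: query pacman if it is available on this host.
if command -v pacman >/dev/null 2>&1 && line=$(pacman -Q chromium 2>/dev/null); then
    if needs_update "$line"; then
        echo "vulnerable: $line (fixed in chromium $FIXED_VERSION)"
    else
        echo "ok: $line"
    fi
else
    echo "pacman or chromium not present on this host; nothing to check"
fi
```

A non-zero pkgrel bump on the fixed pkgver (for example 43.0.2357.65-2)
still counts as fixed, which is why the comparison treats extra trailing
components as newer rather than ignoring them.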

Workaround
==========

None.

Description
===========

- CVE-2015-1251 (arbitrary code execution)

Use-after-free vulnerability in the SpeechRecognitionClient
implementation in the Speech subsystem allows remote attackers to
execute arbitrary code via a crafted document.

- CVE-2015-1252 (sandbox protection bypass)

It has been discovered that common/partial_circular_buffer.cc does not
properly handle wraps, which allows remote attackers to bypass a sandbox
protection mechanism or cause a denial of service (out-of-bounds write)
via vectors that trigger a write operation with a large amount of data,
related to the PartialCircularBuffer::Write and
PartialCircularBuffer::DoWrite functions.

- CVE-2015-1253 (same origin policy bypass)

It has been discovered that core/html/parser/HTMLConstructionSite.cpp in
the DOM implementation in Blink allows remote attackers to bypass the
Same Origin Policy via crafted JavaScript code that appends a child to a
SCRIPT element, related to the insert and executeReparentTask functions.

- CVE-2015-1254 (same origin policy bypass)

It has been discovered that core/dom/Document.cpp in Blink enables the
inheritance of the designMode attribute, which allows remote attackers
to bypass the Same Origin Policy by leveraging the availability of editing.

- CVE-2015-1255 (denial of service)

Use-after-free vulnerability in
content/renderer/media/webaudio_capturer_source.cc in the WebAudio
implementation allows remote attackers to cause a denial of service
(heap memory corruption) or possibly have unspecified other impact by
leveraging improper handling of a stop action for an audio track.

- CVE-2015-1256 (denial of service)

Use-after-free vulnerability in the SVG implementation in Blink allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted document that leverages improper
handling of a shadow tree for a use element.

- CVE-2015-1257 (denial of service)

It has been discovered that platform/graphics/filters/FEColorMatrix.cpp
in the SVG implementation in Blink does not properly handle an
insufficient number of values in an feColorMatrix filter, which allows
remote attackers to cause a denial of service (container overflow) or
possibly have unspecified other impact via a crafted document.

- CVE-2015-1258 (denial of service)

Google Chrome before 43.0.2357.65 relies on libvpx code that was not
built with an appropriate --size-limit value, which allows remote
attackers to trigger a negative value for a size field, and consequently
cause a denial of service or possibly have unspecified other impact, via
a crafted frame size in VP9 video data.

- CVE-2015-1259 (denial of service)

PDFium does not properly initialize memory, which allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.

- CVE-2015-1260 (denial of service)

Multiple use-after-free vulnerabilities in
content/renderer/media/user_media_client_impl.cc in the WebRTC
implementation allow remote attackers to cause a denial of service or
possibly have unspecified other impact via crafted JavaScript code that
executes upon completion of a getUserMedia request.

- CVE-2015-1263 (man-in-the-middle)

The Spellcheck API implementation does not use an HTTPS session for
downloading a Hunspell dictionary, which allows man-in-the-middle
attackers to deliver incorrect spelling suggestions or possibly have
unspecified other impact via a crafted file.

- CVE-2015-1264 (cross-site scripting)

Cross-site scripting (XSS) vulnerability allows user-assisted remote
attackers to inject arbitrary web script or HTML via crafted data that
is improperly handled by the Bookmarks feature.

- CVE-2015-1265 (denial of service)

Multiple unspecified vulnerabilities in Google Chrome before
43.0.2357.65 allow attackers to cause a denial of service or possibly
have other impact via unknown vectors.

Impact
======

A remote attacker is able to execute arbitrary code, bypass the sandbox
protection mechanism, bypass the same origin policy, perform cross-site
scripting, perform a denial of service attack or possibly have
unspecified other impact via various vectors.

References
==========

http://googlechromereleases.blogspot.fr/2015/05/stable-channel-update_19.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1251
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1252
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1253
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1254
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1255
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1256
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1257
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1258
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1259
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1260
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1263
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1264
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1265
