Advisories » MGASA-2015-0123

Updated chromium-browser-stable packages fix security vulnerabilities

Publication date: 01 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-1213, CVE-2015-1214, CVE-2015-1215, CVE-2015-1216, CVE-2015-1217, CVE-2015-1218, CVE-2015-1219, CVE-2015-1220, CVE-2015-1221, CVE-2015-1222, CVE-2015-1223, CVE-2015-1224, CVE-2015-1225, CVE-2015-1226, CVE-2015-1227, CVE-2015-1228, CVE-2015-1229, CVE-2015-1231, CVE-2015-1232

Description

Updated chromium-browser packages fix security vulnerabilities:

The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters
implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via vectors that trigger an out-of-bounds write operation
(CVE-2015-1213).

Integer overflow in the SkAutoSTArray implementation in
include/core/SkTemplates.h in the filters implementation in Skia, as used in
Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial
of service or possibly have unspecified other impact via vectors that trigger
a reset action with a large count value, leading to an out-of-bounds write
operation (CVE-2015-1214).

The filters implementation in Skia, as used in Google Chrome before
41.0.2272.76, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via vectors that trigger an
out-of-bounds write operation (CVE-2015-1215).

Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom
function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in
Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
vectors that trigger a frame detachment (CVE-2015-1216).

The V8LazyEventListener::prepareListenerObject function in
bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used
in Google Chrome before 41.0.2272.76, does not properly compile listeners,
which allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that leverage "type confusion"
(CVE-2015-1217).

Multiple use-after-free vulnerabilities in the DOM implementation in Blink,
as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause
a denial of service or possibly have unspecified other impact via vectors
that trigger movement of a SCRIPT element to different documents, related to
the HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp and the
SVGScriptElement::didMoveToNewDocument function in
core/svg/SVGScriptElement.cpp (CVE-2015-1218).

Integer overflow in the SkMallocPixelRef::NewAllocate function in
core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before
41.0.2272.76, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via vectors that trigger an attempted
allocation of a large amount of memory during WebGL rendering
(CVE-2015-1219).

Use-after-free vulnerability in the GIFImageReader::parseData function in
platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google
Chrome before 41.0.2272.76, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via a crafted frame size in
a GIF image (CVE-2015-1220).

Use-after-free vulnerability in Blink, as used in Google Chrome before
41.0.2272.76, allows remote attackers to cause a denial of service or
possibly have unspecified other impact by leveraging incorrect ordering of
operations in the Web SQL Database thread relative to Blink's main thread,
related to the shutdown function in web/WebKit.cpp (CVE-2015-1221).

Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap
implementation in
content/browser/service_worker/service_worker_script_cache_map.cc in Google
Chrome before 41.0.2272.76 allow remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors that trigger a
ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the
NotifyStartedCaching and NotifyFinishedCaching functions (CVE-2015-1222).

Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in
the DOM implementation in Blink, as used in Google Chrome before
41.0.2272.76, allow remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors that trigger extraneous change
events, as demonstrated by events for invalid input or input to read-only
fields, related to the initializeTypeInParsing and updateType functions
(CVE-2015-1223).

The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc
in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does
not ensure that alpha-plane dimensions are identical to image dimensions,
which allows remote attackers to cause a denial of service (out-of-bounds
read) via crafted VPx video data (CVE-2015-1224).

PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers
to cause a denial of service (out-of-bounds read) via unspecified vectors
(CVE-2015-1225).

The DebuggerFunction::InitAgentHost function in
browser/extensions/api/debugger/debugger_api.cc in Google Chrome before
41.0.2272.76 does not properly restrict what URLs are available as debugger
targets, which allows remote attackers to bypass intended access restrictions
via a crafted extension (CVE-2015-1226).

The DragImage::create function in platform/DragImage.cpp in Blink, as used in
Google Chrome before 41.0.2272.76, does not initialize memory for image
drawing, which allows remote attackers to have an unspecified impact by
triggering a failed image decoding, as demonstrated by an image for which the
default orientation cannot be used (CVE-2015-1227).

The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp
in Blink, as used in Google Chrome before 41.0.2272.76, does not force a
relayout operation and consequently does not initialize memory for a data
structure, which allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
Cascading Style Sheets (CSS) token sequence (CVE-2015-1228).

net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not
properly handle a 407 (aka Proxy Authentication Required) HTTP status code
accompanied by a Set-Cookie header, which allows remote proxy servers to
conduct cookie-injection attacks via a crafted response (CVE-2015-1229).

Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors (CVE-2015-1231).

Array index error in the MidiManagerUsb::DispatchSendMidiData function in
media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows
remote attackers to cause a denial of service or possibly have unspecified
other impact by leveraging renderer access to provide an invalid port index
that triggers an out-of-bounds write operation (CVE-2015-1232).