Advisories ยป MGASA-2015-0288

Updated chromium-browser package fixes security vulnerabilities

Publication date: 27 Jul 2015
Modification date: 27 Jul 2015
Type: security
Affected Mageia releases : 4 , 5
CVE: CVE-2015-1271 , CVE-2015-1272 , CVE-2015-1273 , CVE-2015-1274 , CVE-2015-1276 , CVE-2015-1277 , CVE-2015-1278 , CVE-2015-1279 , CVE-2015-1280 , CVE-2015-1281 , CVE-2015-1282 , CVE-2015-1284 , CVE-2015-1285 , CVE-2015-1286 , CVE-2015-1287 , CVE-2015-1288 , CVE-2015-1289

Description

Chromium-browser 44.0.2403.107 fixes several security issues:

PDFium, as used in Google Chrome before 44.0.2403.89, does not properly
handle certain out-of-memory conditions, which allows remote attackers to
cause a denial of service (heap-based buffer overflow) or possibly have
unspecified other impact via a crafted PDF document that triggers a large
memory allocation. (CVE-2015-1271)

Use-after-free vulnerability in the GPU process implementation in Google
Chrome before 44.0.2403.89 allows remote attackers to cause a denial of
service or possibly have unspecified other impact by leveraging the
continued availability of a GPUChannelHost data structure during Blink
shutdown, related to
content/browser/gpu/browser_gpu_channel_host_factory.cc and
content/renderer/render_thread_impl.cc. (CVE-2015-1272)

Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in
PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to
cause a denial of service or possibly have unspecified other impact via
invalid JPEG2000 data in a PDF document. (CVE-2015-1273)

Google Chrome before 44.0.2403.89 does not ensure that the auto-open list
omits all dangerous file types, which makes it easier for remote attackers
to execute arbitrary code by providing a crafted file and leveraging a
user's previous "Always open files of this type" choice, related to
download_commands.cc and download_prefs.cc. (CVE-2015-1274)

Use-after-free vulnerability in
content/browser/indexed_db/indexed_db_backing_store.cc in the IndexedDB
implementation in Google Chrome before 44.0.2403.89 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact by leveraging an abort action before a certain write operation.
(CVE-2015-1276)

Use-after-free vulnerability in the accessibility implementation in Google
Chrome before 44.0.2403.89 allows remote attackers to cause a denial of
service or possibly have unspecified other impact by leveraging lack of
certain validity checks for accessibility-tree data structures.
(CVE-2015-1277)

content/browser/web_contents/web_contents_impl.cc in Google Chrome before
44.0.2403.89 does not ensure that a PDF document's modal dialog is closed
upon navigation to an interstitial page, which allows remote attackers to
spoof URLs via a crafted document, as demonstrated by the alert_dialog.pdf
document. (CVE-2015-1278)

Integer overflow in the CJBig2_Image::expand function in
fxcodec/jbig2/JBig2_Image.cpp in PDFium, as used in Google Chrome before
44.0.2403.89, allows remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other impact via
large height and stride values. (CVE-2015-1279)

SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403.89,
allows remote attackers to cause a denial of service (memory corruption)
or possibly have unspecified other impact by leveraging access to a
renderer process and providing crafted serialized data. (CVE-2015-1280)

core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before
44.0.2403.89, does not properly determine the V8 context of a microtask,
which allows remote attackers to bypass Content Security Policy (CSP)
restrictions by providing an image from an unintended source.
(CVE-2015-1281)

Multiple use-after-free vulnerabilities in
fpdfsdk/src/javascript/Document.cpp in PDFium, as used in Google Chrome
before 44.0.2403.89, allow remote attackers to cause a denial of service
or possibly have unspecified other impact via a crafted PDF document,
related to the (1) Document::delay and (2) Document::DoFieldDelay
functions. (CVE-2015-1282)

The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in
Blink, as used in Google Chrome before 44.0.2403.89, does not properly
check for a page's maximum number of frames, which allows remote attackers
to cause a denial of service (invalid count value and use-after-free) or
possibly have unspecified other impact via crafted JavaScript code that
 makes many createElement calls for IFRAME elements. (CVE-2015-1284)

The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp
in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89,
does not properly choose a truncation point, which makes it easier for
remote attackers to obtain sensitive information via an unspecified
linear-time attack. (CVE-2015-1285)

Cross-site scripting (XSS) vulnerability in the
V8ContextNativeHandler::GetModuleSystem function in
extensions/renderer/v8_context_native_handler.cc in Google Chrome before
44.0.2403.89 allows remote attackers to inject arbitrary web script or
HTML by leveraging the lack of a certain V8 context restriction, aka a
Blink "Universal XSS (UXSS)." (CVE-2015-1286)

Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode
exception that limits the cases in which a Cascading Style Sheets (CSS)
document is required to have the text/css content type, which allows
remote attackers to bypass the Same Origin Policy via a crafted web site,
related to core/fetch/CSSStyleSheetResource.cpp. (CVE-2015-1287)

The Spellcheck API implementation in Google Chrome before 44.0.2403.89
does not use an HTTPS session for downloading a Hunspell dictionary, which
allows man-in-the-middle attackers to deliver incorrect spelling
suggestions or possibly have unspecified other impact via a crafted file,
a related issue to CVE-2015-1263. (CVE-2015-1288)

Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors. (CVE-2015-1289)
                

References

SRPMS

5/core

4/core