Advisories ยป MGASA-2015-0036

Updated chromium-browser-stable packages fix security vulnerabilities

Publication date: 24 Jan 2015
Modification date: 24 Jan 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-7924 , CVE-2014-7925 , CVE-2014-7927 , CVE-2014-7928 , CVE-2014-7929 , CVE-2014-7930 , CVE-2014-7931 , CVE-2014-7932 , CVE-2014-7934 , CVE-2014-7935 , CVE-2014-7936 , CVE-2014-7938 , CVE-2014-7939 , CVE-2014-7941 , CVE-2014-7942 , CVE-2014-7943 , CVE-2014-7946 , CVE-2014-7948 , CVE-2015-1205

Description

Updated chromium-browser packages fix security vulnerabilities:

Use-after-free vulnerability in the IndexedDB implementation in Google Chrome
before 40.0.2214.91 allows remote attackers to cause a denial of service or
possibly have unspecified other impact by triggering duplicate BLOB
references, related to content/browser/indexed_db/indexed_db_callbacks.cc and
content/browser/indexed_db/indexed_db_dispatcher_host.cc (CVE-2014-7924).

Use-after-free vulnerability in the WebAudio implementation in Blink, as used
in Google Chrome before 40.0.2214.91, allows remote attackers to cause a
denial of service or possibly have unspecified other impact via vectors that
trigger an audio-rendering thread in which AudioNode data is improperly
maintained (CVE-2014-7925).

The SimplifiedLowering::DoLoadBuffer function in
compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before
40.0.2214.91, does not properly choose an integer data type, which allows
remote attackers to cause a denial of service (memory corruption) or possibly
have unspecified other impact via crafted JavaScript code (CVE-2014-7927).

hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not
properly handle arrays with holes, which allows remote attackers to cause a
denial of service (memory corruption) or possibly have unspecified other
impact via crafted JavaScript code that triggers an array copy
(CVE-2014-7928).

Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the
DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91,
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via crafted JavaScript code that triggers improper
maintenance of TreeScope data (CVE-2014-7930).

factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows
remote attackers to cause a denial of service (memory corruption) or possibly
have unspecified other impact via crafted JavaScript code that triggers
improper maintenance of backing-store pointers (CVE-2014-7931).

Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument
function in core/html/HTMLScriptElement.cpp in the DOM implementation in
Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers
to cause a denial of service or possibly have unspecified other impact via
vectors involving movement of a SCRIPT element across documents
(CVE-2014-7929).

Use-after-free vulnerability in the Element::detach function in
core/dom/Element.cpp in the DOM implementation in Blink, as used in Google
Chrome before 40.0.2214.91, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors involving
pending updates of detached elements (CVE-2014-7932).

Use-after-free vulnerability in the DOM implementation in Blink, as used in
Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial
of service or possibly have unspecified other impact via vectors related to
unexpected absence of document data structures (CVE-2014-7934).

Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the
Speech implementation in Google Chrome before 40.0.2214.91 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors involving utterances from a closed tab (CVE-2014-7935).

Use-after-free vulnerability in the ZoomBubbleView::Close function in
browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation
in Google Chrome before 40.0.2214.91 allows remote attackers to cause a
denial of service or possibly have unspecified other impact via a crafted
document that triggers improper maintenance of a zoom bubble (CVE-2014-7936).

The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote
attackers to cause a denial of service (memory corruption) or possibly have
unspecified other impact via unknown vectors (CVE-2014-7938).

Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is
enabled, allows remote attackers to bypass the Same Origin Policy via crafted
JavaScript code with Proxy.create and console.log calls, related to HTTP
responses that lack an "X-Content-Type-Options: nosniff" header
(CVE-2014-7939).

The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in
the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect
data type for a certain length value, which allows remote attackers to cause
a denial of service (out-of-bounds read) via crafted X11 data
(CVE-2014-7941).

The Fonts implementation in Google Chrome before 40.0.2214.91 does not
initialize memory for a data structure, which allows remote attackers to
cause a denial of service or possibly have unspecified other impact via
unknown vectors (CVE-2014-7942).

Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers
to cause a denial of service (out-of-bounds read) via unspecified vectors
(CVE-2014-7943).

The RenderTable::simplifiedNormalFlowLayout function in
core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before
40.0.2214.91, skips captions during table layout in certain situations, which
allows remote attackers to cause a denial of service (out-of-bounds read) via
unspecified vectors related to the Fonts implementation (CVE-2014-7946).

The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in
content/browser/appcache/appcache_update_job.cc in Google Chrome before
40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is
an X.509 certificate error, which allows man-in-the-middle attackers to spoof
HTML5 application content via a crafted certificate (CVE-2014-7948).

Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors (CVE-2015-1205).
                

References

SRPMS

4/core