ArchLinux: 201501-21: chromium: multiple issues
Summary
- CVE-2014-7923 (memory corruption)
The Regular Expressions package in International Components for Unicode
(ICU) 52 allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via vectors
related to a (1) zero-length quantifier or (2) look-behind expression.
- CVE-2014-7924 (use-after-free)
Use-after-free vulnerability in the IndexedDB implementation allows
remote attackers to cause a denial of service or possibly have
unspecified other impact by triggering duplicate BLOB references.
- CVE-2014-7925 (use-after-free)
Use-after-free vulnerability in the WebAudio implementation in Blink
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger an audio-rendering
thread in which AudioNode data is improperly maintained.
- CVE-2014-7926 (memory corruption)
The Regular Expressions package in International Components for Unicode
(ICU) 52 allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via vectors
related to a (1) zero-length quantifier or (2) look-behind expression, a
different vulnerability than CVE-2014-7923.
- CVE-2014-7927 (memory corruption)
The SimplifiedLowering::DoLoadBuffer function in
compiler/simplified-lowering.cc in Google V8 does not properly choose an
integer data type, which allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via crafted JavaScript code.
- CVE-2014-7928 (memory corruption)
hydrogen.cc in Google V8 does not properly handle arrays with holes,
which allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via crafted
JavaScript code that triggers an array copy.
- CVE-2014-7930 (use-after-free)
Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in
the DOM implementation in Blink allows remote attackers to cause a
denial of service or possibly have unspecified other impact via crafted
JavaScript code that triggers improper maintenance of TreeScope data.
- CVE-2014-7931 (memory corruption)
factory.cc in Google V8 allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via crafted JavaScript code that triggers improper maintenance of
backing-store pointers.
- CVE-2014-7929 (use-after-free)
Use-after-free vulnerability in the
HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp in the DOM implementation in Blink
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors involving movement of a SCRIPT
element across documents.
- CVE-2014-7932 (use-after-free)
Use-after-free vulnerability in the Element::detach function in
core/dom/Element.cpp in the DOM implementation in Blink allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors involving pending updates of detached elements.
- CVE-2014-7933 (use-after-free)
Use-after-free vulnerability in the matroska_read_seek function in
libavformat/matroskadec.c in FFmpeg before 2.5.1 allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via a crafted Matroska file that triggers improper maintenance of tracks
data.
- CVE-2014-7934 (use-after-free)
Use-after-free vulnerability in the DOM implementation in Blink allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to unexpected absence of
document data structures.
- CVE-2014-7935 (use-after-free)
Use-after-free vulnerability in browser/speech/tts_message_filter.cc in
the Speech implementation allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors involving
utterances from a closed tab.
- CVE-2014-7936 (use-after-free)
Use-after-free vulnerability in the ZoomBubbleView::Close function in
browser/ui/views/location_bar/zoom_bubble_view.cc in the Views
implementation allows remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted document that
triggers improper maintenance of a zoom bubble.
- CVE-2014-7937 (use-after-free)
Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before
2.4.2 allow remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via crafted
Vorbis I data.
- CVE-2014-7938 (memory corruption)
The Fonts implementation allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via unknown vectors.
- CVE-2014-7939 (same-origin bypass)
When the Harmony proxy in Google V8 is enabled, Chromium allows remote
attackers to bypass the Same Origin Policy via crafted JavaScript code
with Proxy.create and console.log calls, related to HTTP responses that
lack an "X-Content-Type-Options: nosniff" header.
- CVE-2014-7940 (uninitialized-value)
The collator implementation in i18n/ucol.cpp in International Components
for Unicode (ICU) 52 does not initialize memory for a data structure,
which allows remote attackers to cause a denial of service or possibly
have unspecified other impact via a crafted character sequence.
- CVE-2014-7941 (out-of-bounds read)
The SelectionOwner::ProcessTarget function in
ui/base/x/selection_owner.cc in the UI implementation uses an incorrect
data type for a certain length value, which allows remote attackers to
cause a denial of service (out-of-bounds read) via crafted X11 data.
- CVE-2014-7942 (uninitialized-value)
The Fonts implementation does not initialize memory for a data
structure, which allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors.
- CVE-2014-7943 (out-of-bounds read)
Skia allows remote attackers to cause a denial of service (out-of-bounds
read) via unspecified vectors.
- CVE-2014-7944 (out-of-bounds read)
The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in
PDFium does not properly handle odd values of image width, which allows
remote attackers to cause a denial of service (out-of-bounds read) via a
crafted PDF document.
- CVE-2014-7945 (out-of-bounds read)
OpenJPEG before r2908, as used in PDFium, allows remote attackers to
cause a denial of service (out-of-bounds read) via a crafted PDF
document, related to j2k.c, jp2.c, and t2.c.
- CVE-2014-7946 (out-of-bounds read)
The RenderTable::simplifiedNormalFlowLayout function in
core/rendering/RenderTable.cpp in Blink skips captions during table
layout in certain situations, which allows remote attackers to cause a
denial of service (out-of-bounds read) via unspecified vectors related
to the Fonts implementation.
- CVE-2014-7947 (out-of-bounds read)
OpenJPEG before r2944, as used in PDFium, allows remote attackers to
cause a denial of service (out-of-bounds read) via a crafted PDF
document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c.
- CVE-2014-7948 (caching error)
The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in
content/browser/appcache/appcache_update_job.cc proceeds with AppCache
caching for SSL sessions even if there is an X.509 certificate error,
which allows man-in-the-middle attackers to spoof HTML5 application
content via a crafted certificate.
- CVE-2015-1205 (denial of service)
Multiple unspecified vulnerabilities allow attackers to cause a denial
of service or possibly have other impact via unknown vectors.
Resolution
Upgrade to 40.0.2214.91-1.
# pacman -Syu "chromium>=40.0.2214.91-1"
The problems have been fixed upstream in version 40.0.2214.91.
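To confirm that an installed package already carries the fix, here is an added example that is not part of the Arch advisory: a POSIX shell check comparing an installed chromium version string against the fixed release 40.0.2214.91-1. It assumes pacman-style [epoch:]pkgver-pkgrel versions with purely numeric components, which is all chromium uses; on an Arch system pacman's own vercmp tool performs the full comparison, including alphabetic components.

```shell
#!/bin/sh
# Added example, not part of the Arch advisory: is the installed chromium
# at or above the fixed release named in the advisory?
FIXED_VERSION="40.0.2214.91-1"

# vercmp_simple A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Covers pacman-style [epoch:]pkgver-pkgrel versions whose components are
# all numeric (assumption; pacman's vercmp handles the general case).
vercmp_simple() {
    a="$1"; b="$2"
    # Epoch is the part before ':' if present, else 0; a higher epoch wins.
    case "$a" in *:*) ae="${a%%:*}"; a="${a#*:}";; *) ae=0;; esac
    case "$b" in *:*) be="${b%%:*}"; b="${b#*:}";; *) be=0;; esac
    if [ "$ae" -lt "$be" ]; then printf '%s\n' -1; return; fi
    if [ "$ae" -gt "$be" ]; then printf '%s\n' 1; return; fi
    # pkgrel is the part after the last '-' if present, else 0.
    case "$a" in *-*) ar="${a##*-}"; a="${a%-*}";; *) ar=0;; esac
    case "$b" in *-*) br="${b##*-}"; b="${b%-*}";; *) br=0;; esac
    # Compare pkgver dot-separated components numerically, left to right;
    # a missing trailing component counts as 0.
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    # Equal pkgver: pkgrel decides.
    if [ "$ar" -lt "$br" ]; then printf '%s\n' -1
    elif [ "$ar" -gt "$br" ]; then printf '%s\n' 1
    else printf '%s\n' 0; fi
}

# chromium_is_fixed VERSION: exit 0 when VERSION >= FIXED_VERSION.
chromium_is_fixed() {
    [ "$(vercmp_simple "$1" "$FIXED_VERSION")" -ge 0 ]
}

# On an Arch system, read the installed version from pacman and report.
if command -v pacman >/dev/null 2>&1; then
    installed="$(pacman -Q chromium 2>/dev/null || true)"
    installed="${installed#chromium }"
    if [ -z "$installed" ]; then
        echo "chromium is not installed"
    elif chromium_is_fixed "$installed"; then
        echo "chromium $installed is at or above $FIXED_VERSION: fixed"
    else
        echo "chromium $installed is below $FIXED_VERSION: upgrade needed"
    fi
fi
```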
References
https://chromereleases.googleblog.com/2015/01/stable-update.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7923
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7924
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7925
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7926
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7927
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7928
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7930
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7931
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7929
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7932
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7933
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7934
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7935
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7936
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7937
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7938
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7939
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7940
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7941
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7942
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7943
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7944
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7945
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7946
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7947
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7948
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1205
Workaround
None.