Arch Linux Security Advisory ASA-201501-21
=========================================
Severity: High
Date    : 2015-01-25
CVE-ID  : CVE-2014-7923 CVE-2014-7924 CVE-2014-7925 CVE-2014-7926
          CVE-2014-7927 CVE-2014-7928 CVE-2014-7930 CVE-2014-7931
          CVE-2014-7929 CVE-2014-7932 CVE-2014-7933 CVE-2014-7934
          CVE-2014-7935 CVE-2014-7936 CVE-2014-7937 CVE-2014-7938
          CVE-2014-7939 CVE-2014-7940 CVE-2014-7941 CVE-2014-7942
          CVE-2014-7943 CVE-2014-7944 CVE-2014-7945 CVE-2014-7946
          CVE-2014-7947 CVE-2014-7948 CVE-2015-1205
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package chromium before version 40.0.2214.91-1 is vulnerable to
multiple issues including, but not limited to, denial of service and
same-origin bypass, and possibly unspecified other impact.

Resolution
=========
Upgrade to 40.0.2214.91-1.

# pacman -Syu "chromium>=40.0.2214.91-1"

The problems have been fixed upstream in version 40.0.2214.91.
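The resolution above is a single pacman command on one host; on a fleet the practical step is to flag every host whose recorded chromium version is still older than the fixed package. The following is an added example, not part of ASA-201501-21 or of pacman, and it assumes a simplified Arch-style comparison of `pkgver-pkgrel` strings (purely numeric dot-separated pkgver components and a numeric pkgrel, which covers the chromium versions in this advisory; pacman's real vercmp(8) also handles alphanumeric segments and epochs). The inventory it scans is constructed for illustration.

```python
"""Flag hosts whose chromium version predates the fixed 40.0.2214.91-1.

Added example, not part of the advisory or of pacman.  Assumes a simplified
version comparison: numeric dot-separated pkgver and a numeric pkgrel.
"""
from __future__ import annotations

FIXED_VERSION = "40.0.2214.91-1"   # from the advisory's Resolution section


def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Split 'pkgver-pkgrel' into (numeric pkgver tuple, pkgrel)."""
    pkgver, sep, pkgrel = version.rpartition("-")
    if not sep:  # no pkgrel given: treat it as release 0
        pkgver, pkgrel = version, "0"
    return tuple(int(part) for part in pkgver.split(".")), int(pkgrel)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    va, ra = parse_version(a)
    vb, rb = parse_version(b)
    # Pad the shorter pkgver with zeros so 40.0 compares equal to 40.0.0
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    if (va, ra) < (vb, rb):
        return -1
    if (va, ra) > (vb, rb):
        return 1
    return 0


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return compare_versions(installed, fixed) < 0


def vulnerable_hosts(inventory: dict[str, str], fixed: str = FIXED_VERSION) -> list[str]:
    """Hosts in a {hostname: installed-version} map that still need the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver, fixed))


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "build-01": "39.0.2171.99-1",
    "build-02": "40.0.2214.91-1",
    "dev-laptop": "40.0.2214.91-2",
    "kiosk": "40.0.2214.85-1",
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: chromium {SAMPLE_INVENTORY[host]} is older than "
              f"{FIXED_VERSION}, upgrade needed")
```

On a real Arch host the installed version string would come from `pacman -Q chromium`; the comparator treats a higher pkgrel of the same pkgver (40.0.2214.91-2) as fixed, matching the `>=` constraint in the pacman command above.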

Workaround
=========
None.

Description
==========
- CVE-2014-7923 (memory corruption)
The Regular Expressions package in International Components for Unicode
(ICU) 52 allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via vectors
related to a (1) zero-length quantifier or (2) look-behind expression.

- CVE-2014-7924 (use-after-free)
Use-after-free vulnerability in the IndexedDB implementation allows
remote attackers to cause a denial of service or possibly have
unspecified other impact by triggering duplicate BLOB references.

- CVE-2014-7925 (use-after-free)
Use-after-free vulnerability in the WebAudio implementation in Blink
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger an audio-rendering
thread in which AudioNode data is improperly maintained.

- CVE-2014-7926 (memory corruption)
The Regular Expressions package in International Components for Unicode
(ICU) 52 allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via vectors
related to a (1) zero-length quantifier or (2) look-behind expression, a
different vulnerability than CVE-2014-7923.

- CVE-2014-7927 (memory corruption)
The SimplifiedLowering::DoLoadBuffer function in
compiler/simplified-lowering.cc in Google V8 does not properly choose an
integer data type, which allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via crafted JavaScript code.

- CVE-2014-7928 (memory corruption)
hydrogen.cc in Google V8 does not properly handle arrays with holes,
which allows remote attackers to cause a denial of service (memory
corruption) or possibly have unspecified other impact via crafted
JavaScript code that triggers an array copy.

- CVE-2014-7930 (use-after-free)
Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in
the DOM implementation in Blink allows remote attackers to cause a
denial of service or possibly have unspecified other impact via crafted
JavaScript code that triggers improper maintenance of TreeScope data.

- CVE-2014-7931 (memory corruption)
factory.cc in Google V8 allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via crafted JavaScript code that triggers improper maintenance of
backing-store pointers.

- CVE-2014-7929 (use-after-free)
Use-after-free vulnerability in the
HTMLScriptElement::didMoveToNewDocument function in
core/html/HTMLScriptElement.cpp in the DOM implementation in Blink
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors involving movement of a SCRIPT
element across documents.

- CVE-2014-7932 (use-after-free)
Use-after-free vulnerability in the Element::detach function in
core/dom/Element.cpp in the DOM implementation in Blink allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors involving pending updates of detached elements.

- CVE-2014-7933 (use-after-free)
Use-after-free vulnerability in the matroska_read_seek function in
libavformat/matroskadec.c in FFmpeg before 2.5.1 allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via a crafted Matroska file that triggers improper maintenance of tracks
data.

- CVE-2014-7934 (use-after-free)
Use-after-free vulnerability in the DOM implementation in Blink allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to unexpected absence of
document data structures.

- CVE-2014-7935 (use-after-free)
Use-after-free vulnerability in browser/speech/tts_message_filter.cc in
the Speech implementation allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors involving
utterances from a closed tab.

- CVE-2014-7936 (use-after-free)
Use-after-free vulnerability in the ZoomBubbleView::Close function in
browser/ui/views/location_bar/zoom_bubble_view.cc in the Views
implementation allows remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted document that
triggers improper maintenance of a zoom bubble.

- CVE-2014-7937 (use-after-free)
Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before
2.4.2 allow remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via crafted
Vorbis I data.

- CVE-2014-7938 (memory corruption)
The Fonts implementation allows remote attackers to cause a denial of
service (memory corruption) or possibly have unspecified other impact
via unknown vectors.

- CVE-2014-7939 (same-origin bypass)
Google V8, when the Harmony proxy is enabled, allows remote attackers
to bypass the Same Origin Policy via crafted JavaScript code with
Proxy.create and console.log calls, related to HTTP responses that lack
an "X-Content-Type-Options: nosniff" header.
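The browser-side fix for this issue is the upgrade; the server-side habit the description points at is to send `X-Content-Type-Options: nosniff` on every response so the browser never content-sniffs. The following is an added example, not part of the advisory, that audits raw HTTP response heads for that header: it parses the header block (names compared case-insensitively, repeated headers kept) and reports responses where the header is absent or carries a value other than `nosniff`. The sample responses are constructed for illustration.

```python
"""Audit HTTP response heads for the X-Content-Type-Options: nosniff header.

Added example, not part of the advisory.  Input is the raw text of a response
(status line, headers, optional body); the sample responses below are constructed.
"""
from __future__ import annotations


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into a {lower-cased name: [values]} map.

    Header names are case-insensitive, so they are lower-cased; a repeated
    header keeps every value.  The status line is skipped and anything after
    the blank line (the body) is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\n")[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # blank or malformed line, not a header
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_nosniff(headers: dict[str, list[str]]) -> bool:
    """True only if X-Content-Type-Options is present with the value 'nosniff'.

    The value is compared case-insensitively; any other value, or a missing
    header, leaves the browser free to sniff the content type.
    """
    return any(v.lower() == "nosniff"
               for v in headers.get("x-content-type-options", []))


def audit(responses: dict[str, str]) -> dict[str, str]:
    """Return {label: finding} for each response in a {label: raw response} map."""
    findings: dict[str, str] = {}
    for label, raw in responses.items():
        headers = parse_headers(raw)
        if has_nosniff(headers):
            findings[label] = "ok"
        elif "x-content-type-options" in headers:
            findings[label] = "header present but value is not 'nosniff'"
        else:
            findings[label] = "missing X-Content-Type-Options: nosniff"
    return findings


# Constructed sample responses; labels and bodies are made up for illustration.
SAMPLE_RESPONSES = {
    "static-js": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/javascript\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
        "console.log('hello');"
    ),
    "legacy-api": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "{\"user\": \"alice\"}"
    ),
    "typo": (
        "HTTP/1.1 200 OK\r\n"
        "content-type: text/html\r\n"
        "x-content-type-options: no-sniff\r\n"
        "\r\n"
    ),
}

if __name__ == "__main__":
    for label, finding in audit(SAMPLE_RESPONSES).items():
        print(f"{label}: {finding}")
```

The "typo" case is the one worth keeping in such a check: a header that is present but misspelled passes a naive `in headers` test while giving none of the protection.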

- CVE-2014-7940 (uninitialized-value)
The collator implementation in i18n/ucol.cpp in International Components
for Unicode (ICU) 52 does not initialize memory for a data structure,
which allows remote attackers to cause a denial of service or possibly
have unspecified other impact via a crafted character sequence.

- CVE-2014-7941 (out-of-bounds read)
The SelectionOwner::ProcessTarget function in
ui/base/x/selection_owner.cc in the UI implementation uses an incorrect
data type for a certain length value, which allows remote attackers to
cause a denial of service (out-of-bounds read) via crafted X11 data.

- CVE-2014-7942 (uninitialized-value)
The Fonts implementation does not initialize memory for a data
structure, which allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors.

- CVE-2014-7943 (out-of-bounds read)
Skia allows remote attackers to cause a denial of service (out-of-bounds
read) via unspecified vectors.

- CVE-2014-7944 (out-of-bounds read)
The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in
PDFium does not properly handle odd values of image width, which allows
remote attackers to cause a denial of service (out-of-bounds read) via a
crafted PDF document.

- CVE-2014-7945 (out-of-bounds read)
OpenJPEG before r2908, as used in PDFium, allows remote attackers to
cause a denial of service (out-of-bounds read) via a crafted PDF
document, related to j2k.c, jp2.c, and t2.c.

- CVE-2014-7946 (out-of-bounds read)
The RenderTable::simplifiedNormalFlowLayout function in
core/rendering/RenderTable.cpp in Blink skips captions during table
layout in certain situations, which allows remote attackers to cause a
denial of service (out-of-bounds read) via unspecified vectors related
to the Fonts implementation.

- CVE-2014-7947 (out-of-bounds read)
OpenJPEG before r2944, as used in PDFium, allows remote attackers to
cause a denial of service (out-of-bounds read) via a crafted PDF
document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c.

- CVE-2014-7948 (caching error)
The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in
content/browser/appcache/appcache_update_job.cc proceeds with AppCache
caching for SSL sessions even if there is an X.509 certificate error,
which allows man-in-the-middle attackers to spoof HTML5 application
content via a crafted certificate.

- CVE-2015-1205 (denial of service)
Multiple unspecified vulnerabilities allow attackers to cause a denial
of service or possibly have other impact via unknown vectors.

Impact
=====
A remote attacker is able to perform denial of service, bypass the
same-origin policy or possibly have unspecified other impact.

References
=========
https://chromereleases.googleblog.com/2015/01/stable-update.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7923
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7924
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7925
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7926
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7927
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7928
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7930
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7931
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7929
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7932
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7933
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7934
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7935
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7936
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7937
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7938
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7939
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7940
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7941
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7942
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7943
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7944
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7945
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7946
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7947
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7948
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1205
