- -------------------------------------------------------------------------
Debian Security Advisory DSA-3238-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
April 26, 2015                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2015-1235 CVE-2015-1236 CVE-2015-1237 CVE-2015-1238
                 CVE-2015-1240 CVE-2015-1241 CVE-2015-1242 CVE-2015-1244
                 CVE-2015-1245 CVE-2015-1246 CVE-2015-1247 CVE-2015-1248
                 CVE-2015-1249 CVE-2015-3333 CVE-2015-3334 CVE-2015-3336

Several vulnerabilities were discovered in the chromium web browser.

CVE-2015-1235

    A Same Origin Policy bypass issue was discovered in the HTML parser.

CVE-2015-1236

    Amitay Dobo discovered a Same Origin Policy bypass in the Web Audio API.

CVE-2015-1237

    Khalil Zhani discovered a use-after-free issue in IPC.

CVE-2015-1238

    cloudfuzzer discovered an out-of-bounds write in the skia library.

CVE-2015-1240

    w3bd3vil discovered an out-of-bounds read in the WebGL implementation.

CVE-2015-1241

    Phillip Moon and Matt Weston discovered a way to trigger local user
    interface actions remotely via a crafted website.

CVE-2015-1242

    A type confusion issue was discovered in the v8 javascript library.

CVE-2015-1244

    Mike Ruddy discovered a way to bypass the HTTP Strict Transport Security
    policy.

CVE-2015-1245

    Khalil Zhani discovered a use-after-free issue in the pdfium library.

CVE-2015-1246

    Atte Kettunen discovered an out-of-bounds read issue in webkit/blink.

CVE-2015-1247

    Jann Horn discovered that "file:" URLs in OpenSearch documents were not
    sanitized, which could allow local files to be read remotely when using
    the OpenSearch feature from a crafted website.

CVE-2015-1248

    Vittorio Gambaletta discovered a way to bypass the SafeBrowsing feature,
    which could allow the remote execution of a downloaded executable file.

CVE-2015-1249

    The chrome 41 development team found various issues from internal
    fuzzing, audits, and other studies.

CVE-2015-3333

    Multiple issues were discovered and fixed in v8 4.2.7.14.

CVE-2015-3334

    It was discovered that remote websites could capture video data from
    attached web cameras without permission.

CVE-2015-3336

    It was discovered that remote websites could cause user interface
    disruptions like window fullscreening and mouse pointer locking.

For the stable distribution (jessie), these problems have been fixed in
version 42.0.2311.90-1~deb8u1.

For the testing (stretch) and unstable (sid) distributions, these problems
have been fixed in version 42.0.2311.90-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Debian: DSA-3238-1: chromium-browser security update

April 27, 2015
Several vulnerabilities were discovered in the chromium web browser

Summary

CVE-2015-1235

A Same Origin Policy bypass issue was discovered in the HTML parser.

CVE-2015-1236

Amitay Dobo discovered a Same Origin Policy bypass in the Web Audio API.

CVE-2015-1237

Khalil Zhani discovered a use-after-free issue in IPC.

CVE-2015-1238

cloudfuzzer discovered an out-of-bounds write in the skia library.

CVE-2015-1240

w3bd3vil discovered an out-of-bounds read in the WebGL implementation.

CVE-2015-1241

Phillip Moon and Matt Weston discovered a way to trigger local user
interface actions remotely via a crafted website.

CVE-2015-1242

A type confusion issue was discovered in the v8 javascript library.

CVE-2015-1244

Mike Ruddy discovered a way to bypass the HTTP Strict Transport Security
policy.

CVE-2015-1245

Khalil Zhani discovered a use-after-free issue in the pdfium library.

CVE-2015-1246

Atte Kettunen discovered an out-of-bounds read issue in webkit/blink.

CVE-2015-1247

Jann Horn discovered that "file:" URLs in OpenSearch documents were not
sanitized, which could allow local files to be read remotely when using
the OpenSearch feature from a crafted website.

CVE-2015-1248

Vittorio Gambaletta discovered a way to bypass the SafeBrowsing feature,
which could allow the remote execution of a downloaded executable file.

CVE-2015-1249

The chrome 41 development team found various issues from internal
fuzzing, audits, and other studies.

CVE-2015-3333

Multiple issues were discovered and fixed in v8 4.2.7.14.

CVE-2015-3334

It was discovered that remote websites could capture video data from
attached web cameras without permission.

CVE-2015-3336

It was discovered that remote websites could cause user interface
disruptions like window fullscreening and mouse pointer locking.

For the stable distribution (jessie), these problems have been fixed in
version 42.0.2311.90-1~deb8u1.

For the testing (stretch) and unstable (sid) distributions, these problems
have been fixed in version 42.0.2311.90-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Severity
Several vulnerabilities were discovered in the chromium web browser.

Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved