- -------------------------------------------------------------------------
Debian Security Advisory DSA-3267-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
May 22, 2015                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254
                 CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258
                 CVE-2015-1259 CVE-2015-1260 CVE-2015-1261 CVE-2015-1262
                 CVE-2015-1263 CVE-2015-1264 CVE-2015-1265

Several vulnerabilities were discovered in the chromium web browser.

CVE-2015-1251

    SkyLined discovered a use-after-free issue in speech recognition.

CVE-2015-1252

    An out-of-bounds write issue was discovered that could be used to
    escape from the sandbox.

CVE-2015-1253

    A cross-origin bypass issue was discovered in the DOM parser.

CVE-2015-1254

    A cross-origin bypass issue was discovered in the DOM editing feature.

CVE-2015-1255

    Khalil Zhani discovered a use-after-free issue in WebAudio.

CVE-2015-1256

    Atte Kettunen discovered a use-after-free issue in the SVG
    implementation.

CVE-2015-1257

    miaubiz discovered an overflow issue in the SVG implementation.

CVE-2015-1258

    cloudfuzzer discovered an invalid size parameter used in the
    libvpx library.

CVE-2015-1259

    Atte Kettunen discovered an uninitialized memory issue in the
    pdfium library.

CVE-2015-1260

    Khalil Zhani discovered multiple use-after-free issues in chromium's
    interface to the WebRTC library.

CVE-2015-1261

    Juho Nurminen discovered a URL bar spoofing issue.

CVE-2015-1262

    miaubiz discovered the use of an uninitialized class member in
    font handling.

CVE-2015-1263

    Mike Ruddy discovered that downloading the spellcheck dictionary
    was not done over HTTPS.

CVE-2015-1264

    K0r3Ph1L discovered a cross-site scripting issue that could be
    triggered by bookmarking a site.

CVE-2015-1265

    The chrome 43 development team found and fixed various issues
    during internal auditing.  Also multiple issues were fixed in
    the libv8 library, version 4.3.61.21.

For the stable distribution (jessie), these problems have been fixed in
version 43.0.2357.65-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 43.0.2357.65-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Debian: DSA-3267-1: chromium-browser security update

May 22, 2015
Several vulnerabilities were discovered in the chromium web browser

Summary

CVE-2015-1251

SkyLined discovered a use-after-free issue in speech recognition.

CVE-2015-1252

An out-of-bounds write issue was discovered that could be used to
escape from the sandbox.

CVE-2015-1253

A cross-origin bypass issue was discovered in the DOM parser.

CVE-2015-1254

A cross-origin bypass issue was discovered in the DOM editing feature.

CVE-2015-1255

Khalil Zhani discovered a use-after-free issue in WebAudio.

CVE-2015-1256

Atte Kettunen discovered a use-after-free issue in the SVG
implementation.

CVE-2015-1257

miaubiz discovered an overflow issue in the SVG implementation.

CVE-2015-1258

cloudfuzzer discovered an invalid size parameter used in the
libvpx library.

CVE-2015-1259

Atte Kettunen discovered an uninitialized memory issue in the
pdfium library.

CVE-2015-1260

Khalil Zhani discovered multiple use-after-free issues in chromium's
interface to the WebRTC library.

CVE-2015-1261

Juho Nurminen discovered a URL bar spoofing issue.

CVE-2015-1262

miaubiz discovered the use of an uninitialized class member in
font handling.

CVE-2015-1263

Mike Ruddy discovered that downloading the spellcheck dictionary
was not done over HTTPS.

CVE-2015-1264

K0r3Ph1L discovered a cross-site scripting issue that could be
triggered by bookmarking a site.

CVE-2015-1265

The chrome 43 development team found and fixed various issues
during internal auditing. Also multiple issues were fixed in
the libv8 library, version 4.3.61.21.

For the stable distribution (jessie), these problems have been fixed in
version 43.0.2357.65-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 43.0.2357.65-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Severity
Several vulnerabilities were discovered in the chromium web browser.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved