Discover Government News

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Chromium, V8: Multiple vulnerabilities
     Date: November 01, 2011
     Bugs: #351525, #353626, #354121, #356933, #357963, #358581,
           #360399, #363629, #365125, #366335, #367013, #368649,
           #370481, #373451, #373469, #377475, #377629, #380311,
           #380897, #381713, #383251, #385649, #388461
       ID: 201111-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been reported in Chromium and V8, some of
which may allow execution of arbitrary code and local root privilege
escalation.

Background
=========
Chromium is an open-source web browser project. V8 is Google's open
source JavaScript engine.

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium       < 15.0.874.102         >= 15.0.874.102 
  2  dev-lang/v8                < 3.5.10.22              >= 3.5.10.22 
    -------------------------------------------------------------------
     2 affected packages
    -------------------------------------------------------------------

Description
==========
Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
=====
A local attacker could gain root privileges (CVE-2011-1444, fixed in
chromium-11.0.696.57).

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or a Denial of Service condition. The attacker also could
obtain cookies and other sensitive information, conduct
man-in-the-middle attacks, perform address bar spoofing, bypass the
same origin policy, perform Cross-Site Scripting attacks, or bypass
pop-up blocks.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-15.0.874.102"

All V8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.5.10.22"

References
=========
[  1 ] CVE-2011-2345
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2345
[  2 ] CVE-2011-2346
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2346
[  3 ] CVE-2011-2347
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2347
[  4 ] CVE-2011-2348
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2348
[  5 ] CVE-2011-2349
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2349
[  6 ] CVE-2011-2350
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2350
[  7 ] CVE-2011-2351
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2351
[  8 ] CVE-2011-2834
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834
[  9 ] CVE-2011-2835
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2835
[ 10 ] CVE-2011-2837
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2837
[ 11 ] CVE-2011-2838
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2838
[ 12 ] CVE-2011-2839
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2839
[ 13 ] CVE-2011-2840
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2840
[ 14 ] CVE-2011-2841
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2841
[ 15 ] CVE-2011-2843
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2843
[ 16 ] CVE-2011-2844
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2844
[ 17 ] CVE-2011-2845
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2845
[ 18 ] CVE-2011-2846
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2846
[ 19 ] CVE-2011-2847
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2847
[ 20 ] CVE-2011-2848
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2848
[ 21 ] CVE-2011-2849
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2849
[ 22 ] CVE-2011-2850
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2850
[ 23 ] CVE-2011-2851
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2851
[ 24 ] CVE-2011-2852
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2852
[ 25 ] CVE-2011-2853
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2853
[ 26 ] CVE-2011-2854
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2854
[ 27 ] CVE-2011-2855
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2855
[ 28 ] CVE-2011-2856
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2856
[ 29 ] CVE-2011-2857
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2857
[ 30 ] CVE-2011-2858
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2858
[ 31 ] CVE-2011-2859
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2859
[ 32 ] CVE-2011-2860
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2860
[ 33 ] CVE-2011-2861
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2861
[ 34 ] CVE-2011-2862
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2862
[ 35 ] CVE-2011-2864
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2864
[ 36 ] CVE-2011-2874
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2874
[ 37 ] CVE-2011-3234
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3234
[ 38 ] CVE-2011-3873
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3873
[ 39 ] CVE-2011-3875
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3875
[ 40 ] CVE-2011-3876
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3876
[ 41 ] CVE-2011-3877
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3877
[ 42 ] CVE-2011-3878
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3878
[ 43 ] CVE-2011-3879
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3879
[ 44 ] CVE-2011-3880
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3880
[ 45 ] CVE-2011-3881
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3881
[ 46 ] CVE-2011-3882
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3882
[ 47 ] CVE-2011-3883
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3883
[ 48 ] CVE-2011-3884
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3884
[ 49 ] CVE-2011-3885
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3885
[ 50 ] CVE-2011-3886
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3886
[ 51 ] CVE-2011-3887
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3887
[ 52 ] CVE-2011-3888
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3888
[ 53 ] CVE-2011-3889
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3889
[ 54 ] CVE-2011-3890
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3890
[ 55 ] CVE-2011-3891
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3891
[ 56 ] Release Notes 10.0.648.127
       http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
[ 57 ] Release Notes 10.0.648.133
       https://chromereleases.googleblog.com/2011/03/stable-and-beta-channel-updates.html
[ 58 ] Release Notes 10.0.648.205
       https://chromereleases.googleblog.com/2011/04/stable-channel-update.html
[ 59 ] Release Notes 11.0.696.57
       https://chromereleases.googleblog.com/2011/04/chrome-stable-update.html
[ 60 ] Release Notes 11.0.696.65
       https://chromereleases.googleblog.com/2011/05/beta-and-stable-channel-update.html
[ 61 ] Release Notes 11.0.696.68
       http://googlechromereleases.blogspot.com/2011/05/stable-channel-update.html
[ 62 ] Release Notes 11.0.696.71
       http://googlechromereleases.blogspot.com/2011/05/stable-channel-update_24.html
[ 63 ] Release Notes 12.0.742.112
       https://chromereleases.googleblog.com/2011/06/stable-channel-update_28.html
[ 64 ] Release Notes 12.0.742.91
       http://googlechromereleases.blogspot.com/2011/06/chrome-stable-release.html
[ 65 ] Release Notes 13.0.782.107
       http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html
[ 66 ] Release Notes 13.0.782.215
       https://chromereleases.googleblog.com/2011/08/stable-channel-update_22.html
[ 67 ] Release Notes 13.0.782.220
       http://googlechromereleases.blogspot.com/2011/09/stable-channel-update.html
[ 68 ] Release Notes 14.0.835.163
       http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html
[ 69 ] Release Notes 14.0.835.202
       https://chromereleases.googleblog.com/2011/10/stable-channel-update.html
[ 70 ] Release Notes 15.0.874.102
       https://chromereleases.googleblog.com/2011/10/chrome-stable-release.html
[ 71 ] Release Notes 8.0.552.237
       http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html
[ 72 ] Release Notes 9.0.597.107
       https://chromereleases.googleblog.com/2011/02/stable-channel-update_28.html
[ 73 ] Release Notes 9.0.597.84
       http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
[ 74 ] Release Notes 9.0.597.94
       http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201111-01

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5/

Gentoo: GLSA-201111-01: Chromium, V8: Multiple vulnerabilities

Multiple vulnerabilities have been reported in Chromium and V8, some of which may allow execution of arbitrary code and local root privilege escalation

Summary

Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details.

Resolution

All Chromium users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-client/chromium-15.0.874.102"
All V8 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.5.10.22"

References

[ 1 ] CVE-2011-2345 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2345 [ 2 ] CVE-2011-2346 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2346 [ 3 ] CVE-2011-2347 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2347 [ 4 ] CVE-2011-2348 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2348 [ 5 ] CVE-2011-2349 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2349 [ 6 ] CVE-2011-2350 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2350 [ 7 ] CVE-2011-2351 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2351 [ 8 ] CVE-2011-2834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834 [ 9 ] CVE-2011-2835 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2835 [ 10 ] CVE-2011-2837 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2837 [ 11 ] CVE-2011-2838 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2838 [ 12 ] CVE-2011-2839 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2839 [ 13 ] CVE-2011-2840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2840 [ 14 ] CVE-2011-2841 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2841 [ 15 ] CVE-2011-2843 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2843 [ 16 ] CVE-2011-2844 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2844 [ 17 ] CVE-2011-2845 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2845 [ 18 ] CVE-2011-2846 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2846 [ 19 ] CVE-2011-2847 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2847 [ 20 ] CVE-2011-2848 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2848 [ 21 ] CVE-2011-2849 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2849 [ 22 ] CVE-2011-2850 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2850 [ 23 ] CVE-2011-2851 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2851 [ 24 ] CVE-2011-2852 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2852 [ 25 ] CVE-2011-2853 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2853 [ 26 ] CVE-2011-2854 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2854 [ 27 ] CVE-2011-2855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2855 [ 28 ] CVE-2011-2856 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2856 [ 29 ] CVE-2011-2857 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2857 [ 30 ] CVE-2011-2858 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2858 [ 31 ] CVE-2011-2859 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2859 [ 32 ] CVE-2011-2860 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2860 [ 33 ] CVE-2011-2861 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2861 [ 34 ] CVE-2011-2862 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2862 [ 35 ] CVE-2011-2864 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2864 [ 36 ] CVE-2011-2874 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2874 [ 37 ] CVE-2011-3234 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3234 [ 38 ] CVE-2011-3873 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3873 [ 39 ] CVE-2011-3875 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3875 [ 40 ] CVE-2011-3876 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3876 [ 41 ] CVE-2011-3877 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3877 [ 42 ] CVE-2011-3878 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3878 [ 43 ] CVE-2011-3879 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3879 [ 44 ] CVE-2011-3880 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3880 [ 45 ] CVE-2011-3881 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3881 [ 46 ] CVE-2011-3882 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3882 [ 47 ] CVE-2011-3883 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3883 [ 48 ] CVE-2011-3884 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3884 [ 49 ] CVE-2011-3885 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3885 [ 50 ] CVE-2011-3886 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3886 [ 51 ] CVE-2011-3887 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3887 [ 52 ] CVE-2011-3888 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3888 [ 53 ] CVE-2011-3889 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3889 [ 54 ] CVE-2011-3890 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3890 [ 55 ] CVE-2011-3891 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3891 [ 56 ] Release Notes 10.0.648.127 http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html [ 57 ] Release Notes 10.0.648.133 https://chromereleases.googleblog.com/2011/03/stable-and-beta-channel-updates.html [ 58 ] Release Notes 10.0.648.205 https://chromereleases.googleblog.com/2011/04/stable-channel-update.html [ 59 ] Release Notes 11.0.696.57 https://chromereleases.googleblog.com/2011/04/chrome-stable-update.html [ 60 ] Release Notes 11.0.696.65 https://chromereleases.googleblog.com/2011/05/beta-and-stable-channel-update.html [ 61 ] Release Notes 11.0.696.68 http://googlechromereleases.blogspot.com/2011/05/stable-channel-update.html [ 62 ] Release Notes 11.0.696.71 http://googlechromereleases.blogspot.com/2011/05/stable-channel-update_24.html [ 63 ] Release Notes 12.0.742.112 https://chromereleases.googleblog.com/2011/06/stable-channel-update_28.html [ 64 ] Release Notes 12.0.742.91 http://googlechromereleases.blogspot.com/2011/06/chrome-stable-release.html [ 65 ] Release Notes 13.0.782.107 http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html [ 66 ] Release Notes 13.0.782.215 https://chromereleases.googleblog.com/2011/08/stable-channel-update_22.html [ 67 ] Release Notes 13.0.782.220 http://googlechromereleases.blogspot.com/2011/09/stable-channel-update.html [ 68 ] Release Notes 14.0.835.163 http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html [ 69 ] Release Notes 14.0.835.202 https://chromereleases.googleblog.com/2011/10/stable-channel-update.html [ 70 ] Release Notes 15.0.874.102 https://chromereleases.googleblog.com/2011/10/chrome-stable-release.html [ 71 ] Release Notes 8.0.552.237 http://googlechromereleases.blogspot.com/2011/01/chrome-stable-release.html [ 72 ] Release Notes 9.0.597.107 https://chromereleases.googleblog.com/2011/02/stable-channel-update_28.html [ 73 ] Release Notes 9.0.597.84 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html [ 74 ] Release Notes 9.0.597.94 http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201111-01

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
Severity: High
Title: Chromium, V8: Multiple vulnerabilities
Date: November 01, 2011
Bugs: #351525, #353626, #354121, #356933, #357963, #358581,
ID: 201111-01

Synopsis

Multiple vulnerabilities have been reported in Chromium and V8, some of which may allow execution of arbitrary code and local root privilege escalation.

Background

Chromium is an open-source web browser project. V8 is Google's open source JavaScript engine.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/chromium < 15.0.874.102 >= 15.0.874.102 2 dev-lang/v8 < 3.5.10.22 >= 3.5.10.22 ------------------------------------------------------------------- 2 affected packages -------------------------------------------------------------------

Impact

===== A local attacker could gain root privileges (CVE-2011-1444, fixed in chromium-11.0.696.57). A context-dependent attacker could entice a user to open a specially crafted web site or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. The attacker also could obtain cookies and other sensitive information, conduct man-in-the-middle attacks, perform address bar spoofing, bypass the same origin policy, perform Cross-Site Scripting attacks, or bypass pop-up blocks.

Workaround

There is no known workaround at this time.

Related News