Gentoo: GLSA-201403-01: Chromium, V8: Multiple vulnerabilities
Summary
Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details.
Resolution
All chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/chromium-33.0.1750.146"
Gentoo has discontinued support for separate V8 package. We recommend
that users unmerge V8:
# emerge --unmerge "dev-lang/v8"
References
[ 1 ] CVE-2013-2906 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2906 [ 2 ] CVE-2013-2907 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2907 [ 3 ] CVE-2013-2908 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2908 [ 4 ] CVE-2013-2909 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2909 [ 5 ] CVE-2013-2910 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2910 [ 6 ] CVE-2013-2911 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2911 [ 7 ] CVE-2013-2912 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2912 [ 8 ] CVE-2013-2913 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2913 [ 9 ] CVE-2013-2915 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2915 [ 10 ] CVE-2013-2916 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2916 [ 11 ] CVE-2013-2917 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2917 [ 12 ] CVE-2013-2918 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2918 [ 13 ] CVE-2013-2919 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2919 [ 14 ] CVE-2013-2920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2920 [ 15 ] CVE-2013-2921 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2921 [ 16 ] CVE-2013-2922 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2922 [ 17 ] CVE-2013-2923 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2923 [ 18 ] CVE-2013-2925 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2925 [ 19 ] CVE-2013-2926 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2926 [ 20 ] CVE-2013-2927 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2927 [ 21 ] CVE-2013-2928 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2928 [ 22 ] CVE-2013-2931 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2931 [ 23 ] CVE-2013-6621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6621 [ 24 ] CVE-2013-6622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6622 [ 25 ] CVE-2013-6623 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6623 [ 26 ] CVE-2013-6624 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6624 [ 27 ] CVE-2013-6625 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6625 [ 28 ] CVE-2013-6626 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6626 [ 29 ] CVE-2013-6627 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6627 [ 30 ] CVE-2013-6628 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6628 [ 31 ] CVE-2013-6632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6632 [ 32 ] CVE-2013-6634 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6634 [ 33 ] CVE-2013-6635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6635 [ 34 ] CVE-2013-6636 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6636 [ 35 ] CVE-2013-6637 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6637 [ 36 ] CVE-2013-6638 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6638 [ 37 ] CVE-2013-6639 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6639 [ 38 ] CVE-2013-6640 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6640 [ 39 ] CVE-2013-6641 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6641 [ 40 ] CVE-2013-6643 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6643 [ 41 ] CVE-2013-6644 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6644 [ 42 ] CVE-2013-6645 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6645 [ 43 ] CVE-2013-6646 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6646 [ 44 ] CVE-2013-6649 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6649 [ 45 ] CVE-2013-6650 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6650 [ 46 ] CVE-2013-6652 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6652 [ 47 ] CVE-2013-6653 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6653 [ 48 ] CVE-2013-6654 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6654 [ 49 ] CVE-2013-6655 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6655 [ 50 ] CVE-2013-6656 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6656 [ 51 ] CVE-2013-6657 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6657 [ 52 ] CVE-2013-6658 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6658 [ 53 ] CVE-2013-6659 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6659 [ 54 ] CVE-2013-6660 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6660 [ 55 ] CVE-2013-6661 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6661 [ 56 ] CVE-2013-6663 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6663 [ 57 ] CVE-2013-6664 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6664 [ 58 ] CVE-2013-6665 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6665 [ 59 ] CVE-2013-6666 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6666 [ 60 ] CVE-2013-6667 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6667 [ 61 ] CVE-2013-6668 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6668 [ 62 ] CVE-2013-6802 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6802 [ 63 ] CVE-2014-1681 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1681
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201403-01
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
Synopsis
Multiple vulnerabilities have been reported in Chromium and V8, worst of which may allow execution of arbitrary code.
Background
Chromium is an open-source web browser project. V8 is Google's open source JavaScript engine.
Affected Packages
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/chromium < 33.0.1750.146 >= 33.0.1750.146 2 dev-lang/v8 < 3.20.17.13 Vulnerable! ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers. ------------------------------------------------------------------- 2 affected packages
Impact
===== A context-dependent attacker could entice a user to open a specially crafted web site or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Furthermore, a remote attacker may be able to bypass security restrictions or have other unspecified impact.
Workaround
There is no known workaround at this time.