ArchLinux: 201505-14: chromium: multiple issues
Summary
- CVE-2015-1251 (arbitrary code execution)
Use-after-free vulnerability in the SpeechRecognitionClient
implementation in the Speech subsystem allows remote attackers to
execute arbitrary code via a crafted document.
- CVE-2015-1252 (sandbox protection bypass)
It has been discovered that common/partial_circular_buffer.cc does not
properly handle wraps, which allows remote attackers to bypass a sandbox
protection mechanism or cause a denial of service (out-of-bounds write)
via vectors that trigger a write operation with a large amount of data,
related to the PartialCircularBuffer::Write and
PartialCircularBuffer::DoWrite functions.
- CVE-2015-1253 (same origin policy bypass)
It has been discovered that core/html/parser/HTMLConstructionSite.cpp in
the DOM implementation in Blink allows remote attackers to bypass the
Same Origin Policy via crafted JavaScript code that appends a child to a
SCRIPT element, related to the insert and executeReparentTask functions.
- CVE-2015-1254 (same origin policy bypass)
It has been discovered that core/dom/Document.cpp in Blink enables the
inheritance of the designMode attribute, which allows remote attackers
to bypass the Same Origin Policy by leveraging the availability of editing.
- CVE-2015-1255 (denial of service)
Use-after-free vulnerability in
content/renderer/media/webaudio_capturer_source.cc in the WebAudio
implementation allows remote attackers to cause a denial of service
(heap memory corruption) or possibly have unspecified other impact by
leveraging improper handling of a stop action for an audio track.
- CVE-2015-1256 (denial of service)
Use-after-free vulnerability in the SVG implementation in Blink allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted document that leverages improper
handling of a shadow tree for a use element.
- CVE-2015-1257 (denial of service)
It has been discovered that platform/graphics/filters/FEColorMatrix.cpp
in the SVG implementation in Blink does not properly handle an
insufficient number of values in an feColorMatrix filter, which allows
remote attackers to cause a denial of service (container overflow) or
possibly have unspecified other impact via a crafted document.
- CVE-2015-1258 (denial of service)
Google Chrome before 43.0.2357.65 relies on libvpx code that was not
built with an appropriate --size-limit value, which allows remote
attackers to trigger a negative value for a size field, and consequently
cause a denial of service or possibly have unspecified other impact, via
a crafted frame size in VP9 video data.
- CVE-2015-1259 (denial of service)
PDFium does not properly initialize memory, which allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
- CVE-2015-1260 (denial of service)
Multiple use-after-free vulnerabilities in
content/renderer/media/user_media_client_impl.cc in the WebRTC
implementation allow remote attackers to cause a denial of service or
possibly have unspecified other impact via crafted JavaScript code that
executes upon completion of a getUserMedia request.
- CVE-2015-1263 (man-in-the-middle)
The Spellcheck API implementation does not use an HTTPS session for
downloading a Hunspell dictionary, which allows man-in-the-middle
attackers to deliver incorrect spelling suggestions or possibly have
unspecified other impact via a crafted file.
- CVE-2015-1264 (cross-site scripting)
Cross-site scripting (XSS) vulnerability allows user-assisted remote
attackers to inject arbitrary web script or HTML via crafted data that
is improperly handled by the Bookmarks feature.
- CVE-2015-1265 (denial of service)
Multiple unspecified vulnerabilities in Google Chrome before
43.0.2357.65 allow attackers to cause a denial of service or possibly
have other impact via unknown vectors.
Resolution
Upgrade to 43.0.2357.65-1.
# pacman -Syu "chromium>=43.0.2357.65-1"
The problems have been fixed upstream in version 43.0.2357.65.
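As an added example that is not part of the advisory or of pacman's own tooling, the following POSIX sh script checks an installed chromium version against the fixed release. It reimplements pacman's vercmp ordering for [epoch:]pkgver-pkgrel strings whose segments are all numeric (true for chromium versions) so that the comparison can be read and run on a machine without pacman; the function names, the --check flag and the sample versions in the dry run are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of the Arch advisory or of pacman): check whether an
# installed chromium package version already includes the fix, using a pure
# POSIX sh comparison of Arch-style [epoch:]pkgver-pkgrel version strings.
# Assumption: pkgver and pkgrel consist of dot-separated numbers, which holds
# for chromium (e.g. 43.0.2357.65-1); alphanumeric segments are not handled.

FIXED_VERSION="43.0.2357.65-1"   # from the advisory's Resolution

# cmp_dotted A B: print 1, 0 or -1 for A > B, A = B, A < B, comparing
# dot-separated numeric segments left to right. As in pacman's vercmp
# (rpmvercmp), if one string runs out of segments first the longer one is newer.
cmp_dotted() {
    x=$1; y=$2
    while [ -n "$x" ] && [ -n "$y" ]; do
        xf=${x%%.*}; if [ "$xf" = "$x" ]; then x=''; else x=${x#*.}; fi
        yf=${y%%.*}; if [ "$yf" = "$y" ]; then y=''; else y=${y#*.}; fi
        if [ "$xf" -gt "$yf" ]; then echo 1; return; fi
        if [ "$xf" -lt "$yf" ]; then echo -1; return; fi
    done
    if [ -n "$x" ]; then echo 1; elif [ -n "$y" ]; then echo -1; else echo 0; fi
}

# vercmp_arch A B: same ordering as pacman's `vercmp A B` for numeric versions:
# epoch first (a missing epoch counts as 0), then pkgver, then pkgrel, where
# pkgrel is only compared when both versions carry one (so 1.0 equals 1.0-3).
vercmp_arch() {
    a=$1; b=$2
    case $a in *:*) ea=${a%%:*}; a=${a#*:} ;; *) ea=0 ;; esac
    case $b in *:*) eb=${b%%:*}; b=${b#*:} ;; *) eb=0 ;; esac
    if [ "$ea" -gt "$eb" ]; then echo 1; return; fi
    if [ "$ea" -lt "$eb" ]; then echo -1; return; fi
    case $a in *-*) ra=${a##*-}; a=${a%-*} ;; *) ra='' ;; esac
    case $b in *-*) rb=${b##*-}; b=${b%-*} ;; *) rb='' ;; esac
    r=$(cmp_dotted "$a" "$b")
    if [ "$r" -ne 0 ] || [ -z "$ra" ] || [ -z "$rb" ]; then echo "$r"; return; fi
    cmp_dotted "$ra" "$rb"
}

# chromium_is_fixed VERSION: succeed if VERSION is at or above FIXED_VERSION.
chromium_is_fixed() {
    [ "$(vercmp_arch "$1" "$FIXED_VERSION")" -ge 0 ]
}

# installed_chromium_version: the version pacman reports, or nothing if the
# package (or pacman itself) is absent. `pacman -Q chromium` prints
# "chromium <version>".
installed_chromium_version() {
    command -v pacman >/dev/null 2>&1 || return 0
    pacman -Q chromium 2>/dev/null | awk '{print $2}'
}

# check_host: report this machine's state and the advisory's upgrade command.
check_host() {
    v=$(installed_chromium_version)
    if [ -z "$v" ]; then
        echo "chromium is not installed (or pacman is unavailable)"
        return 0
    fi
    if chromium_is_fixed "$v"; then
        echo "chromium $v: includes the fix (>= $FIXED_VERSION)"
        return 0
    fi
    echo "chromium $v: VULNERABLE, run: pacman -Syu \"chromium>=$FIXED_VERSION\""
    return 1
}

# Dry run on constructed sample versions (not real package data):
for sample in 42.0.2311.152-1 43.0.2357.65-1 43.0.2357.65-2 1:42.0.0-1; do
    if chromium_is_fixed "$sample"; then echo "$sample: fixed"; else echo "$sample: vulnerable"; fi
done

# Run the real check only when asked, e.g.:  sh check-chromium.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

On an Arch host the authoritative comparison is pacman's own `vercmp`, e.g. `vercmp "$(pacman -Q chromium | awk '{print $2}')" 43.0.2357.65-1` prints -1 while the installed package is older than the fix; the reimplementation above only exists so the check is readable and runnable elsewhere. Note that an epoch (`1:` in the last sample) outranks any pkgver, which is why pinning with `chromium>=43.0.2357.65-1` still works correctly if the package ever gains one.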
References
https://chromereleases.googleblog.com/2015/05/stable-channel-update_19.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1251
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1252
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1253
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1254
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1255
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1256
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1257
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1258
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1259
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1260
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1263
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1264
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1265
Workaround
None.