Gentoo Archives: gentoo-announce

From: Tim Sammut <underling@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201202-01 ] Chromium: Multiple vulnerabilities
Date: Sat, 18 Feb 2012 19:05:44
Message-Id: 4F3FE5EA.2030702@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201202-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: February 18, 2012
Bugs: #402841, #404067
ID: 201202-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.

Background
==========

Chromium is an open source web browser project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium        < 17.0.963.56           >= 17.0.963.56

Description
===========

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.

Impact
======

A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
information leak (clipboard contents), bypass of the Same Origin
Policy, or escape from NativeClient's sandbox.

A remote attacker could also entice the user to perform a set of UI
actions (drag and drop) to trigger a URL bar spoofing vulnerability.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.56"

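An added example, not part of the advisory: a shell check that classifies installed www-client/chromium versions against the fixed version from the Affected packages table. The function names and the use of /var/db/pkg as Portage's installed-package database are assumptions of this example; components are compared numerically so that 17.0.963.9 sorts below 17.0.963.56.

```shell
#!/bin/sh
# Added example (not from the GLSA): flag chromium installs below the fix.

FIXED="17.0.963.56"   # first unaffected version, per the advisory table

# version_lt A B: succeed if dotted-numeric version A is lower than B.
# Assumption: components are purely numeric (true for Chromium versions).
# A Gentoo revision (-rN) or suffix (_pN, _rcN) is stripped, not ordered.
version_lt() {
    a=${1%%-r[0-9]*}; a=${a%%_*}
    b=${2%%-r[0-9]*}; b=${b%%_*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        # Drop the component just compared; empty once none are left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal, so A is not lower
}

# chromium_status VERSION: print "vulnerable" or "unaffected".
chromium_status() {
    if version_lt "$1" "$FIXED"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# scan_vdb [DIR]: print "<version> <status>" for each installed chromium.
# Installed packages appear as DIR/<category>/<name>-<version>/ directories.
scan_vdb() {
    vdb=${1:-/var/db/pkg}
    for d in "$vdb"/www-client/chromium-[0-9]*; do
        [ -d "$d" ] || continue        # glob matched nothing
        v=${d##*/chromium-}
        echo "$v $(chromium_status "$v")"
    done
}

# Stand-alone use: scan the local host, or a mounted root given as $1.
scan_vdb "$@"
```
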
References
==========

[ 1 ] CVE-2011-3016
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3016
[ 2 ] CVE-2011-3017
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3017
[ 3 ] CVE-2011-3018
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3018
[ 4 ] CVE-2011-3019
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3019
[ 5 ] CVE-2011-3020
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3020
[ 6 ] CVE-2011-3021
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3021
[ 7 ] CVE-2011-3022
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3022
[ 8 ] CVE-2011-3023
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3023
[ 9 ] CVE-2011-3024
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3024
[ 10 ] CVE-2011-3025
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3025
[ 11 ] CVE-2011-3027
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3027
[ 12 ] CVE-2011-3953
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3953
[ 13 ] CVE-2011-3954
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3954
[ 14 ] CVE-2011-3955
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3955
[ 15 ] CVE-2011-3956
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3956
[ 16 ] CVE-2011-3957
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3957
[ 17 ] CVE-2011-3958
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3958
[ 18 ] CVE-2011-3959
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3959
[ 19 ] CVE-2011-3960
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3960
[ 20 ] CVE-2011-3961
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3961
[ 21 ] CVE-2011-3962
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3962
[ 22 ] CVE-2011-3963
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3963
[ 23 ] CVE-2011-3964
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3964
[ 24 ] CVE-2011-3965
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3965
[ 25 ] CVE-2011-3966
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3966
[ 26 ] CVE-2011-3967
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3967
[ 27 ] CVE-2011-3968
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3968
[ 28 ] CVE-2011-3969
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3969
[ 29 ] CVE-2011-3970
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3970
[ 30 ] CVE-2011-3971
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3971
[ 31 ] CVE-2011-3972
       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3972
[ 32 ] Release Notes 17.0.963.46
       http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html
[ 33 ] Release Notes 17.0.963.56
       http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201202-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature