Gentoo Archives: gentoo-announce

From: Mikle Kolyada <zlogene@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201403-01 ] Chromium, V8: Multiple vulnerabilities
Date: Wed, 05 Mar 2014 11:20:23
Message-Id: 53170946.2080804@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201403-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium, V8: Multiple vulnerabilities
     Date: March 05, 2014
     Bugs: #486742, #488148, #491128, #491326, #493364, #498168,
           #499502, #501948, #503372
       ID: 201403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium and V8, the
worst of which may allow execution of arbitrary code.

Background
==========

Chromium is an open-source web browser project. V8 is Google's open
source JavaScript engine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium     < 33.0.1750.146         >= 33.0.1750.146
  2  dev-lang/v8               < 3.20.17.13               Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
======

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process or a Denial of Service condition. Furthermore, a remote
attacker may be able to bypass security restrictions or have other
unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/chromium-33.0.1750.146"

Gentoo has discontinued support for the separate V8 package. We
recommend that users unmerge V8:

  # emerge --unmerge "dev-lang/v8"

References
==========

[ 1 ] CVE-2013-2906
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2906
[ 2 ] CVE-2013-2907
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2907
[ 3 ] CVE-2013-2908
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2908
[ 4 ] CVE-2013-2909
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2909
[ 5 ] CVE-2013-2910
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2910
[ 6 ] CVE-2013-2911
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2911
[ 7 ] CVE-2013-2912
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2912
[ 8 ] CVE-2013-2913
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2913
[ 9 ] CVE-2013-2915
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2915
[ 10 ] CVE-2013-2916
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2916
[ 11 ] CVE-2013-2917
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2917
[ 12 ] CVE-2013-2918
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2918
[ 13 ] CVE-2013-2919
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2919
[ 14 ] CVE-2013-2920
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2920
[ 15 ] CVE-2013-2921
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2921
[ 16 ] CVE-2013-2922
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2922
[ 17 ] CVE-2013-2923
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2923
[ 18 ] CVE-2013-2925
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2925
[ 19 ] CVE-2013-2926
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2926
[ 20 ] CVE-2013-2927
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2927
[ 21 ] CVE-2013-2928
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2928
[ 22 ] CVE-2013-2931
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2931
[ 23 ] CVE-2013-6621
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6621
[ 24 ] CVE-2013-6622
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6622
[ 25 ] CVE-2013-6623
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6623
[ 26 ] CVE-2013-6624
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6624
[ 27 ] CVE-2013-6625
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6625
[ 28 ] CVE-2013-6626
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6626
[ 29 ] CVE-2013-6627
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6627
[ 30 ] CVE-2013-6628
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6628
[ 31 ] CVE-2013-6632
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6632
[ 32 ] CVE-2013-6634
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6634
[ 33 ] CVE-2013-6635
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6635
[ 34 ] CVE-2013-6636
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6636
[ 35 ] CVE-2013-6637
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6637
[ 36 ] CVE-2013-6638
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6638
[ 37 ] CVE-2013-6639
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6639
[ 38 ] CVE-2013-6640
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6640
[ 39 ] CVE-2013-6641
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6641
[ 40 ] CVE-2013-6643
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6643
[ 41 ] CVE-2013-6644
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6644
[ 42 ] CVE-2013-6645
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6645
[ 43 ] CVE-2013-6646
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6646
[ 44 ] CVE-2013-6649
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6649
[ 45 ] CVE-2013-6650
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6650
[ 46 ] CVE-2013-6652
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6652
[ 47 ] CVE-2013-6653
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6653
[ 48 ] CVE-2013-6654
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6654
[ 49 ] CVE-2013-6655
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6655
[ 50 ] CVE-2013-6656
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6656
[ 51 ] CVE-2013-6657
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6657
[ 52 ] CVE-2013-6658
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6658
[ 53 ] CVE-2013-6659
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6659
[ 54 ] CVE-2013-6660
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6660
[ 55 ] CVE-2013-6661
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6661
[ 56 ] CVE-2013-6663
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6663
[ 57 ] CVE-2013-6664
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6664
[ 58 ] CVE-2013-6665
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6665
[ 59 ] CVE-2013-6666
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6666
[ 60 ] CVE-2013-6667
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6667
[ 61 ] CVE-2013-6668
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6668
[ 62 ] CVE-2013-6802
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6802
[ 63 ] CVE-2014-1681
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1681

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201403-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
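
A host-side check for the version ranges in the "Affected packages" table of this advisory, as an added example that is not part of the original GLSA: it reads `category/name-version` atoms on stdin and flags the two affected packages. The function names and the sample atoms are constructed for illustration, and version ordering assumes GNU `sort -V`.

```shell
#!/bin/sh
# Added example: classify installed package atoms against GLSA 201403-01.
# The threshold comes from the advisory's "Affected packages" table.
CHROMIUM_FIXED="33.0.1750.146"

# ver_lt A B: succeed when dotted numeric version A sorts strictly before B.
# A Gentoo "-rN" revision suffix is dropped before comparing.
ver_lt() {
    a=${1%-r[0-9]*}; b=${2%-r[0-9]*}
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$a" ]
}

# glsa_201403_01_check: read atoms on stdin, print one finding per affected
# package, and return 1 if anything was flagged (0 when the host is clean).
glsa_201403_01_check() {
    rc=0
    while IFS= read -r atom; do
        case $atom in
            www-client/chromium-[0-9]*)
                v=${atom#www-client/chromium-}
                if ver_lt "$v" "$CHROMIUM_FIXED"; then
                    echo "VULNERABLE $atom (upgrade to >=$CHROMIUM_FIXED)"
                    rc=1
                fi ;;
            dev-lang/v8-[0-9]*)
                # The table lists no unaffected version; the advisory's
                # resolution for this package is to unmerge it.
                echo "UNSUPPORTED $atom (unmerge dev-lang/v8)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input. On a real host the list could come from a tool
# such as `qlist -Iv` (assumes app-portage/portage-utils is installed).
sample_atoms() {
    printf '%s\n' "www-client/chromium-32.0.1700.107" \
        "dev-lang/v8-3.19.18.4" "www-client/firefox-24.3.0"
}

sample_atoms | glsa_201403_01_check || true
```

The non-zero return status makes the function usable as a gate in a patch-compliance job after the `emerge` steps in the Resolution section have been run.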
