Security Information / 2014 / Security Information -- DSA-3039-1 chromium-browser

Debian Security Advisory

DSA-3039-1 chromium-browser -- security update

Date Reported:

28 Sep 2014

Affected Packages:

chromium-browser

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-3160, CVE-2014-3162, CVE-2014-3165, CVE-2014-3166, CVE-2014-3167, CVE-2014-3168, CVE-2014-3169, CVE-2014-3170, CVE-2014-3171, CVE-2014-3172, CVE-2014-3173, CVE-2014-3174, CVE-2014-3175, CVE-2014-3176, CVE-2014-3177, CVE-2014-3178, CVE-2014-3179.

More information:

Several vulnerabilities were discovered in the chromium web browser.

• CVE-2014-3160

  Christian Schneider discovered a same origin bypass issue in SVG file resource fetching.

• CVE-2014-3162

  The Google Chrome development team addressed multiple issues with potential security impact for chromium 36.0.1985.125.

• CVE-2014-3165

  Colin Payne discovered a use-after-free issue in the Web Sockets implementation.

• CVE-2014-3166

  Antoine Delignat-Lavaud discovered an information leak in the SPDY protocol implementation.

• CVE-2014-3167

  The Google Chrome development team addressed multiple issues with potential security impact for chromium 36.0.1985.143.

• CVE-2014-3168

  cloudfuzzer discovered a use-after-free issue in SVG image file handling.

• CVE-2014-3169

  Andrzej Dyjak discovered a use-after-free issue in the Webkit/Blink Document Object Model implementation.

• CVE-2014-3170

  Rob Wu discovered a way to spoof the url of chromium extensions.

• CVE-2014-3171

  cloudfuzzer discovered a use-after-free issue in chromium's v8 bindings.

• CVE-2014-3172

  Eli Grey discovered a way to bypass access restrictions using chromium's Debugger extension API.

• CVE-2014-3173

  jmuizelaar discovered an uninitialized read issue in WebGL.

• CVE-2014-3174

  Atte Kettunen discovered an uninitialized read issue in Web Audio.

• CVE-2014-3175

  The Google Chrome development team addressed multiple issues with potential security impact for chromium 37.0.2062.94.

• CVE-2014-3176

  lokihardt@asrt discovered a combination of flaws that can lead to remote code execution outside of chromium's sandbox.

• CVE-2014-3177

  lokihardt@asrt discovered a combination of flaws that can lead to remote code execution outside of chromium's sandbox.

• CVE-2014-3178

  miaubiz discovered a use-after-free issue in the Document Object Model implementation in Blink/Webkit.

• CVE-2014-3179

  The Google Chrome development team addressed multiple issues with potential security impact for chromium 37.0.2062.120.

For the stable distribution (wheezy), these problems have been fixed in version 37.0.2062.120-1~deb7u1.

For the testing (jessie) and unstable (sid) distributions, these problems have been fixed in version 37.0.2062.120-1.

We recommend that you upgrade your chromium-browser packages.