
[gentoo-announce] [ GLSA 201403-01 ] Chromium, V8: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 201403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: Normal
Title: Chromium, V8: Multiple vulnerabilities
Date: March 05, 2014
Bugs: #486742, #488148, #491128, #491326, #493364, #498168,
      #499502, #501948, #503372
ID: 201403-01

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Multiple vulnerabilities have been reported in Chromium and V8, the
worst of which may allow execution of arbitrary code.

 

Background

==========

 

Chromium is an open-source web browser project. V8 is Google's open
source JavaScript engine.

 

Affected packages

=================

 

     -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
     -------------------------------------------------------------------
  1  www-client/chromium     < 33.0.1750.146          >= 33.0.1750.146
  2  dev-lang/v8               < 3.20.17.13               Vulnerable!
     -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
     -------------------------------------------------------------------
     2 affected packages

 

Description

===========

 

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

 

Impact

======

 

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of the
process or a Denial of Service condition. Furthermore, a remote
attacker may be able to bypass security restrictions or have other
unspecified impact.

 

Workaround

==========

 

There is no known workaround at this time.

 

Resolution

==========

 

All chromium users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=www-client/chromium-33.0.1750.146"

 

Gentoo has discontinued support for the separate V8 package. We
recommend that users unmerge V8:

 

# emerge --unmerge "dev-lang/v8"
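
As an added example (not part of the Gentoo advisory), the following sketch applies the Affected packages table to package atoms so a host inventory can be checked against this GLSA. The function names and sample atoms are constructed, and it assumes plain dotted numeric versions with an optional -rN revision.

```shell
#!/bin/sh
# Added example: apply the GLSA 201403-01 "Affected packages" table to package atoms.
# Thresholds come from the advisory; function names and sample atoms are constructed.
FIXED_CHROMIUM="33.0.1750.146"   # first unaffected www-client/chromium
V8_BOUND="3.20.17.13"            # dev-lang/v8 below this is listed as vulnerable

# ver_lt A B: succeed when dotted numeric version A is strictly lower than B.
# Fields compare as integers, so 33.0.1750.2 sorts below 33.0.1750.146.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# glsa_status ATOM: print the verdict for one "category/name-version" atom.
glsa_status() {
    case $1 in
        www-client/chromium-*) v=${1#www-client/chromium-} bound=$FIXED_CHROMIUM ;;
        dev-lang/v8-*)         v=${1#dev-lang/v8-} bound=$V8_BOUND ;;
        *) echo "not covered"; return 0 ;;
    esac
    v=${v%-r[0-9]*}            # drop a Gentoo revision suffix such as -r1
    if ver_lt "$v" "$bound"; then
        case $1 in
            dev-lang/*) echo "vulnerable: unmerge" ;;
            *)          echo "vulnerable: upgrade" ;;
        esac
    else
        case $1 in
            dev-lang/*) echo "not listed: unmerge (package unsupported)" ;;
            *)          echo "unaffected" ;;
        esac
    fi
}

# Constructed atoms, in the form of the directory names under /var/db/pkg.
for atom in www-client/chromium-32.0.1700.102 \
            www-client/chromium-33.0.1750.146-r1 dev-lang/v8-3.20.17.7; do
    printf '%s -> %s\n' "$atom" "$(glsa_status "$atom")"
done
```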

 

References

==========

 

[ 1 ] CVE-2013-2906

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2906

[ 2 ] CVE-2013-2907

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2907

[ 3 ] CVE-2013-2908

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2908

[ 4 ] CVE-2013-2909

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2909

[ 5 ] CVE-2013-2910

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2910

[ 6 ] CVE-2013-2911

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2911

[ 7 ] CVE-2013-2912

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2912

[ 8 ] CVE-2013-2913

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2913

[ 9 ] CVE-2013-2915

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2915

[ 10 ] CVE-2013-2916

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2916

[ 11 ] CVE-2013-2917

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2917

[ 12 ] CVE-2013-2918

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2918

[ 13 ] CVE-2013-2919

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2919

[ 14 ] CVE-2013-2920

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2920

[ 15 ] CVE-2013-2921

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2921

[ 16 ] CVE-2013-2922

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2922

[ 17 ] CVE-2013-2923

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2923

[ 18 ] CVE-2013-2925

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2925

[ 19 ] CVE-2013-2926

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2926

[ 20 ] CVE-2013-2927

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2927

[ 21 ] CVE-2013-2928

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2928

[ 22 ] CVE-2013-2931

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2931

[ 23 ] CVE-2013-6621

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6621

[ 24 ] CVE-2013-6622

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6622

[ 25 ] CVE-2013-6623

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6623

[ 26 ] CVE-2013-6624

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6624

[ 27 ] CVE-2013-6625

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6625

[ 28 ] CVE-2013-6626

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6626

[ 29 ] CVE-2013-6627

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6627

[ 30 ] CVE-2013-6628

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6628

[ 31 ] CVE-2013-6632

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6632

[ 32 ] CVE-2013-6634

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6634

[ 33 ] CVE-2013-6635

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6635

[ 34 ] CVE-2013-6636

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6636

[ 35 ] CVE-2013-6637

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6637

[ 36 ] CVE-2013-6638

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6638

[ 37 ] CVE-2013-6639

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6639

[ 38 ] CVE-2013-6640

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6640

[ 39 ] CVE-2013-6641

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6641

[ 40 ] CVE-2013-6643

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6643

[ 41 ] CVE-2013-6644

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6644

[ 42 ] CVE-2013-6645

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6645

[ 43 ] CVE-2013-6646

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6646

[ 44 ] CVE-2013-6649

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6649

[ 45 ] CVE-2013-6650

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6650

[ 46 ] CVE-2013-6652

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6652

[ 47 ] CVE-2013-6653

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6653

[ 48 ] CVE-2013-6654

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6654

[ 49 ] CVE-2013-6655

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6655

[ 50 ] CVE-2013-6656

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6656

[ 51 ] CVE-2013-6657

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6657

[ 52 ] CVE-2013-6658

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6658

[ 53 ] CVE-2013-6659

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6659

[ 54 ] CVE-2013-6660

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6660

[ 55 ] CVE-2013-6661

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6661

[ 56 ] CVE-2013-6663

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6663

[ 57 ] CVE-2013-6664

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6664

[ 58 ] CVE-2013-6665

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6665

[ 59 ] CVE-2013-6666

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6666

[ 60 ] CVE-2013-6667

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6667

[ 61 ] CVE-2013-6668

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6668

[ 62 ] CVE-2013-6802

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6802

[ 63 ] CVE-2014-1681

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1681

 

Availability

============

 

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-201403-01.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security ( -at -) gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

 

License

=======

 

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5

 

 

 

 
