Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0441-1 Final 1 1 2015-03-01T16:32:47Z current 2015-03-01T16:32:47Z 2015-03-01T16:32:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium chromium was updated to version 40.0.2214.111 to fix 31 vulnerabilities. These security issues were fixed: - CVE-2015-1209: Use-after-free in DOM (bnc#916841). - CVE-2015-1210: Cross-origin-bypass in V8 bindings (bnc#916843). - CVE-2015-1211: Privilege escalation using service workers (bnc#916838). - CVE-2015-1212: Various fixes from internal audits, fuzzing and other initiatives (bnc#916840). - CVE-2014-7923: Memory corruption in ICU (bnc#914468). - CVE-2014-7924: Use-after-free in IndexedDB (bnc#914468). - CVE-2014-7925: Use-after-free in WebAudio (bnc#914468). - CVE-2014-7926: Memory corruption in ICU (bnc#914468). - CVE-2014-7927: Memory corruption in V8 (bnc#914468). - CVE-2014-7928: Memory corruption in V8 (bnc#914468). - CVE-2014-7930: Use-after-free in DOM (bnc#914468). - CVE-2014-7931: Memory corruption in V8 (bnc#914468). - CVE-2014-7929: Use-after-free in DOM (bnc#914468). - CVE-2014-7932: Use-after-free in DOM (bnc#914468). - CVE-2014-7933: Use-after-free in FFmpeg (bnc#914468). - CVE-2014-7934: Use-after-free in DOM (bnc#914468). - CVE-2014-7935: Use-after-free in Speech (bnc#914468). - CVE-2014-7936: Use-after-free in Views (bnc#914468). - CVE-2014-7937: Use-after-free in FFmpeg (bnc#914468). - CVE-2014-7938: Memory corruption in Fonts (bnc#914468). - CVE-2014-7939: Same-origin-bypass in V8 (bnc#914468). - CVE-2014-7940: Uninitialized-value in ICU (bnc#914468). - CVE-2014-7941: Out-of-bounds read in UI (bnc#914468). - CVE-2014-7942: Uninitialized-value in Fonts (bnc#914468). - CVE-2014-7943: Out-of-bounds read in Skia - CVE-2014-7944: Out-of-bounds read in PDFium - CVE-2014-7945: Out-of-bounds read in PDFium - CVE-2014-7946: Out-of-bounds read in Fonts - CVE-2014-7947: Out-of-bounds read in PDFium - CVE-2014-7948: Caching error in AppCache - CVE-2015-1205: Various fixes from internal audits, fuzzing and other initiatives These non-security issues were fixed: - Fix using 'echo' command in chromium-browser.sh script The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html E-Mail link for openSUSE-SU-2015:0441-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings chromedriver-40.0.2214.111-68.2 chromium-40.0.2214.111-68.2 chromium-desktop-gnome-40.0.2214.111-68.2 chromium-desktop-kde-40.0.2214.111-68.2 chromium-ffmpegsumo-40.0.2214.111-68.2 The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression. CVE-2014-7923 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7923.html CVE-2014-7923 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc. CVE-2014-7924 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7924.html CVE-2014-7924 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained. CVE-2014-7925 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7925.html CVE-2014-7925 https://bugzilla.suse.com/914468 SUSE Bug 914468 The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier. CVE-2014-7926 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7926.html CVE-2014-7926 https://bugzilla.suse.com/914468 SUSE Bug 914468 The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. CVE-2014-7927 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7927.html CVE-2014-7927 https://bugzilla.suse.com/914468 SUSE Bug 914468 hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy. CVE-2014-7928 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7928.html CVE-2014-7928 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents. CVE-2014-7929 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7929.html CVE-2014-7929 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data. CVE-2014-7930 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7930.html CVE-2014-7930 https://bugzilla.suse.com/914468 SUSE Bug 914468 factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers. CVE-2014-7931 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7931.html CVE-2014-7931 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements. CVE-2014-7932 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7932.html CVE-2014-7932 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. CVE-2014-7933 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7933.html CVE-2014-7933 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures. CVE-2014-7934 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7934.html CVE-2014-7934 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab. CVE-2014-7935 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7935.html CVE-2014-7935 https://bugzilla.suse.com/914468 SUSE Bug 914468 Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble. CVE-2014-7936 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7936.html CVE-2014-7936 https://bugzilla.suse.com/914468 SUSE Bug 914468 Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. CVE-2014-7937 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7937.html CVE-2014-7937 https://bugzilla.suse.com/914468 SUSE Bug 914468 The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. CVE-2014-7938 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7938.html CVE-2014-7938 https://bugzilla.suse.com/914468 SUSE Bug 914468 Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header. CVE-2014-7939 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7939.html CVE-2014-7939 https://bugzilla.suse.com/914468 SUSE Bug 914468 The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. CVE-2014-7940 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7940.html CVE-2014-7940 https://bugzilla.suse.com/914468 SUSE Bug 914468 The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data. CVE-2014-7941 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7941.html CVE-2014-7941 https://bugzilla.suse.com/914468 SUSE Bug 914468 The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. CVE-2014-7942 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7942.html CVE-2014-7942 https://bugzilla.suse.com/914468 SUSE Bug 914468 Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. CVE-2014-7943 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7943.html CVE-2014-7943 https://bugzilla.suse.com/914468 SUSE Bug 914468 The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. CVE-2014-7944 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7944.html CVE-2014-7944 https://bugzilla.suse.com/914468 SUSE Bug 914468 OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. CVE-2014-7945 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7945.html CVE-2014-7945 https://bugzilla.suse.com/914468 SUSE Bug 914468 The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation. CVE-2014-7946 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7946.html CVE-2014-7946 https://bugzilla.suse.com/914468 SUSE Bug 914468 OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. CVE-2014-7947 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7947.html CVE-2014-7947 https://bugzilla.suse.com/914468 SUSE Bug 914468 The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate. CVE-2014-7948 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2014-7948.html CVE-2014-7948 https://bugzilla.suse.com/914468 SUSE Bug 914468 Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2015-1205 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2015-1205.html CVE-2015-1205 https://bugzilla.suse.com/914468 SUSE Bug 914468 https://bugzilla.suse.com/915529 SUSE Bug 915529 https://bugzilla.suse.com/915530 SUSE Bug 915530 https://bugzilla.suse.com/915533 SUSE Bug 915533 https://bugzilla.suse.com/915534 SUSE Bug 915534 https://bugzilla.suse.com/915535 SUSE Bug 915535 Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor. CVE-2015-1209 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2015-1209.html CVE-2015-1209 https://bugzilla.suse.com/914468 SUSE Bug 914468 https://bugzilla.suse.com/916841 SUSE Bug 916841 The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. CVE-2015-1210 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2015-1210.html CVE-2015-1210 https://bugzilla.suse.com/914468 SUSE Bug 914468 https://bugzilla.suse.com/916843 SUSE Bug 916843 The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI. CVE-2015-1211 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2015-1211.html CVE-2015-1211 https://bugzilla.suse.com/914468 SUSE Bug 914468 https://bugzilla.suse.com/916838 SUSE Bug 916838 Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2015-1212 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html https://www.suse.com/security/cve/CVE-2015-1212.html CVE-2015-1212 https://bugzilla.suse.com/914468 SUSE Bug 914468 https://bugzilla.suse.com/916840 SUSE Bug 916840 https://bugzilla.suse.com/920825 SUSE Bug 920825