{"id":"MGASA-2015-0036","summary":"Updated chromium-browser-stable packages fix security vulnerabilities","details":"Updated chromium-browser packages fix security vulnerabilities:\n\nUse-after-free vulnerability in the IndexedDB implementation in Google Chrome\nbefore 40.0.2214.91 allows remote attackers to cause a denial of service or\npossibly have unspecified other impact by triggering duplicate BLOB\nreferences, related to content/browser/indexed_db/indexed_db_callbacks.cc and\ncontent/browser/indexed_db/indexed_db_dispatcher_host.cc (CVE-2014-7924).\n\nUse-after-free vulnerability in the WebAudio implementation in Blink, as used\nin Google Chrome before 40.0.2214.91, allows remote attackers to cause a\ndenial of service or possibly have unspecified other impact via vectors that\ntrigger an audio-rendering thread in which AudioNode data is improperly\nmaintained (CVE-2014-7925).\n\nThe SimplifiedLowering::DoLoadBuffer function in\ncompiler/simplified-lowering.cc in Google V8, as used in Google Chrome before\n40.0.2214.91, does not properly choose an integer data type, which allows\nremote attackers to cause a denial of service (memory corruption) or possibly\nhave unspecified other impact via crafted JavaScript code (CVE-2014-7927).\n\nhydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not\nproperly handle arrays with holes, which allows remote attackers to cause a\ndenial of service (memory corruption) or possibly have unspecified other\nimpact via crafted JavaScript code that triggers an array copy\n(CVE-2014-7928).\n\nUse-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the\nDOM implementation in Blink, as used in Google Chrome before 40.0.2214.91,\nallows remote attackers to cause a denial of service or possibly have\nunspecified other impact via crafted JavaScript code that triggers improper\nmaintenance of TreeScope data (CVE-2014-7930).\n\nfactory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows\nremote attackers to cause a denial of service (memory corruption) or possibly\nhave unspecified other impact via crafted JavaScript code that triggers\nimproper maintenance of backing-store pointers (CVE-2014-7931).\n\nUse-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument\nfunction in core/html/HTMLScriptElement.cpp in the DOM implementation in\nBlink, as used in Google Chrome before 40.0.2214.91, allows remote attackers\nto cause a denial of service or possibly have unspecified other impact via\nvectors involving movement of a SCRIPT element across documents\n(CVE-2014-7929).\n\nUse-after-free vulnerability in the Element::detach function in\ncore/dom/Element.cpp in the DOM implementation in Blink, as used in Google\nChrome before 40.0.2214.91, allows remote attackers to cause a denial of\nservice or possibly have unspecified other impact via vectors involving\npending updates of detached elements (CVE-2014-7932).\n\nUse-after-free vulnerability in the DOM implementation in Blink, as used in\nGoogle Chrome before 40.0.2214.91, allows remote attackers to cause a denial\nof service or possibly have unspecified other impact via vectors related to\nunexpected absence of document data structures (CVE-2014-7934).\n\nUse-after-free vulnerability in browser/speech/tts_message_filter.cc in the\nSpeech implementation in Google Chrome before 40.0.2214.91 allows remote\nattackers to cause a denial of service or possibly have unspecified other\nimpact via vectors involving utterances from a closed tab (CVE-2014-7935).\n\nUse-after-free vulnerability in the ZoomBubbleView::Close function in\nbrowser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation\nin Google Chrome before 40.0.2214.91 allows remote attackers to cause a\ndenial of service or possibly have unspecified other impact via a crafted\ndocument that triggers improper maintenance of a zoom bubble (CVE-2014-7936).\n\nThe Fonts implementation in Google Chrome before 40.0.2214.91 allows remote\nattackers to cause a denial of service (memory corruption) or possibly have\nunspecified other impact via unknown vectors (CVE-2014-7938).\n\nGoogle Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is\nenabled, allows remote attackers to bypass the Same Origin Policy via crafted\nJavaScript code with Proxy.create and console.log calls, related to HTTP\nresponses that lack an \"X-Content-Type-Options: nosniff\" header\n(CVE-2014-7939).\n\nThe SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in\nthe UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect\ndata type for a certain length value, which allows remote attackers to cause\na denial of service (out-of-bounds read) via crafted X11 data\n(CVE-2014-7941).\n\nThe Fonts implementation in Google Chrome before 40.0.2214.91 does not\ninitialize memory for a data structure, which allows remote attackers to\ncause a denial of service or possibly have unspecified other impact via\nunknown vectors (CVE-2014-7942).\n\nSkia, as used in Google Chrome before 40.0.2214.91, allows remote attackers\nto cause a denial of service (out-of-bounds read) via unspecified vectors\n(CVE-2014-7943).\n\nThe RenderTable::simplifiedNormalFlowLayout function in\ncore/rendering/RenderTable.cpp in Blink, as used in Google Chrome before\n40.0.2214.91, skips captions during table layout in certain situations, which\nallows remote attackers to cause a denial of service (out-of-bounds read) via\nunspecified vectors related to the Fonts implementation (CVE-2014-7946).\n\nThe AppCacheUpdateJob::URLFetcher::OnResponseStarted function in\ncontent/browser/appcache/appcache_update_job.cc in Google Chrome before\n40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is\nan X.509 certificate error, which allows man-in-the-middle attackers to spoof\nHTML5 application content via a crafted certificate (CVE-2014-7948).\n\nMultiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91\nallow attackers to cause a denial of service or possibly have other impact\nvia unknown vectors (CVE-2015-1205).\n","modified":"2026-04-16T06:24:26.699294532Z","published":"2015-01-24T14:32:04Z","upstream":["CVE-2014-7924","CVE-2014-7925","CVE-2014-7927","CVE-2014-7928","CVE-2014-7929","CVE-2014-7930","CVE-2014-7931","CVE-2014-7932","CVE-2014-7934","CVE-2014-7935","CVE-2014-7936","CVE-2014-7938","CVE-2014-7939","CVE-2014-7941","CVE-2014-7942","CVE-2014-7943","CVE-2014-7946","CVE-2014-7948","CVE-2015-1205"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0036.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15105"},{"type":"WEB","url":"http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_25.html"},{"type":"WEB","url":"http://googlechromereleases.blogspot.com/2014/12/stable-channel-update.html"},{"type":"WEB","url":"http://googlechromereleases.blogspot.com/2015/01/stable-channel-update.html"},{"type":"WEB","url":"http://googlechromereleases.blogspot.com/2015/01/stable-update.html"}],"affected":[{"package":{"name":"chromium-browser-stable","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/chromium-browser-stable?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"40.0.2214.91-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0036.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}