- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 201403-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Chromium, V8: Multiple vulnerabilities
     Date: March 05, 2014
     Bugs: #486742, #488148, #491128, #491326, #493364, #498168,
           #499502, #501948, #503372
       ID: 201403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Chromium and V8, the
worst of which may allow execution of arbitrary code.

Background
==========

Chromium is an open-source web browser project. V8 is Google's open
source JavaScript engine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/chromium     < 33.0.1750.146          >= 33.0.1750.146
  2  dev-lang/v8               < 3.20.17.13                Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Chromium and V8.
Please review the CVE identifiers and release notes referenced below
for details.

Impact
======

A context-dependent attacker could entice a user to open a specially
crafted web site or JavaScript program using Chromium or V8, possibly
resulting in the execution of arbitrary code with the privileges of
the process or a Denial of Service condition. Furthermore, a remote
attacker may be able to bypass security restrictions or have other
unspecified impact.
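
The version bounds in the "Affected packages" table can be checked against a
package inventory. The script below is an added example, not part of the
Gentoo advisory; the function names and the sample inventory are constructed
for illustration, and it assumes purely numeric dotted versions with an
optional -rN revision suffix.

```shell
#!/bin/sh
# Thresholds copied from the "Affected packages" table of GLSA 201403-01.
CHROMIUM_FIXED="33.0.1750.146"   # www-client/chromium: unaffected from here
V8_VULN_BELOW="3.20.17.13"       # dev-lang/v8: vulnerable below this

# ver_lt A B: succeed when dotted numeric version A is lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# glsa_status ATOM: classify one category/package-version string.
glsa_status() {
    case $1 in
        www-client/chromium-[0-9]*)
            ver=${1#www-client/chromium-}; ver=${ver%-r[0-9]*}
            if ver_lt "$ver" "$CHROMIUM_FIXED"; then echo vulnerable
            else echo unaffected; fi ;;
        dev-lang/v8-[0-9]*)
            ver=${1#dev-lang/v8-}; ver=${ver%-r[0-9]*}
            # No unaffected version is listed; the advisory says to unmerge.
            if ver_lt "$ver" "$V8_VULN_BELOW"; then echo vulnerable
            else echo unsupported; fi ;;
        *) echo not-listed ;;
    esac
}

# scan_inventory: read atoms on stdin, print "<status> <atom>" for listed ones.
scan_inventory() {
    while IFS= read -r atom; do
        st=$(glsa_status "$atom")
        [ "$st" = "not-listed" ] || printf '%s %s\n' "$st" "$atom"
    done
}

# Constructed sample inventory (not taken from a real host).
sample_inventory() {
    printf '%s\n' www-client/chromium-32.0.1700.102 \
        www-client/chromium-33.0.1750.146 dev-lang/v8-3.19.18.19 \
        sys-apps/portage-2.2.8-r1
}

sample_inventory | scan_inventory
```

Components are compared numerically, so 33.0.1750.99 is correctly reported as
lower than 33.0.1750.146 where a plain string comparison would not be.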

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/chromium-33.0.1750.146"

Gentoo has discontinued support for the separate V8 package. We
recommend that users unmerge V8:

  # emerge --unmerge "dev-lang/v8"

References
==========

[  1 ] CVE-2013-2906 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2906
[  2 ] CVE-2013-2907 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2907
[  3 ] CVE-2013-2908 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2908
[  4 ] CVE-2013-2909 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2909
[  5 ] CVE-2013-2910 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2910
[  6 ] CVE-2013-2911 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2911
[  7 ] CVE-2013-2912 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2912
[  8 ] CVE-2013-2913 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2913
[  9 ] CVE-2013-2915 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2915
[ 10 ] CVE-2013-2916 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2916
[ 11 ] CVE-2013-2917 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2917
[ 12 ] CVE-2013-2918 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2918
[ 13 ] CVE-2013-2919 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2919
[ 14 ] CVE-2013-2920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2920
[ 15 ] CVE-2013-2921 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2921
[ 16 ] CVE-2013-2922 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2922
[ 17 ] CVE-2013-2923 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2923
[ 18 ] CVE-2013-2925 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2925
[ 19 ] CVE-2013-2926 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2926
[ 20 ] CVE-2013-2927 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2927
[ 21 ] CVE-2013-2928 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2928
[ 22 ] CVE-2013-2931 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2931
[ 23 ] CVE-2013-6621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6621
[ 24 ] CVE-2013-6622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6622
[ 25 ] CVE-2013-6623 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6623
[ 26 ] CVE-2013-6624 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6624
[ 27 ] CVE-2013-6625 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6625
[ 28 ] CVE-2013-6626 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6626
[ 29 ] CVE-2013-6627 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6627
[ 30 ] CVE-2013-6628 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6628
[ 31 ] CVE-2013-6632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6632
[ 32 ] CVE-2013-6634 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6634
[ 33 ] CVE-2013-6635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6635
[ 34 ] CVE-2013-6636 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6636
[ 35 ] CVE-2013-6637 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6637
[ 36 ] CVE-2013-6638 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6638
[ 37 ] CVE-2013-6639 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6639
[ 38 ] CVE-2013-6640 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6640
[ 39 ] CVE-2013-6641 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6641
[ 40 ] CVE-2013-6643 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6643
[ 41 ] CVE-2013-6644 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6644
[ 42 ] CVE-2013-6645 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6645
[ 43 ] CVE-2013-6646 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6646
[ 44 ] CVE-2013-6649 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6649
[ 45 ] CVE-2013-6650 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6650
[ 46 ] CVE-2013-6652 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6652
[ 47 ] CVE-2013-6653 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6653
[ 48 ] CVE-2013-6654 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6654
[ 49 ] CVE-2013-6655 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6655
[ 50 ] CVE-2013-6656 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6656
[ 51 ] CVE-2013-6657 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6657
[ 52 ] CVE-2013-6658 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6658
[ 53 ] CVE-2013-6659 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6659
[ 54 ] CVE-2013-6660 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6660
[ 55 ] CVE-2013-6661 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6661
[ 56 ] CVE-2013-6663 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6663
[ 57 ] CVE-2013-6664 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6664
[ 58 ] CVE-2013-6665 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6665
[ 59 ] CVE-2013-6666 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6666
[ 60 ] CVE-2013-6667 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6667
[ 61 ] CVE-2013-6668 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6668
[ 62 ] CVE-2013-6802 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6802
[ 63 ] CVE-2014-1681 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1681

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201403-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5