Debian DSA-2706-1 : chromium-browser - several vulnerabilities

Critical Nessus Plugin ID 66852

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the Chromium web browser.

- CVE-2013-2855 The Developer Tools API in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

- CVE-2013-2856 Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of input.

- CVE-2013-2857 Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of images.

- CVE-2013-2858 Use-after-free vulnerability in the HTML5 Audio implementation in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

- CVE-2013-2859 Chromium before 27.0.1453.110 allows remote attackers to bypass the Same Origin Policy and trigger namespace pollution via unspecified vectors.

- CVE-2013-2860 Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving access to a database API by a worker process.

- CVE-2013-2861 Use-after-free vulnerability in the SVG implementation in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

- CVE-2013-2862 Skia, as used in Chromium before 27.0.1453.110, does not properly handle GPU acceleration, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

- CVE-2013-2863 Chromium before 27.0.1453.110 does not properly handle SSL sockets, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

- CVE-2013-2865 Multiple unspecified vulnerabilities in Chromium before 27.0.1453.110 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (wheezy), these problems have been fixed in version 27.0.1453.110-1~deb7u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2013-2855

https://security-tracker.debian.org/tracker/CVE-2013-2856

https://security-tracker.debian.org/tracker/CVE-2013-2857

https://security-tracker.debian.org/tracker/CVE-2013-2858

https://security-tracker.debian.org/tracker/CVE-2013-2859

https://security-tracker.debian.org/tracker/CVE-2013-2860

https://security-tracker.debian.org/tracker/CVE-2013-2861

https://security-tracker.debian.org/tracker/CVE-2013-2862

https://security-tracker.debian.org/tracker/CVE-2013-2863

https://security-tracker.debian.org/tracker/CVE-2013-2865

https://packages.debian.org/source/wheezy/chromium-browser

https://www.debian.org/security/2013/dsa-2706

Plugin Details

Severity: Critical

ID: 66852

File Name: debian_DSA-2706.nasl

Version: 1.10

Type: local

Agent: unix

Published: 2013/06/11

Updated: 2020/03/12

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 5.9

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/06/10

Reference Information

CVE: CVE-2013-2855, CVE-2013-2856, CVE-2013-2857, CVE-2013-2858, CVE-2013-2859, CVE-2013-2860, CVE-2013-2861, CVE-2013-2862, CVE-2013-2863, CVE-2013-2865

BID: 60395, 60396, 60397, 60398, 60399, 60400, 60401, 60403, 60404, 60405

DSA: 2706