openSUSE Security Update : chromium (openSUSE-SU-2014:0601-1)

High Nessus Plugin ID 75340

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

This chromium version update fixes the following security and non-security issues :

 - Add patch chromium-fix-arm-skia-memset.patch to resolve a linking issue on ARM with regards to missing symbols.

 - Add patch arm_use_gold.patch to use the right gold binaries on ARM. Hopefully this resolves the build issues with running out of memory

 - bnc#872805: Update to Chromium 34.0.1847.116

 - Responsive Images and Unprefixed Web Audio

 - Import supervised users onto new computers

 - A number of new apps/extension APIs

- Lots of under the hood changes for stability and performance

- Security fixes :

 - CVE-2014-1716: UXSS in V8

 - CVE-2014-1717: OOB access in V8

 - CVE-2014-1718: Integer overflow in compositor

 - CVE-2014-1719: Use-after-free in web workers

 - CVE-2014-1720: Use-after-free in DOM

 - CVE-2014-1721: Memory corruption in V8

 - CVE-2014-1722: Use-after-free in rendering

 - CVE-2014-1723: Url confusion with RTL characters

 - CVE-2014-1724: Use-after-free in speech

 - CVE-2014-1725: OOB read with window property

 - CVE-2014-1726: Local cross-origin bypass

 - CVE-2014-1727: Use-after-free in forms

 - CVE-2014-1728: Various fixes from internal audits, fuzzing and other initiatives

 - CVE-2014-1729: Multiple vulnerabilities in V8

- No longer build against system libraries as that Chromium works a lot better and crashes less on websites than with system libs

 - Added package depot_tools.tar.gz as that the chromium build now requires it during the initial build phase. It just contains some utilities and nothing from it is being installed.

 - If people want to install newer versions of the ffmpeg library then let them. This is what they want.

 - Remove the buildscript from the sources

Solution

Update the affected chromium packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=872805

https://lists.opensuse.org/opensuse-updates/2014-05/msg00012.html

Plugin Details

Severity: High

ID: 75340

File Name: openSUSE-2014-330.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2014/06/13

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:chromedriver, p-cpe:/a:novell:opensuse:chromedriver-debuginfo, p-cpe:/a:novell:opensuse:chromium, p-cpe:/a:novell:opensuse:chromium-debuginfo, p-cpe:/a:novell:opensuse:chromium-debugsource, p-cpe:/a:novell:opensuse:chromium-desktop-gnome, p-cpe:/a:novell:opensuse:chromium-desktop-kde, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo-debuginfo, p-cpe:/a:novell:opensuse:chromium-suid-helper, p-cpe:/a:novell:opensuse:chromium-suid-helper-debuginfo, cpe:/o:novell:opensuse:12.3, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/04/22

Reference Information

CVE: CVE-2014-1716, CVE-2014-1717, CVE-2014-1718, CVE-2014-1719, CVE-2014-1720, CVE-2014-1721, CVE-2014-1722, CVE-2014-1723, CVE-2014-1724, CVE-2014-1725, CVE-2014-1726, CVE-2014-1727, CVE-2014-1728, CVE-2014-1729

BID: 66704