Eight security vulnerabilities have been discovered in the chromium software package. A remote attacker can exploit them to carry out a denial-of-service attack or to inject arbitrary HTML and script code.
Package:
chromium 11.x
Operating systems:
openSUSE 12.1, openSUSE 12.2
Problem:
improper memory handling, error in a software component, XSS
Exploitation:
remote
Impact:
injection of HTML and script code, denial of service (DoS)
openSUSE Security Update: chromium: update to 21.0.1180.88
______________________________________________________________________________
Announcement ID: openSUSE-SU-2012:1215-1
Rating: important
References: #778005
Cross-References: CVE-2012-2865 CVE-2012-2866 CVE-2012-2867
CVE-2012-2868 CVE-2012-2869 CVE-2012-2870
CVE-2012-2871 CVE-2012-2872
Affected Products:
openSUSE 12.2
openSUSE 12.1
______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
Chromium was updated to 21.0.1180.88 to fix various bugs
and security issues. Security fixes and rewards:
Please see the Chromium security page
<http://sites.google.com/a/chromium.org/dev/Home/chromium-security>
for more detail. Note that the referenced bugs
may be kept private until a majority of our users are up to
date with the fix.
- [$500] [121347<https://code.google.com/p/chromium/issues/detail?id=121347>]
Medium CVE-2012-2865: Out-of-bounds read in line breaking.
Credit to miaubiz.
- [$1000] [134897<https://code.google.com/p/chromium/issues/detail?id=134897>]
High CVE-2012-2866: Bad cast with run-ins. Credit to miaubiz.
- [135485<https://code.google.com/p/chromium/issues/detail?id=135485>]
Low CVE-2012-2867: Browser crash with SPDY.
- [$500] [136881<https://code.google.com/p/chromium/issues/detail?id=136881>]
Medium CVE-2012-2868: Race condition with workers and XHR.
Credit to miaubiz.
- [137778<https://code.google.com/p/chromium/issues/detail?id=137778>]
High CVE-2012-2869: Avoid stale buffer in URL loading.
Credit to Fermin Serna of the Google Security Team.
- [138672<https://code.google.com/p/chromium/issues/detail?id=138672>]
[140368<https://code.google.com/p/chromium/issues/detail?id=140368>]
Low CVE-2012-2870: Lower severity memory management issues
in XPath. Credit to Nicolas Gregoire.
- [$1000] [138673<https://code.google.com/p/chromium/issues/detail?id=138673>]
High CVE-2012-2871: Bad cast in XSL transforms.
Credit to Nicolas Gregoire.
- [$500] [142956<https://code.google.com/p/chromium/issues/detail?id=142956>]
Medium CVE-2012-2872: XSS in SSL interstitial.
Credit to Emmanuel Bronshtein.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 12.2:
zypper in -t patch openSUSE-2012-619
- openSUSE 12.1:
zypper in -t patch openSUSE-2012-619
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 12.2 (i586 x86_64):
chromedriver-23.0.1255.0-1.14.1
chromedriver-debuginfo-23.0.1255.0-1.14.1
chromium-23.0.1255.0-1.14.1
chromium-debuginfo-23.0.1255.0-1.14.1
chromium-debugsource-23.0.1255.0-1.14.1
chromium-desktop-gnome-23.0.1255.0-1.14.1
chromium-desktop-kde-23.0.1255.0-1.14.1
chromium-suid-helper-23.0.1255.0-1.14.1
chromium-suid-helper-debuginfo-23.0.1255.0-1.14.1
- openSUSE 12.1 (i586 x86_64):
chromedriver-23.0.1255.0-1.34.1
chromedriver-debuginfo-23.0.1255.0-1.34.1
chromium-23.0.1255.0-1.34.1
chromium-debuginfo-23.0.1255.0-1.34.1
chromium-debugsource-23.0.1255.0-1.34.1
chromium-desktop-gnome-23.0.1255.0-1.34.1
chromium-desktop-kde-23.0.1255.0-1.34.1
chromium-suid-helper-23.0.1255.0-1.34.1
chromium-suid-helper-debuginfo-23.0.1255.0-1.34.1
References:
http://support.novell.com/security/cve/CVE-2012-2865.html
http://support.novell.com/security/cve/CVE-2012-2866.html
http://support.novell.com/security/cve/CVE-2012-2867.html
http://support.novell.com/security/cve/CVE-2012-2868.html
http://support.novell.com/security/cve/CVE-2012-2869.html
http://support.novell.com/security/cve/CVE-2012-2870.html
http://support.novell.com/security/cve/CVE-2012-2871.html
http://support.novell.com/security/cve/CVE-2012-2872.html
https://bugzilla.novell.com/778005