Security Information / 2013 / Security Information -- DSA-2706-1 chromium-browser

Debian Security Advisory

DSA-2706-1 chromium-browser -- several vulnerabilities

Date Reported:

10 Jun 2013

Affected Packages:

chromium-browser

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-2855, CVE-2013-2856, CVE-2013-2857, CVE-2013-2858, CVE-2013-2859, CVE-2013-2860, CVE-2013-2861, CVE-2013-2862, CVE-2013-2863, CVE-2013-2865.

More information:

Several vulnerabilities have been discovered in the Chromium web browser.

• CVE-2013-2855

  The Developer Tools API in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

• CVE-2013-2856

  Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of input.

• CVE-2013-2857

  Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of images.

• CVE-2013-2858

  Use-after-free vulnerability in the HTML5 Audio implementation in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

• CVE-2013-2859

  Chromium before 27.0.1453.110 allows remote attackers to bypass the Same Origin Policy and trigger namespace pollution via unspecified vectors.

• CVE-2013-2860

  Use-after-free vulnerability in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving access to a database API by a worker process.

• CVE-2013-2861

  Use-after-free vulnerability in the SVG implementation in Chromium before 27.0.1453.110 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

• CVE-2013-2862

  Skia, as used in Chromium before 27.0.1453.110, does not properly handle GPU acceleration, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

• CVE-2013-2863

  Chromium before 27.0.1453.110 does not properly handle SSL sockets, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

• CVE-2013-2865

  Multiple unspecified vulnerabilities in Chromium before 27.0.1453.110 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

For the stable distribution (wheezy), these problems have been fixed in version 27.0.1453.110-1~deb7u1.

For the testing distribution (jessie), these problems have been fixed in version 27.0.1453.110-1.

For the unstable distribution (sid), these problems have been fixed in version 27.0.1453.110-1.

We recommend that you upgrade your chromium-browser packages.