openSUSE-SU-2013:0454-1: moderate: chromium: updated to 27.0.1425
openSUSE Security Update: chromium: updated to 27.0.1425
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0454-1
Rating:             moderate
References:         #804986
Cross-References:   CVE-2013-0879 CVE-2013-0880 CVE-2013-0881
                    CVE-2013-0882 CVE-2013-0883 CVE-2013-0884
                    CVE-2013-0885 CVE-2013-0886 CVE-2013-0887
                    CVE-2013-0888 CVE-2013-0889 CVE-2013-0890
                    CVE-2013-0891 CVE-2013-0892 CVE-2013-0893
                    CVE-2013-0894 CVE-2013-0895 CVE-2013-0896
                    CVE-2013-0897 CVE-2013-0898 CVE-2013-0899
                    CVE-2013-0900
Affected Products:
                    openSUSE 12.2
                    openSUSE 12.1
______________________________________________________________________________

An update that fixes 22 vulnerabilities is now available.

Description:

chromium was updated to version 27.0.1425 having both stability and security fixes:

* Bug and stability fixes:
  - Fixed crash after clicking through malware warning. (Issue: 173986)
  - Fixed broken command line to create extensions with locale info (Issue: 176187)
  - Hosted apps in Chrome will always be opened from app launcher. (Issue: 176267)
  - Added modal confirmation dialog to the enterprise profile sign-in flow. (Issue: 171236)
  - Fixed a crash with autofill. (Issues: 175454, 176576)
  - Fixed issues with sign-in. (Issues: 175672, 175819, 175541, 176190)
  - Fixed spurious profile shortcuts created with a system-level install. (Issue: 177047)
  - Fixed the background tab flashing with certain themes. (Issue: 175426)
* Security Fixes: (bnc#804986)
  - High CVE-2013-0879: Memory corruption with web audio node
  - High CVE-2013-0880: Use-after-free in database handling
  - Medium CVE-2013-0881: Bad read in Matroska handling
  - High CVE-2013-0882: Bad memory access with excessive SVG parameters.
  - Medium CVE-2013-0883: Bad read in Skia.
  - Low CVE-2013-0884: Inappropriate load of NaCl.
  - Medium CVE-2013-0885: Too many API permissions granted to web store
  - Medium CVE-2013-0886: Incorrect NaCl signal handling.
  - Low CVE-2013-0887: Developer tools process has too many permissions and places too much trust in the connected server
  - Medium CVE-2013-0888: Out-of-bounds read in Skia
  - Low CVE-2013-0889: Tighten user gesture check for dangerous file downloads.
  - High CVE-2013-0890: Memory safety issues across the IPC layer.
  - High CVE-2013-0891: Integer overflow in blob handling.
  - Medium CVE-2013-0892: Lower severity issues across the IPC layer
  - Medium CVE-2013-0893: Race condition in media handling.
  - High CVE-2013-0894: Buffer overflow in vorbis decoding.
  - High CVE-2013-0895: Incorrect path handling in file copying.
  - High CVE-2013-0896: Memory management issues in plug-in message handling
  - Low CVE-2013-0897: Off-by-one read in PDF
  - High CVE-2013-0898: Use-after-free in URL handling
  - Low CVE-2013-0899: Integer overflow in Opus handling
  - Medium CVE-2013-0900: Race condition in ICU
* Make adjustment for autodetecting of the PepperFlash library. The package with the PepperFlash hopefully will be soon available through packman

- Update to 26.0.1411
  * Bug and stability fixes
- Update to 26.0.1403
  * Bug and stability fixes
- Using system libxml2 requires system libxslt.
- Using system MESA does not work in i586 for some reason.
- Also use system MESA, factory version seems adequate now.
- Always use system libxml2.
- Restrict the usage of system libraries instead of the bundled ones to new products, too much hassle otherwise.
- Also link kerberos and libgps directly, do not dlopen them.
- Avoid using dlopen on system libraries, rpm or the package manager do not handle this at all. Tested for a few weeks and implemented with a macro so it can be easily disabled if problems arise.
- Use SOME system libraries instead of the bundled ones, tested for several weeks and implemented with a macro for easy enable/disable in case of trouble.
- Update to 26.0.1393
  * Bug and stability fixes
  * Security fixes
- Update to 26.0.1375
  * Bug and stability fixes
- Update to 26.0.1371
  * Bug and stability fixes
- Update to 26.0.1367
  * Bug and stability fixes

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

    zypper in -t patch openSUSE-2013-203

- openSUSE 12.1:

    zypper in -t patch openSUSE-2013-203

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.2 (i586 x86_64):

    chromedriver-27.0.1425.0-1.35.1
    chromedriver-debuginfo-27.0.1425.0-1.35.1
    chromium-27.0.1425.0-1.35.1
    chromium-debuginfo-27.0.1425.0-1.35.1
    chromium-debugsource-27.0.1425.0-1.35.1
    chromium-desktop-gnome-27.0.1425.0-1.35.1
    chromium-desktop-kde-27.0.1425.0-1.35.1
    chromium-ffmpegsumo-27.0.1425.0-1.35.1
    chromium-ffmpegsumo-debuginfo-27.0.1425.0-1.35.1
    chromium-suid-helper-27.0.1425.0-1.35.1
    chromium-suid-helper-debuginfo-27.0.1425.0-1.35.1

- openSUSE 12.1 (i586 x86_64):

    chromedriver-27.0.1425.0-1.55.1
    chromedriver-debuginfo-27.0.1425.0-1.55.1
    chromium-27.0.1425.0-1.55.1
    chromium-debuginfo-27.0.1425.0-1.55.1
    chromium-debugsource-27.0.1425.0-1.55.1
    chromium-desktop-gnome-27.0.1425.0-1.55.1
    chromium-desktop-kde-27.0.1425.0-1.55.1
    chromium-ffmpegsumo-27.0.1425.0-1.55.1
    chromium-ffmpegsumo-debuginfo-27.0.1425.0-1.55.1
    chromium-suid-helper-27.0.1425.0-1.55.1
    chromium-suid-helper-debuginfo-27.0.1425.0-1.55.1

References:

    http://support.novell.com/security/cve/CVE-2013-0879.html
    http://support.novell.com/security/cve/CVE-2013-0880.html
    http://support.novell.com/security/cve/CVE-2013-0881.html
    http://support.novell.com/security/cve/CVE-2013-0882.html
    http://support.novell.com/security/cve/CVE-2013-0883.html
    http://support.novell.com/security/cve/CVE-2013-0884.html
    http://support.novell.com/security/cve/CVE-2013-0885.html
    http://support.novell.com/security/cve/CVE-2013-0886.html
    http://support.novell.com/security/cve/CVE-2013-0887.html
    http://support.novell.com/security/cve/CVE-2013-0888.html
    http://support.novell.com/security/cve/CVE-2013-0889.html
    http://support.novell.com/security/cve/CVE-2013-0890.html
    http://support.novell.com/security/cve/CVE-2013-0891.html
    http://support.novell.com/security/cve/CVE-2013-0892.html
    http://support.novell.com/security/cve/CVE-2013-0893.html
    http://support.novell.com/security/cve/CVE-2013-0894.html
    http://support.novell.com/security/cve/CVE-2013-0895.html
    http://support.novell.com/security/cve/CVE-2013-0896.html
    http://support.novell.com/security/cve/CVE-2013-0897.html
    http://support.novell.com/security/cve/CVE-2013-0898.html
    http://support.novell.com/security/cve/CVE-2013-0899.html
    http://support.novell.com/security/cve/CVE-2013-0900.html
    https://bugzilla.novell.com/804986