CERT-MU
AD-2011-61
Google Chrome Prior to 13.0.782.215 Multiple Security Vulnerabilities
Original issue date: August 22, 2011
Updated: December 19, 2011
Severity Rating: High
Overview
Multiple vulnerabilities have been identified in Google Chrome. These vulnerabilities can be exploited to cause execution of arbitrary code in the context of the browser, cause denial of service, perform spoofing attacks and bypass security restrictions. Google Chrome has issued an update to address these vulnerabilities.
Description
Multiple vulnerabilities have been identified in Google Chrome and these vulnerabilities can be exploited to cause execution of arbitrary code in the context of the browser, cause denial of service, perform spoofing attacks and bypass security restrictions. The issues identified are as follows:
- A use-after-free vulnerability arises in Google Chrome and it can allow remote attackers to cause a denial of service or have other impact via vectors involving custom fonts.
- Google Chrome is vulnerable to an error that allows remote attackers to bypass the Same Origin Policy via vectors related to empty origins.
- A use-after-free vulnerability occurs that allows remote attackers to cause a denial of service or have other impact via vectors related to text searching.
- Google Chrome does not properly handle vertex data and this allows remote attackers to execute arbitrary code or cause a denial of service condition via unspecified vectors.
- A double free vulnerability in libxml2 exists in Google Chrome that allows remote attackers to cause a denial of service or have other impact via a crafted XPath expression.
- On Windows, Google Chrome does not properly parse URLs located on the command line, which has unspecified impact and attack vectors.
- A use-after-free vulnerability occurs in Google Chrome and it allows remote attackers to cause a denial of service or have an unspecified impact via vectors involving a line box.
- A use-after-free vulnerability occurs in Google Chrome and this allows remote attackers to cause a denial of service or have other impact via vectors involving counter nodes.
- A vulnerability occurs in Google V8 and it allows remote attackers to cause a denial of service or have other impact via unknown vectors that trigger an out-of-bounds write.
- The PDF implementation in Google Chrome on Linux does not properly use the memset library function. This can allow remote attackers to cause a denial of service or have other unspecified impact via unknown vectors.
Affected Systems
- Red Hat Enterprise Linux Workstation Optional 6
- Red Hat Enterprise Linux Workstation 6
- Red Hat Enterprise Linux Server Optional 6
- Red Hat Enterprise Linux Server 6
- Red Hat Enterprise Linux HPC Node Optional 6
- Mandriva Linux Mandrake 2011
- Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva Linux Mandrake 2010.1
- Mandriva Linux Mandrake 2009.0 x86_64
- Google Chrome 6.0.472 55
- Google Chrome 5.0.375 99
- Google Chrome 5.0.375 86
A list of other affected systems is available on: http://www.securityfocus.com/bid/49279
Solution
Users are advised to apply updates. More information about the update is available on:
http://www.securityfocus.com/bid/49279/solution
CVE Information
CVE-2011-2806
CVE-2011-2821
CVE-2011-2822
CVE-2011-2823
CVE-2011-2824
CVE-2011-2825
CVE-2011-2826
CVE-2011-2827
CVE-2011-2828
CVE-2011-2829
CVE-2011-2839
References
Security Focus
http://www.securityfocus.com/bid/49279/info
Google Chrome Releases
http://googlechromereleases.blogspot.com/2011/08/stable-channel
Avaya Support
http://support.avaya.com/css/P8/documents/100153798
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
E-mail:

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis