ID

VAR-201103-0039

CVE

CVE-2011-1121

TITLE

Google Chrome Vulnerable to integer overflow

DESCRIPTION

Integer overflow in Google Chrome before 9.0.597.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a TEXTAREA element. Google Chrome is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible. Chrome versions prior to 9.0.597.107 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2189-1 security@debian.org http://www.debian.org/security/ Giuseppe Iuculano March 10, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium-browser Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-1108 CVE-2011-1109 CVE-2011-1113 CVE-2011-1114 CVE-2011-1115 CVE-2011-1121 CVE-2011-1122 Several vulnerabilities were discovered in the Chromium browser. In addition, this upload fixes the following issues (they don't have a CVE id yet): Out-of-bounds read in text searching [69640] Memory corruption in SVG fonts. [72134] Memory corruption with counter nodes. [69628] Stale node in box layout. [70027] Cross-origin error message leak with workers. [73746] For the stable distribution (squeeze), these problems have been fixed in version 6.0.472.63~r59945-5+squeeze3 For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed version 10.0.648.127~r76697-1 We recommend that you upgrade your chromium-browser packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk15CPIACgkQNxpp46476apOTwCeO/u1tj/KiXId1WdLPSp7zCuA i9QAn2wh3voXsFmlxWwB1wooTlO7JajG =zEFn -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43519 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43519/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43519 RELEASE DATE: 2011-03-20 DISCUSS ADVISORY: http://secunia.com/advisories/43519/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43519/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43519 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Google Chrome, where some have an unknown impact while others can be exploited to conduct spoofing attacks, disclose sensitive information, and potentially compromise a user's system. 1) An unspecified error related to the URL bar can be exploited to conduct spoofing attacks. 2) An unspecified error exists in the handling of JavaScript dialogs. 3) An error when handling stylesheet nodes can lead to a stale pointer. 4) An error when handling key frame rules can lead to a stale pointer. 5) An unspecified error exists in the handling of form controls. 6) An unspecified error exists while rendering SVG content. 7) An unspecified error in pickle deserialization can be exploited to cause out-of-bounds reads. This vulnerability affects 64-bit builds for Linux only. 8) An unspecified error in table handling can lead to a stale node. 9) An unspecified error in table rendering can lead to a stale pointer. 10) An unspecified error in SVG animations can lead to a stale pointer. 11) An unspecified error when handling XHTML can lead to a stale node. 12) An unspecified error exists in the textarea handling. 13) An unspecified error when handling device orientation can lead to a stale pointer. 14) An unspecified error in WebGL can be exploited to cause out-of-bounds reads. 15) An integer overflow exists in the textarea handling. 16) An unspecified error in WebGL can be exploited to cause out-of-bounds reads. 17) An unspecified error can lead to exposure of internal extension functions. 18) A use-after-free error exists within the handling of blocked plug-ins. 19) An unspecified error when handling layouts can lead to a stale pointer. SOLUTION: Update to version 9.0.597.107. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Jordi Chancel. 2) Sergey Radchenko. 3, 4, 13) Sergey Glazunov. 5) Stefan van Zanden. 6) Slawomir Blazek. 7) Evgeniy Stepanov, Chromium development community. 8, 9, 19) Martin Barbella. 10, 14, 15) miaubiz. 11, 12) wushi, team509. 17) Tavis Ormandy, Google Security Team. 18) Chamal de Silva. ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-10-11-1 iTunes 10.5 iTunes 10.5 is now available and addresses the following: CoreFoundation Available for: Windows 7, Vista, XP SP2 or later Impact: A man-in-the-middle attack may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006. CVE-ID CVE-2011-0259 : Apple ColorSync Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreAudio Available for: Windows 7, Vista, XP SP2 or later Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio stream encoded with the advanced audio code. This issue does not affect OS X Lion systems. CVE-ID CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day Initiative CoreMedia Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of H.264 encoded movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006. CVE-ID CVE-2011-3219 : Damian Put working with TippingPoint's Zero Day Initiative ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A reentrancy issue existed in ImageIO's handling of TIFF images. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP WebKit Available for: Windows 7, Vista, XP SP2 or later Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution. A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. CVE-ID CVE-2011-1774 : Nicolas Gregoire of Agarri iTunes 10.5 may be obtained from: http://www.apple.com/itunes/download/ For Windows XP / Vista / Windows 7: The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: 1205cda4ce9a32db2fe02cf9f2cf2c0bf7d47bdb For 64-bit Windows XP / Vista / Windows 7: The download file is named: "iTunes64Setup.exe" Its SHA-1 digest is: ab400ad27a537613b3b5306ea026763a93d57fdf Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOlHiHAAoJEGnF2JsdZQee3qwH/0lwVfV3mYVgDxPYfnJlPVF/ 2LNjJjmafyNdzSoOOyL9bn5QZqdDlvHCkjgpsq+yX7//8bF/kN7qj3jNBh2qMFCa cTqIpRnJP5G1GwCdWCep6ZS9NNcv7pADcuoLrHJAHyFE+BlTSNJPkiD3noJiBBuQ j6CZl5If05rDY7fhspQ6zTlJ7NzzyTIrGM1aJXur2wawVhEALO56gb7+GzGeORax zU0Jafu9OL8naPfXOFRCvqGXyGBEW0VeWzGqaudDvui1LA5djp6B5AknuE4Xlotq fXPtwmylQ3B4OaBkoavqPI/UwKkQe0Bn/EsTHf4Pxeo+11CLwRg+JgLCanXRpqw= =12aV -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. 2) An error within CFNetwork when using the NTLM authentication protocol can be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page. 3) An error exists within CFNetwork when handling SSL certificates, which does not properly verify disabled root certificates. This can lead to certificates signed by the disabled root certificates being validated. For more information see vulnerability #7 in: SA45054 7) An error exists within ICU (International Components for Unicode). For more information see vulnerability #9 in: SA45054 9) An error in ImageIO within the handling of CCITT Group 4 encoded TIFF image files can be exploited to cause a heap-based buffer overflow. 10) A use-after-free error within WebKit when handling TIFF images can result in an invalid pointer being dereferenced when a user views a specially crafted web page. 11) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832 12) An off-by-one error within libxml when handling certain XML data can be exploited to cause a heap-based buffer overflow. 13) An error in the "AutoFill web forms" feature can be exploited to disclose certain information from the user's Address Book by tricking a user into visiting a specially crafted web page. 14) A cross-origin error when handling certain fonts in Java Applets can lead to certain text being displayed on other sites. 15) Multiple unspecified errors in the WebKit component can be exploited to corrupt memory. 16) An error within WebKit when handling libxslt configurations can be exploited to create arbitrary files. 20) An error within the handling of DOM history objects can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar. 22) A weakness in WebKit can lead to remote DNS prefetching For more information see vulnerability #6 in: SA42312 23) A use-after-free error within WebKit when processing MathML markup tags can result in an invalid pointer being dereferenced when a user views a specially crafted web page. 24) An error within WebKit when parsing a frameset element can be exploited to cause a heap-based buffer overflow. 25) A use-after-free error within WebKit when handling XHTML tags can result in an invalid tag pointer being dereferenced when a user views a specially crafted web page. 26) A use-after-free error within WebKit when handling SVG tags can result in an invalid pointer being dereferenced when a user views a specially crafted web page. PROVIDED AND/OR DISCOVERED BY: 10) Juan Pablo Lopez Yacubian via iDefense 4) binaryproof via ZDI 8) Dominic Chell, NGS Secure 23, 25, 26) wushi, team509 via iDefense 24) Jose A. Vazquez via iDefense The vendor credits: 1) Hidetake Jo via Microsoft Vulnerability Research (MSVR) and Neal Poole, Matasano Security 2) Takehiro Takahashi, IBM X-Force Research 3) An anonymous reporter 5) Harry Sintonen 6) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team 7) David Bienvenu, Mozilla 9) Cyril CATTIAUX, Tessi Technologies 11) Chris Evans, Google Chrome Security Team 12) Billy Rios, Google Security Team 13) Florian Rienhardt of BSI, Alex Lambert, and Jeremiah Grossman 14) Joshua Smith, Kaon Interactive 16) Nicolas Gregoire, Agarri 17) Daniel Divricean, divricean.ro 18) Jobert Abma, Online24 19) Sergey Glazunov 20) Jordi Chancel 21) Jason Hullinger 22) Mike Cardwell, Cardwell IT The vendor provides a bundled list of credits for vulnerabilities in #15: * David Weston, Microsoft and Microsoft Vulnerability Research (MSVR) * Yong Li, Research In Motion * SkyLined, Google Chrome Security Team * Abhishek Arya (Inferno), Google Chrome Security Team * Nikita Tarakanov and Alex Bazhanyuk, CISS Research Team * J23 via ZDI * Rob King via ZDI * wushi, team509 via ZDI * wushi of team509 * Adam Barth, Google Chrome Security Team * Richard Keen * An anonymous researcher via ZDI * Rik Cabanier, Adobe Systems * Martin Barbella * Sergey Glazunov * miaubiz * Andreas Kling, Nokia * Marek Majkowski via iDefense * John Knottenbelt, Google ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4808 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-228/ NGS Secure: http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities

AFFECTED PRODUCTS