Google Chrome: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0079
     A number of vulnerabilities have been identified in Google Chrome
                             19 September 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3234 CVE-2011-2875 CVE-2011-2874
                      CVE-2011-2864 CVE-2011-2862 CVE-2011-2861
                      CVE-2011-2860 CVE-2011-2859 CVE-2011-2858
                      CVE-2011-2857 CVE-2011-2856 CVE-2011-2855
                      CVE-2011-2854 CVE-2011-2853 CVE-2011-2852
                      CVE-2011-2851 CVE-2011-2850 CVE-2011-2849
                      CVE-2011-2848 CVE-2011-2847 CVE-2011-2846
                      CVE-2011-2844 CVE-2011-2843 CVE-2011-2842
                      CVE-2011-2841 CVE-2011-2840 CVE-2011-2839
                      CVE-2011-2838 CVE-2011-2837 CVE-2011-2836
                      CVE-2011-2835 CVE-2011-2834 
Member content until: Wednesday, October 19 2011
Reference:            ASB-2011.0068

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome
        prior to version 14.0.835.163. [1]


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        "[49377] High CVE-2011-2835: Race condition in the certificate cache. Credit to Ryan Sleevi of the Chromium development community.
        [51464] Low CVE-2011-2836: Infobar the Windows Media Player plug-in to avoid click-free access to the system Flash. Credit to electronixtar.
        [Linux only] [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to wbrana.
        [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when loading plug-ins. Credit to Michal Zalewski of the Google Security Team.
        [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit to Kostya Serebryany of the Chromium development community.
        [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual user interaction. Credit to kuzzcc.
        [$500] [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to Mario Gomes.
        [Mac only] [80680] Low CVE-2011-2842: Insecure lock file handling in the Mac installer. Credit to Aaron Sigel of vtty.com.
        [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers. Credit to Kostya Serebryany of the Chromium development community.
        [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit to Mario Gomes.
        [$1000] [89219] High CVE-2011-2846: Use-after-free in unload event handling. Credit to Arthur Gerkis.
        [$1000] [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to miaubiz.
        [$500] [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit to Jordi Chancel.
        [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets. Credit to Arthur Gerkis.
        [$500] [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit to miaubiz.
        [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters. Credit to miaubiz.
        [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling. Credit to Google Chrome Security Team (Inferno).
        [$500] [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler.
        [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit to Google Chrome Security Team (SkyLined).
        [$1000] [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style handing. Credit to Sławomir Błażek, and independent later discoveries by miaubiz and Google Chrome Security Team (Inferno).
        [$1000] [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to Arthur Gerkis.
        [$2000] [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel Divricean.
        [$1000] [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit to miaubiz.
        [$1000] [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
        [93497] Medium CVE-2011-2859: Incorrect permissions assigned to non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm of Recurity Labs.
        [$1000] [93587] High CVE-2011-2860: Use-after-free in table style handling. Credit to miaubiz.
        [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki Helin of OUSPG.
        [$2337] [93906] High CVE-2011-2862: Unintended access to v8 built-in objects. Credit to Sergey Glazunov.
        [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan characters. Credit to Google Chrome Security Team (Inferno).
        [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays. Credit to Google Chrome Security Team (Inferno).
        [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a session. Credit to Nishant Yadant of VMware and Craig Chamberlain (@randomuserid).
        [$1000] [95920] High CVE-2011-2875: Type confusion in v8 object sealing. Credit to Christian Holler." [1]


MITIGATION

        The vendor recommends upgrading to the latest version of Google Chrome
        to correct these issues. [1]


REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTnbL/+4yVqjM2NGpAQK6KRAAqi6opGzUQezp8MKMZ35eZXsSE8qWLDPm
Pr1mJpGysIusurLz3M+npPu8Qp8xvt0u0D6JFdtBPbs4CTzC8kVVp4l8cceI8aro
4Bn3LO044QDsJF9Ra4QlzBZrz3slM9ysuSDZDh+IOopkBS1WChNYwfW5q1+aPyoJ
jDERJwsEAxwXUj8O6eYaaQElknaHj2gvCswvJCgbXkz2iE43rcNivMfowD1DAc3c
RINlQFzh4uF5o8uHApZpyJ2sEOf7lH+GI5TH+SYbwVSXQQXM2eA1NmbHMM0Bqx+R
gIaPxOhn7g7i2ElNcWrtQ80ph6FcES+uGMJypoSkfaIctq5L832cCPk2HkDgtNwf
wFt6QHAWi6ZOyxn/dQ7+nt3uXFubqGV2zznjE7IZjYpQE2yzXtAWWuKEQDJC/Ijk
2sJF8F+fteC7wUYHReslfOn/GBPD80nZJnzXNEFiliM3VPjtgnEK5JCs9Zmm0ydh
LEzsd6XhJ4Vi+VLFvTfcszy2za9CdQ4pmpphxG+n0oefqy6ekx5dco4tcRKad+nb
r/63nwe6hy8i++D04LdyLkO3ZanlSkc9FGA2KPrNbRrVrPg+ehaXm2HuP7dmBlob
oDihq2ef7naDvdv2jT8GzKqyeeigWRdw2XOBo0mHJ4eXK6Fo352MP4DrDq8nnlBh
lvnWwe/4XUc=
=VS1S
-----END PGP SIGNATURE-----