-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0994
                     chromium-browser security update
                               19 July 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2880 CVE-2013-2879 CVE-2013-2878
                   CVE-2013-2877 CVE-2013-2876 CVE-2013-2875
                   CVE-2013-2873 CVE-2013-2871 CVE-2013-2870
                   CVE-2013-2869 CVE-2013-2868 CVE-2013-2867
                   CVE-2013-2853  

Reference:         ASB-2013.0083

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2724

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2724-1                   security@debian.org
http://www.debian.org/security/                           Michael Gilbert
July 17, 2013                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2853 CVE-2013-2867 CVE-2013-2868 CVE-2013-2869
                 CVE-2013-2870 CVE-2013-2871 CVE-2013-2873 CVE-2013-2875
                 CVE-2013-2876 CVE-2013-2877 CVE-2013-2878 CVE-2013-2879
                 CVE-2013-2880

Several vulnerabilities have been discovered in the Chromium web browser.

CVE-2013-2853

    The HTTPS implementation does not ensure that headers are terminated
    by \r\n\r\n (carriage return, newline, carriage return, newline).
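
The check this entry describes, as an added example that is not Chromium's code: a client-side HTTP/1.x response-head reader that treats the header block as complete only after the CRLFCRLF terminator has actually arrived, keeps reading while it has not, and refuses to accept a bare LF LF in its place. The two-chunk sample response, the LF-only sample, and the 64 KiB head limit are constructed for the example.

```python
# Added example (not Chromium's code): a strict HTTP/1.x response-head reader
# that only treats the head as complete once the CRLFCRLF terminator is present.
import re
from typing import Dict, Optional, Tuple

HEAD_TERMINATOR = b"\r\n\r\n"
MAX_HEAD_BYTES = 64 * 1024   # assumption: give up if the head grows past this


def split_head(buf: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (head, body) once buf holds a complete CRLFCRLF-terminated head.

    Returns None while the terminator has not arrived, so a caller receiving
    data in pieces keeps reading instead of acting on a partial head. A bare
    LF LF is deliberately not accepted as a terminator.
    """
    end = buf.find(HEAD_TERMINATOR)
    if end == -1:
        if len(buf) > MAX_HEAD_BYTES:
            raise ValueError("head exceeds %d bytes without CRLFCRLF" % MAX_HEAD_BYTES)
        return None
    return buf[:end], buf[end + len(HEAD_TERMINATOR):]


def parse_head(head: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse the status line and headers of a complete head (terminator removed)."""
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii")
    if not re.match(r"HTTP/1\.[01] [1-5]\d{2}(?: |$)", status):
        raise ValueError("malformed status line: %r" % status)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR or LF inside a header line")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return status, headers


class HeadReader:
    """Accumulates chunks as they arrive from a socket; parses the head once complete."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, chunk: bytes) -> Optional[Tuple[str, Dict[str, str], bytes]]:
        """Return (status, headers, body_so_far) once the head is complete, else None."""
        self.buf += chunk
        parts = split_head(self.buf)
        if parts is None:
            return None
        head, body = parts
        status, headers = parse_head(head)
        return status, headers, body


# Constructed sample response, delivered in two chunks as a socket might.
CHUNK_1 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"        # no terminator yet
CHUNK_2 = b"Content-Type: text/plain\r\n\r\nhello"
LF_ONLY = b"HTTP/1.1 200 OK\nContent-Length: 5\n\nhello"    # LF-only: never complete


def demo() -> Tuple[bool, str, Dict[str, str], bytes, bool]:
    """Feed the chunks in order and report what a correct reader does at each step."""
    reader = HeadReader()
    first = reader.feed(CHUNK_1)                    # None: head still incomplete
    status, headers, body = reader.feed(CHUNK_2)    # now complete
    lf_only_complete = split_head(LF_ONLY) is not None
    return first is None, status, headers, body, lf_only_complete


if __name__ == "__main__":
    print(demo())
```

The important property is the None return from split_head: the reader never parses or hands a body to the caller on the strength of a partial head, and an LF-only block that a lenient parser might accept is left waiting for the real terminator.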

CVE-2013-2867

    Chrome does not properly prevent pop-under windows.

CVE-2013-2868

    common/extensions/sync_helper.cc proceeds with sync operations for
    NPAPI extensions without checking for a certain plugin permission
    setting.

CVE-2013-2869

    Denial of service (out-of-bounds read) via a crafted JPEG2000
    image.

CVE-2013-2870

    Use-after-free vulnerability in network sockets.

CVE-2013-2871

    Use-after-free vulnerability in input handling.

CVE-2013-2873

    Use-after-free vulnerability in resource loading.

CVE-2013-2875

    Out-of-bounds read in SVG file handling.

CVE-2013-2876

    Chrome does not properly enforce restrictions on the capture of
    screenshots by extensions, which could lead to information
    disclosure from previous page visits.

CVE-2013-2877

    Out-of-bounds read in XML file handling.

CVE-2013-2878

    Out-of-bounds read in text handling.

CVE-2013-2879

    The circumstances in which a renderer process can be considered a
    trusted process for sign-in and subsequent sync operations were
    not properly checked.

CVE-2013-2880

    The Chrome 28 development team found various issues through internal
    fuzzing, audits, and other studies.

For the stable distribution (wheezy), these problems have been fixed in
version 28.0.1500.71-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 28.0.1500.71-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----