CVE-2012-1845
Publication date 22 March 2012
Last updated 24 July 2024
Ubuntu priority
Use-after-free vulnerability in Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the DEP and ASLR protection mechanisms, and execute arbitrary code, via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary affected product may be clarified later; it was not identified by the researcher, who reportedly stated “it really doesn’t matter if it’s third-party code.”
Status
Package | Ubuntu Release | Status |
---|---|---|
chromium-browser | 12.10 quantal | Ignored end of life, was deferred |
chromium-browser | 12.04 LTS precise | Ignored end of life, was deferred |
chromium-browser | 11.10 oneiric | Ignored end of life, was deferred |
chromium-browser | 11.04 natty | Ignored end of life |
chromium-browser | 10.10 maverick | Ignored end of life |
chromium-browser | 10.04 LTS lucid | Ignored end of life, was deferred |
chromium-browser | 8.04 LTS hardy | Not in release |
Notes
jdstrand
VUPEN won’t release the exploit to Google to fix it, and access to the exploit is behind a paywall, so there is nothing to do. Marking deferred for now. Will re-open if new information is available.
References
Other references
- http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588
- http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
- http://twitter.com/vupen/statuses/177576000761237505
- http://pwn2own.zerodayinitiative.com/status.html
- https://www.cve.org/CVERecord?id=CVE-2012-1845