CVE-2014-3188
Published: 8 October 2014
Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and Google V8, which allows remote attackers to execute arbitrary code via vectors involving JSON data, related to improper parsing of an escaped index by ParseJsonObject in json-parser.h.
Notes
Author | Note |
---|---|
seth-arnold | I didn't find a json-parser.h or ParseJsonObject via codesearch |
mikesalvatore | The Ubuntu Security Team does not support libv8 |
Priority
Status
Package | Release | Status |
---|---|---|
chromium-browser Launchpad, Ubuntu, Debian |
artful |
Released
(38.0.2125.111-0ubuntu1.1103)
|
bionic |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
cosmic |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
lucid |
Ignored
(end of life)
|
|
precise |
Ignored
|
|
trusty |
Released
(38.0.2125.111-0ubuntu0.14.04.1.1061)
|
|
upstream |
Released
(38.0.2125.101)
|
|
utopic |
Released
(38.0.2125.111-0ubuntu0.14.10.1.1103)
|
|
vivid |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
wily |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
xenial |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
yakkety |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
zesty |
Released
(38.0.2125.111-0ubuntu1.1103)
|
|
libv8 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
lucid |
Ignored
(end of life)
|
|
precise |
Ignored
(end of life)
|
|
trusty |
Does not exist
|
|
upstream |
Needed
|
|
utopic |
Does not exist
|
|
vivid |
Does not exist
|
|
wily |
Does not exist
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
libv8-3.14 Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Ignored
(libv8 not supported)
|
|
cosmic |
Ignored
(end of life)
|
|
lucid |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was ignored [libv8 not supported])
|
|
upstream |
Needed
|
|
utopic |
Ignored
(end of life)
|
|
vivid |
Ignored
(end of life)
|
|
wily |
Ignored
(end of life)
|
|
xenial |
Ignored
(libv8 not supported)
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Ignored
(end of life)
|
|
oxide-qt Launchpad, Ubuntu, Debian |
artful |
Released
(1.2.5-0ubuntu1)
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
lucid |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Released
(1.2.5-0ubuntu0.14.10.1)
|
|
upstream |
Released
(1.2.5)
|
|
utopic |
Released
(1.2.5-0ubuntu1)
|
|
vivid |
Released
(1.2.5-0ubuntu1)
|
|
wily |
Released
(1.2.5-0ubuntu1)
|
|
xenial |
Released
(1.2.5-0ubuntu1)
|
|
yakkety |
Released
(1.2.5-0ubuntu1)
|
|
zesty |
Released
(1.2.5-0ubuntu1)
|
References
- https://crbug.com/416449
- https://code.google.com/p/v8/source/detail?r=24125
- http://googlechromereleases.blogspot.com/2014/10/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/10/stable-channel-update-for-chrome-os.html
- https://ubuntu.com/security/notices/USN-2345-1
- https://www.cve.org/CVERecord?id=CVE-2014-3188
- NVD
- Launchpad
- Debian