1. Ubuntu Security Notices
  2. USN-2326-1

USN-2326-1: Oxide vulnerabilities

Publication date

2 September 2014

Overview

Several security issues were fixed in Oxide.

Releases

Packages

  • oxide-qt - Web browser engine library for Qt (QML plugin)

Details

A use-after-free was discovered in the SVG implementation in Blink. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2014-3168)

A use-after-free was discovered in the DOM implementation in Blink. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2014-3169)

A use-after-free was discovered in V8. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via renderer crash, or execute...

A use-after-free was discovered in the SVG implementation in Blink. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2014-3168)

A use-after-free was discovered in the DOM implementation in Blink. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2014-3169)

A use-after-free was discovered in V8. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via renderer crash, or execute arbitrary
code with the privileges of the sandboxed render process. (CVE-2014-3171)

It was discovered that WebGL clear calls did not interact properly with
the state of a draw buffer. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service. (CVE-2014-3173)

A threading issue was discovered in the Web Audio API during attempts to
update biquad filter coefficients. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service. (CVE-2014-3174)

Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial of
service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2014-3175)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
14.04 trusty liboxideqtcore0 –  1.1.2-0ubuntu0.14.04.1
oxideqt-codecs –  1.1.2-0ubuntu0.14.04.1
oxideqt-codecs-extra –  1.1.2-0ubuntu0.14.04.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›