VulDB: Google Chrome up to 19.0.1084.57 Matroska Container buffer overflow
General

scipID: 5609
Affected: Google Chrome up to 19.0.1084.57
Published: 06/26/2012 (Jüri Aedla)
Risk: critical
Entry: 89.5% complete
Created: 06/27/2012
Updated: 09/03/2012
Summary
A vulnerability was found in Google Chrome up to 19.0.1084.57 and classified as critical. This issue affects an unknown function of the component Matroska Container. Manipulation with an unknown input leads to a buffer overflow. Confidentiality, integrity, and availability are impacted.
The weakness was shared on 06/26/2012 by Jüri Aedla as 132779. The advisory is available for download at code.google.com. The vendor cooperated in the coordination of the public release. This vulnerability has been identified as CVE-2012-2834 since 05/19/2012. The attack may be initiated remotely. No form of authentication is needed for successful exploitation. Neither technical details nor an exploit are publicly available.
Upgrading to version 20.0.1132.43 eliminates this vulnerability. The upgrade is hosted for download at google.com. The problem might be mitigated by replacing the product with Mozilla Firefox, Microsoft Internet Explorer, or Opera as an alternative. Upgrading to the latest version is suggested as the best possible mitigation. A possible mitigation was published immediately after the disclosure of the vulnerability. The vulnerability is also documented in the vulnerability database at OSVDB (83250). googlechromereleases.blogspot.de provides further details.
CVSS
Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Local | High | Multiple | None | None | None |
| Adjacent | **Medium** | Single | **Partial** | **Partial** | **Partial** |
| **Network** | Low | **None** | Complete | Complete | Complete |
Exploiting
Class: Buffer overflow
Local: No
Remote: Yes
Availability: No
Countermeasures
Recommended: Upgrade
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Upgrade: Chrome 20.0.1132.43
Alternative: Mozilla Firefox, Microsoft Internet Explorer, Opera
Timeline
05/19/2012 | CVE assigned
06/26/2012 | Vendor acknowledged
06/26/2012 | Advisory disclosed
06/26/2012 | Countermeasure disclosed
06/27/2012 | OSVDB entry created
06/27/2012 | VulDB entry created
09/03/2012 | VulDB entry updated
Sources
Advisory: 132779
Researcher: Jüri Aedla
Coordinated: Yes
OSVDB: 83250
CVE: CVE-2012-2834 (mitre.org) (nist.org) (cvedetails.com)



















