The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Chrome | * | 35.0.1916.113 (including) | |
| Chrome | 35.0.1916.0 (including) | 35.0.1916.0 (including) | |
| Chrome | 35.0.1916.1 (including) | 35.0.1916.1 (including) | |
| Chrome | 35.0.1916.2 (including) | 35.0.1916.2 (including) | |
| Chrome | 35.0.1916.3 (including) | 35.0.1916.3 (including) | |
| Chrome | 35.0.1916.4 (including) | 35.0.1916.4 (including) | |
| Chrome | 35.0.1916.5 (including) | 35.0.1916.5 (including) | |
| Chrome | 35.0.1916.6 (including) | 35.0.1916.6 (including) | |
| Chrome | 35.0.1916.7 (including) | 35.0.1916.7 (including) | |
| Chrome | 35.0.1916.8 (including) | 35.0.1916.8 (including) | |
| Chrome | 35.0.1916.9 (including) | 35.0.1916.9 (including) | |
| Chrome | 35.0.1916.10 (including) | 35.0.1916.10 (including) | |
| Chrome | 35.0.1916.11 (including) | 35.0.1916.11 (including) | |
| Chrome | 35.0.1916.13 (including) | 35.0.1916.13 (including) | |
| Chrome | 35.0.1916.14 (including) | 35.0.1916.14 (including) | |
| Chrome | 35.0.1916.15 (including) | 35.0.1916.15 (including) | |
| Chrome | 35.0.1916.17 (including) | 35.0.1916.17 (including) | |
| Chrome | 35.0.1916.18 (including) | 35.0.1916.18 (including) | |
| Chrome | 35.0.1916.19 (including) | 35.0.1916.19 (including) | |
| Chrome | 35.0.1916.20 (including) | 35.0.1916.20 (including) | |
| Chrome | 35.0.1916.21 (including) | 35.0.1916.21 (including) | |
| Chrome | 35.0.1916.22 (including) | 35.0.1916.22 (including) | |
| Chrome | 35.0.1916.23 (including) | 35.0.1916.23 (including) | |
| Chrome | 35.0.1916.27 (including) | 35.0.1916.27 (including) | |
| Chrome | 35.0.1916.31 (including) | 35.0.1916.31 (including) | |
| Chrome | 35.0.1916.32 (including) | 35.0.1916.32 (including) | |
| Chrome | 35.0.1916.33 (including) | 35.0.1916.33 (including) | |
| Chrome | 35.0.1916.34 (including) | 35.0.1916.34 (including) | |
| Chrome | 35.0.1916.35 (including) | 35.0.1916.35 (including) | |
| Chrome | 35.0.1916.36 (including) | 35.0.1916.36 (including) | |
| Chrome | 35.0.1916.37 (including) | 35.0.1916.37 (including) | |
| Chrome | 35.0.1916.38 (including) | 35.0.1916.38 (including) | |
| Chrome | 35.0.1916.39 (including) | 35.0.1916.39 (including) | |
| Chrome | 35.0.1916.40 (including) | 35.0.1916.40 (including) | |
| Chrome | 35.0.1916.41 (including) | 35.0.1916.41 (including) | |
| Chrome | 35.0.1916.42 (including) | 35.0.1916.42 (including) | |
| Chrome | 35.0.1916.43 (including) | 35.0.1916.43 (including) | |
| Chrome | 35.0.1916.44 (including) | 35.0.1916.44 (including) | |
| Chrome | 35.0.1916.45 (including) | 35.0.1916.45 (including) | |
| Chrome | 35.0.1916.46 (including) | 35.0.1916.46 (including) | |
| Chrome | 35.0.1916.47 (including) | 35.0.1916.47 (including) | |
| Chrome | 35.0.1916.48 (including) | 35.0.1916.48 (including) | |
| Chrome | 35.0.1916.49 (including) | 35.0.1916.49 (including) | |
| Chrome | 35.0.1916.51 (including) | 35.0.1916.51 (including) | |
| Chrome | 35.0.1916.52 (including) | 35.0.1916.52 (including) | |
| Chrome | 35.0.1916.54 (including) | 35.0.1916.54 (including) | |
| Chrome | 35.0.1916.56 (including) | 35.0.1916.56 (including) | |
| Chrome | 35.0.1916.57 (including) | 35.0.1916.57 (including) | |
| Chrome | 35.0.1916.59 (including) | 35.0.1916.59 (including) | |
| Chrome | 35.0.1916.61 (including) | 35.0.1916.61 (including) | |
| Chrome | 35.0.1916.68 (including) | 35.0.1916.68 (including) | |
| Chrome | 35.0.1916.69 (including) | 35.0.1916.69 (including) | |
| Chrome | 35.0.1916.71 (including) | 35.0.1916.71 (including) | |
| Chrome | 35.0.1916.72 (including) | 35.0.1916.72 (including) | |
| Chrome | 35.0.1916.74 (including) | 35.0.1916.74 (including) | |
| Chrome | 35.0.1916.77 (including) | 35.0.1916.77 (including) | |
| Chrome | 35.0.1916.80 (including) | 35.0.1916.80 (including) | |
| Chrome | 35.0.1916.82 (including) | 35.0.1916.82 (including) | |
| Chrome | 35.0.1916.84 (including) | 35.0.1916.84 (including) | |
| Chrome | 35.0.1916.85 (including) | 35.0.1916.85 (including) | |
| Chrome | 35.0.1916.86 (including) | 35.0.1916.86 (including) | |
| Chrome | 35.0.1916.88 (including) | 35.0.1916.88 (including) | |
| Chrome | 35.0.1916.90 (including) | 35.0.1916.90 (including) | |
| Chrome | 35.0.1916.92 (including) | 35.0.1916.92 (including) | |
| Chrome | 35.0.1916.93 (including) | 35.0.1916.93 (including) | |
| Chrome | 35.0.1916.95 (including) | 35.0.1916.95 (including) | |
| Chrome | 35.0.1916.96 (including) | 35.0.1916.96 (including) | |
| Chrome | 35.0.1916.98 (including) | 35.0.1916.98 (including) | |
| Chrome | 35.0.1916.99 (including) | 35.0.1916.99 (including) | |
| Chrome | 35.0.1916.101 (including) | 35.0.1916.101 (including) | |
| Chrome | 35.0.1916.103 (including) | 35.0.1916.103 (including) | |
| Chrome | 35.0.1916.104 (including) | 35.0.1916.104 (including) | |
| Chrome | 35.0.1916.105 (including) | 35.0.1916.105 (including) | |
| Chrome | 35.0.1916.106 (including) | 35.0.1916.106 (including) | |
| Chrome | 35.0.1916.107 (including) | 35.0.1916.107 (including) | |
| Chrome | 35.0.1916.108 (including) | 35.0.1916.108 (including) | |
| Chrome | 35.0.1916.109 (including) | 35.0.1916.109 (including) | |
| Chrome | 35.0.1916.110 (including) | 35.0.1916.110 (including) | |
| Chrome | 35.0.1916.111 (including) | 35.0.1916.111 (including) | |
| Chrome | 35.0.1916.112 (including) | 35.0.1916.112 (including) | |
| Chromium-browser | Ubuntu | devel | * |
| Chromium-browser | Ubuntu | lucid | * |
| Chromium-browser | Ubuntu | precise | * |
| Chromium-browser | Ubuntu | saucy | * |
| Chromium-browser | Ubuntu | trusty | * |
| Chromium-browser | Ubuntu | upstream | * |
| Oxide-qt | Ubuntu | devel | * |
| Oxide-qt | Ubuntu | trusty | * |
| Oxide-qt | Ubuntu | upstream | * |
References
- http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
- http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2014-06/msg00023.html
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
- http://secunia.com/advisories/58920
- http://secunia.com/advisories/59155
- http://secunia.com/advisories/60372
- http://security.gentoo.org/glsa/glsa-201408-16.xml
- http://support.apple.com/kb/HT6596
- http://www.debian.org/security/2014/dsa-2939
- http://www.securitytracker.com/id/1030270
- http://www.ubuntu.com/usn/USN-2937-1
- https://code.google.com/p/chromium/issues/detail?id=331168
- https://src.chromium.org/viewvc/blink?revision=170625\u0026view=revision
- http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
- http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2014-06/msg00023.html
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
- http://secunia.com/advisories/58920
- http://secunia.com/advisories/59155
- http://secunia.com/advisories/60372
- http://security.gentoo.org/glsa/glsa-201408-16.xml
- http://support.apple.com/kb/HT6596
- http://www.debian.org/security/2014/dsa-2939
- http://www.securitytracker.com/id/1030270
- http://www.ubuntu.com/usn/USN-2937-1
- https://code.google.com/p/chromium/issues/detail?id=331168
- https://src.chromium.org/viewvc/blink?revision=170625\u0026view=revision