CVE-2012-1845

Priority
Medium
Description
Use-after-free vulnerability in Google Chrome 17.0.963.66 and earlier
allows remote attackers to bypass the DEP and ASLR protection mechanisms,
and execute arbitrary code, via unspecified vectors, as demonstrated by
VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary
affected product may be clarified later; it was not identified by the
researcher, who reportedly stated "it really doesn't matter if it's
third-party code."
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1845
http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588
http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
http://twitter.com/vupen/statuses/177576000761237505
http://pwn2own.zerodayinitiative.com/status.html
Notes
jdstrand> VUPEN won't release the exploit to Google to fix it, and access to
the exploit is behind a paywall, so there is nothing to do. Marking deferred
for now. Will re-open if new information is available.
Package
Source: chromium-browser (LP Ubuntu Debian)
Upstream:needed
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):deferred
Ubuntu 11.10 (Oneiric Ocelot):deferred
Ubuntu 12.04 LTS (Precise Pangolin):deferred
Ubuntu 12.10 (Quantal Quetzal):deferred
Ubuntu 13.04 (Raring Ringtail):deferred
More Information

Valid XHTML 1.0 Strict

Updated: 2013-01-14 18:14:34 UTC (commit 6275)