Arch Linux ASA-201505-14
May 21, 2015 - 12:00 a.m.

chromium: multiple issues

lists.archlinux.org

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.067 Low
Percentile: 93.1%

  • CVE-2015-1251 (arbitrary code execution)

Use-after-free vulnerability in the SpeechRecognitionClient
implementation in the Speech subsystem allows remote attackers to
execute arbitrary code via a crafted document.

  • CVE-2015-1252 (sandbox protection bypass)

It has been discovered that common/partial_circular_buffer.cc does not
properly handle wraps, which allows remote attackers to bypass a sandbox
protection mechanism or cause a denial of service (out-of-bounds write)
via vectors that trigger a write operation with a large amount of data,
related to the PartialCircularBuffer::Write and
PartialCircularBuffer::DoWrite functions.

  • CVE-2015-1253 (same origin policy bypass)

It has been discovered that core/html/parser/HTMLConstructionSite.cpp in
the DOM implementation in Blink allows remote attackers to bypass the
Same Origin Policy via crafted JavaScript code that appends a child to a
SCRIPT element, related to the insert and executeReparentTask functions.

  • CVE-2015-1254 (same origin policy bypass)

It has been discovered that core/dom/Document.cpp in Blink enables the
inheritance of the designMode attribute, which allows remote attackers
to bypass the Same Origin Policy by leveraging the availability of editing.

  • CVE-2015-1255 (denial of service)

Use-after-free vulnerability in
content/renderer/media/webaudio_capturer_source.cc in the WebAudio
implementation allows remote attackers to cause a denial of service
(heap memory corruption) or possibly have unspecified other impact by
leveraging improper handling of a stop action for an audio track.

  • CVE-2015-1256 (denial of service)

Use-after-free vulnerability in the SVG implementation in Blink allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted document that leverages improper
handling of a shadow tree for a use element.

  • CVE-2015-1257 (denial of service)

It has been discovered that platform/graphics/filters/FEColorMatrix.cpp
in the SVG implementation in Blink does not properly handle an
insufficient number of values in an feColorMatrix filter, which allows
remote attackers to cause a denial of service (container overflow) or
possibly have unspecified other impact via a crafted document.

  • CVE-2015-1258 (denial of service)

Google Chrome before 43.0.2357.65 relies on libvpx code that was not
built with an appropriate --size-limit value, which allows remote
attackers to trigger a negative value for a size field, and consequently
cause a denial of service or possibly have unspecified other impact, via
a crafted frame size in VP9 video data.

  • CVE-2015-1259 (denial of service)

PDFium does not properly initialize memory, which allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.

  • CVE-2015-1260 (denial of service)

Multiple use-after-free vulnerabilities in
content/renderer/media/user_media_client_impl.cc in the WebRTC
implementation allow remote attackers to cause a denial of service or
possibly have unspecified other impact via crafted JavaScript code that
executes upon completion of a getUserMedia request.

  • CVE-2015-1263 (man-in-the-middle)

The Spellcheck API implementation does not use an HTTPS session for
downloading a Hunspell dictionary, which allows man-in-the-middle
attackers to deliver incorrect spelling suggestions or possibly have
unspecified other impact via a crafted file.

  • CVE-2015-1264 (cross-site scripting)

Cross-site scripting (XSS) vulnerability allows user-assisted remote
attackers to inject arbitrary web script or HTML via crafted data that
is improperly handled by the Bookmarks feature.

  • CVE-2015-1265 (denial of service)

Multiple unspecified vulnerabilities in Google Chrome before
43.0.2357.65 allow attackers to cause a denial of service or possibly
have other impact via unknown vectors.

OS    Version    Architecture    Package     Version              Filename
any   any        any             chromium    < 43.0.2357.65-1     UNKNOWN
