The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.
googlechromereleases.blogspot.com/2014/07/stable-channel-update.html
secunia.com/advisories/60061
secunia.com/advisories/60372
security.gentoo.org/glsa/glsa-201408-16.xml
www.debian.org/security/2014/dsa-3039
www.securityfocus.com/bid/68677
code.google.com/p/chromium/issues/detail?id=380885
src.chromium.org/viewvc/blink?revision=176084&view=revision