MGASA-2016-0127

Updated chromium-browser-stable packages fix security vulnerability

Publication date: 31 Mar 2016
Modification date: 31 Mar 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1622, CVE-2016-1623, CVE-2016-1624, CVE-2016-1625, CVE-2016-1626, CVE-2016-1627, CVE-2016-1628, CVE-2016-1629, CVE-2016-1630, CVE-2016-1631, CVE-2016-1632, CVE-2016-1633, CVE-2016-1634, CVE-2016-1635, CVE-2016-1636, CVE-2016-1637, CVE-2016-1638, CVE-2016-1639, CVE-2016-1640, CVE-2016-1641, CVE-2016-1642, CVE-2016-1643, CVE-2016-1644, CVE-2016-1645, CVE-2016-1646, CVE-2016-1647, CVE-2016-1648, CVE-2016-1649, CVE-2016-1650

Description

Chromium-browser-stable 49.0.2623.108 fixes the following security issues:

Multiple security issues were found in upstream Chromium 49.0.2623.87: an
out-of-bounds read in V8 (CVE-2016-1646), use-after-free bugs in
Navigation (CVE-2016-1647) and Extensions (CVE-2016-1648), a buffer
overflow in libANGLE (CVE-2016-1649), and various security issues found
in internal audits, fuzzing, and other initiatives (CVE-2016-1650).
Multiple vulnerabilities in V8 were fixed in V8 4.9.385.33.

The ImageInputType::ensurePrimaryContent function in
WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in
Google Chrome before 49.0.2623.87, does not properly maintain the user
agent shadow DOM, which allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors that
leverage "type confusion." (CVE-2016-1643)

WebKit/Source/core/layout/LayoutObject.cpp in Blink, as used in Google
Chrome before 49.0.2623.87, does not properly restrict relayout
scheduling, which allows remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via a crafted
HTML document. (CVE-2016-1644)

Multiple integer signedness errors in the opj_j2k_update_image_data
function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before
49.0.2623.87, allow remote attackers to cause a denial of service
(incorrect cast and out-of-bounds write) or possibly have unspecified
other impact via crafted JPEG 2000 data. (CVE-2016-1645)

The ContainerNode::parserRemoveChild function in
WebKit/Source/core/dom/ContainerNode.cpp in Blink, as used in Google
Chrome before 49.0.2623.75, mishandles widget updates, which makes it
easier for remote attackers to bypass the Same Origin Policy via a
crafted web site. (CVE-2016-1630)

The PPB_Flash_MessageLoop_Impl::InternalRun function in
content/renderer/pepper/ppb_flash_message_loop_impl.cc in the Pepper
plugin in Google Chrome before 49.0.2623.75 mishandles nested message
loops, which allows remote attackers to bypass the Same Origin Policy via
a crafted web site. (CVE-2016-1631)

The Extensions subsystem in Google Chrome before 49.0.2623.75 does not
properly maintain own properties, which allows remote attackers to bypass
intended access restrictions via crafted JavaScript code that triggers an
incorrect cast, related to extensions/renderer/v8_helpers.h and
gin/converter.h. (CVE-2016-1632)

Use-after-free vulnerability in Blink, as used in Google Chrome before
49.0.2623.75, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors.
(CVE-2016-1633)

Use-after-free vulnerability in the StyleResolver::appendCSSStyleSheet
function in WebKit/Source/core/css/resolver/StyleResolver.cpp in Blink, as
used in Google Chrome before 49.0.2623.75, allows remote attackers to
cause a denial of service or possibly have unspecified other impact via a
crafted web site that triggers Cascading Style Sheets (CSS) style
invalidation during a certain subtree-removal action. (CVE-2016-1634)

extensions/renderer/render_frame_observer_natives.cc in Google Chrome
before 49.0.2623.75 does not properly consider object lifetimes and
re-entrancy issues during OnDocumentElementCreated handling, which allows
remote attackers to cause a denial of service (use-after-free) or possibly
have unspecified other impact via unknown vectors. (CVE-2016-1635)

The PendingScript::notifyFinished function in
WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before
49.0.2623.75 relies on memory-cache information about integrity-check
occurrences instead of integrity-check successes, which allows remote
attackers to bypass the Subresource Integrity (aka SRI) protection
mechanism by triggering two loads of the same resource. (CVE-2016-1636)

The SkATan2_255 function in effects/gradients/SkSweepGradient.cpp in Skia,
as used in Google Chrome before 49.0.2623.75, mishandles arctangent
calculations, which allows remote attackers to obtain sensitive
information via a crafted web site. (CVE-2016-1637)

extensions/renderer/resources/platform_app.js in the Extensions subsystem
in Google Chrome before 49.0.2623.75 does not properly restrict use of Web
APIs, which allows remote attackers to bypass intended access restrictions
via a crafted platform app. (CVE-2016-1638)

Use-after-free vulnerability in
browser/extensions/api/webrtc_audio_private/webrtc_audio_private_api.cc in
the WebRTC Audio Private API implementation in Google Chrome before
49.0.2623.75 allows remote attackers to cause a denial of service or
possibly have unspecified other impact by leveraging incorrect reliance on
the resource context pointer. (CVE-2016-1639)

The Web Store inline-installer implementation in the Extensions UI in
Google Chrome before 49.0.2623.75 does not block installations upon
deletion of an installation frame, which makes it easier for remote
attackers to trick a user into believing that an installation request
originated from the user's next navigation target via a crafted web site.
(CVE-2016-1640)

Use-after-free vulnerability in
content/browser/web_contents/web_contents_impl.cc in Google Chrome before
49.0.2623.75 allows remote attackers to cause a denial of service or
possibly have unspecified other impact by triggering an image download
after a certain data structure is deleted, as demonstrated by a
favicon.ico download. (CVE-2016-1641)

Multiple unspecified vulnerabilities in Google Chrome before 49.0.2623.75
allow attackers to cause a denial of service or possibly have other impact
via unknown vectors. (CVE-2016-1642)

Google Chrome before 48.0.2564.116 allows remote attackers to bypass the
Blink Same Origin Policy and a sandbox protection mechanism via
unspecified vectors. (CVE-2016-1629)

The Extensions subsystem in Google Chrome before 48.0.2564.109 does not
prevent use of the Object.defineProperty method to override intended
extension behavior, which allows remote attackers to bypass the Same
Origin Policy via crafted JavaScript code. (CVE-2016-1622)
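CVE-2016-1622 belongs to a general class: privileged code reads properties of an object that page script can shape with Object.defineProperty, so a getter can return one value during the check and another during use. The following is an added illustration of that class and of the usual hardening (snapshot own data properties once, reject accessors, then check and use the copy). It is not Chrome's extension code; the request object, the allowed origin and the check itself are constructed for the example.

```javascript
// Added example of the check/use split that Object.defineProperty getters
// exploit. Illustrative code, not Chromium's.
const ALLOWED_ORIGIN = "https://trusted.example"; // constructed policy

// Vulnerable: validates request.url, then reads request.url again.
// If 'url' is an accessor, the two reads may differ.
function vulnerableFetch(request) {
  if (new URL(request.url).origin !== ALLOWED_ORIGIN) {
    return { allowed: false, url: null };
  }
  return { allowed: true, url: request.url }; // second read
}

// Hardened: copy the needed properties once. Only plain data properties are
// accepted; an accessor (getter) is rejected outright.
function snapshot(obj, keys) {
  const out = {};
  for (const key of keys) {
    const d = Object.getOwnPropertyDescriptor(obj, key);
    if (!d || !("value" in d)) {
      throw new TypeError(`property ${key} must be a plain data property`);
    }
    out[key] = d.value;
  }
  return Object.freeze(out);
}

function hardenedFetch(request) {
  const req = snapshot(request, ["url"]);
  if (typeof req.url !== "string" || new URL(req.url).origin !== ALLOWED_ORIGIN) {
    return { allowed: false, url: null };
  }
  return { allowed: true, url: req.url }; // same value that was checked
}

// Constructed attacker object: the first read of 'url' passes the origin
// check, every later read points at another origin.
function makeFlippingRequest() {
  let reads = 0;
  const req = {};
  Object.defineProperty(req, "url", {
    enumerable: true,
    configurable: true,
    get() {
      reads += 1;
      return reads === 1 ? ALLOWED_ORIGIN + "/api" : "https://attacker.example/steal";
    },
  });
  return req;
}

function demo() {
  const v = vulnerableFetch(makeFlippingRequest());
  let hardenedRejected = false;
  try {
    hardenedFetch(makeFlippingRequest());
  } catch (e) {
    hardenedRejected = e instanceof TypeError;
  }
  const honest = hardenedFetch({ url: ALLOWED_ORIGIN + "/api" });
  return {
    vulnerableAllowed: v.allowed,
    vulnerableUrl: v.url,
    hardenedRejected,
    honestAllowed: honest.allowed,
  };
}

console.log(demo());
```

The same discipline applies to any privileged boundary (extension bindings, postMessage handlers, native hooks): read untrusted objects once into local, frozen copies and never re-dereference the caller-controlled object after validation.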

The DOM implementation in Google Chrome before 48.0.2564.109 does not
properly restrict frame-attach operations from occurring during or after
frame-detach operations, which allows remote attackers to bypass the Same
Origin Policy via a crafted web site, related to FrameLoader.cpp,
HTMLFrameOwnerElement.h, LocalFrame.cpp, and WebLocalFrameImpl.cpp.
(CVE-2016-1623)

Integer underflow in the ProcessCommandsInternal function in dec/decode.c
in Brotli, as used in Google Chrome before 48.0.2564.109, allows remote
attackers to cause a denial of service (buffer overflow) or possibly have
unspecified other impact via crafted data with brotli compression.
(CVE-2016-1624)

The Chrome Instant feature in Google Chrome before 48.0.2564.109 does not
ensure that a New Tab Page (NTP) navigation target is on the most-visited
or suggestions list, which allows remote attackers to bypass intended
restrictions via unspecified vectors, related to instant_service.cc and
search_tab_helper.cc. (CVE-2016-1625)

The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in
PDFium in Google Chrome before 48.0.2564.109, miscalculates a certain
layer index value, which allows remote attackers to cause a denial of
service (out-of-bounds read) via a crafted PDF document. (CVE-2016-1626)

pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109,
does not validate a certain precision value, which allows remote attackers
to execute arbitrary code or cause a denial of service (out-of-bounds
read) via a crafted JPEG 2000 image in a PDF document, related to the
opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions.
(CVE-2016-1628)

The Developer Tools (aka DevTools) subsystem in Google Chrome before
48.0.2564.109 does not validate URL schemes and ensure that the remoteBase
parameter is associated with a chrome-devtools-frontend.appspot.com URL,
which allows remote attackers to bypass intended access restrictions via a
crafted URL, related to browser/devtools/devtools_ui_bindings.cc and
WebKit/Source/devtools/front_end/Runtime.js. (CVE-2016-1627)

SRPMS

5/core