Advisories ยป MGASA-2016-0274

Updated chromium-browser-stable packages fix security vulnerability

Publication date: 03 Aug 2016
Modification date: 03 Aug 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1705 , CVE-2016-1706 , CVE-2016-1708 , CVE-2016-1709 , CVE-2016-1710 , CVE-2016-1711 , CVE-2016-5127 , CVE-2016-5128 , CVE-2016-5129 , CVE-2016-5130 , CVE-2016-5133 , CVE-2016-5134 , CVE-2016-5135 , CVE-2016-5136 , CVE-2016-5137

Description

Multiple unspecified vulnerabilities in chromium before 52.0.2743.82 allow
attackers to cause a denial of service or possibly have other impact via
unknown vectors. (CVE-2016-1705)

The PPAPI implementation in Chromium before 52.0.2743.82 does not validate
the origin of IPC messages to the plugin broker process that should have
come from the browser process, which allows remote attackers to bypass a
sandbox protection mechanism via an unexpected message type, related to
broker_process_dispatcher.cc, ppapi_plugin_process_host.cc,
ppapi_thread.cc, and render_frame_message_filter.cc. (CVE-2016-1706)

The Chrome Web Store inline-installation implementation in the Extensions
subsystem in Chromium before 52.0.2743.82 does not properly consider
object lifetimes during progress observation, which allows remote
attackers to cause a denial of service (use-after-free) or possibly have
unspecified other impact via a crafted web site. (CVE-2016-1708)

Heap-based buffer overflow in the ByteArray::Get method in
data/byte_array.cc in sfntly before 2016-06-10, as used in Chromium before
52.0.2743.82, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted SFNT font.
(CVE-2016-1709)

The ChromeClientImpl::createWindow method in
WebKit/Source/web/ChromeClientImpl.cpp in Blink, as used in Chromium
before 52.0.2743.82, does not prevent window creation by a deferred frame,
which allows remote attackers to bypass the Same Origin Policy via a
crafted web site. (CVE-2016-1710)

WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Chromium
before 52.0.2743.82, does not disable frame navigation during a detach
operation on a DocumentLoader object, which allows remote attackers to
bypass the Same Origin Policy via a crafted web site. (CVE-2016-1711)

Use-after-free vulnerability in
WebKit/Source/core/editing/VisibleUnits.cpp in Blink, as used in Chromium
before 52.0.2743.82, allows remote attackers to cause a denial of service
or possibly have unspecified other impact via crafted JavaScript code
involving an @import at-rule in a Cascading Style Sheets (CSS) token
sequence in conjunction with a rel=import attribute of a LINK element.
(CVE-2016-5127)

objects.cc in V8 before 5.2.361.27, as used in Chromium before
52.0.2743.82, does not prevent API interceptors from modifying a store
target without setting a property, which allows remote attackers to bypass
the Same Origin Policy via a crafted web site. (CVE-2016-5128)

V8 before 5.2.361.32, as used in Chromium before 52.0.2743.82, does not
properly process left-trimmed objects, which allows remote attackers to
cause a denial of service (memory corruption) or possibly have unspecified
other impact via crafted JavaScript code. (CVE-2016-5129)

content/renderer/history_controller.cc in Chromium before 52.0.2743.82
does not properly restrict multiple uses of a JavaScript forward method,
which allows remote attackers to spoof the URL display via a crafted web
site. (CVE-2016-5130)

The Service Workers subsystem in Chromium before 52.0.2743.82 does not
properly implement the Secure Contexts specification during decisions
about whether to control a subframe, which allows remote attackers to
bypass the Same Origin Policy via an https IFRAME element inside an http
IFRAME element. (CVE-2016-5132)

Chromium before 52.0.2743.82 mishandles origin information during proxy
authentication, which allows man-in-the-middle attackers to spoof a
proxy-authentication login prompt or trigger incorrect credential storage
by modifying the client-server data stream. (CVE-2016-5133)

net/proxy/proxy_service.cc in the Proxy Auto-Config (PAC) feature in
Chromium before 52.0.2743.82 does not ensure that URL information is
restricted to a scheme, host, and port, which allows remote attackers to
discover credentials by operating a server with a PAC script, a related
issue to CVE-2016-3763. (CVE-2016-5134)

WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in
Chromium before 52.0.2743.82, does not consider referrer-policy
information inside an HTML document during a preload request, which allows
remote attackers to bypass the Content Security Policy (CSP) protection
mechanism via a crafted web site, as demonstrated by a
"Content-Security-Policy: referrer origin-when-cross-origin" header that
overrides a "" element.
(CVE-2016-5135)

Use-after-free vulnerability in
extensions/renderer/user_script_injector.cc in the Extensions subsystem in
Chromium before 52.0.2743.82 allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors related to
script deletion. (CVE-2016-5136)

The CSPSource::schemeMatches function in
WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy
(CSP) implementation in Blink, as used in Chromium before 52.0.2743.82,
does not apply http :80 policies to https :443 URLs and does not apply ws
:80 policies to wss :443 URLs, which makes it easier for remote attackers
to determine whether a specific HSTS web site has been visited by reading
a CSP report. NOTE: this vulnerability is associated with a specification
change after CVE-2016-1617 resolution. (CVE-2016-5137)

References

SRPMS

5/core