From ${URL} : The Chrome team is delighted to announce the promotion of Chrome 51 to the stable channel for Windows, Mac and Linux. Chrome 51.0.2704.63 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 51. Security Fixes and Rewards Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed. This update includes 42 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information. [$7500][590118] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski. [$7500][597532] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. [$7500][598165] High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski. [$7500][600182] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. [$7500][604901] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu. [$4000][602970] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360. [$3500][595259] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler. [$3500][606390] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu. [$3000][589848] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG. [$3000][613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos. [$1000][579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime. [$1000][583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire. [$1000][583171] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire. [$1000][601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB. [$1000][603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB. [$1000][603748] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu. [$1000][604897] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko. [$1000][606185] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG. [$1000][608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu. [$500][597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG. [$500][598077] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich. [$500][598752] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani. [$500][603682] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. As usual, our ongoing internal security work was responsible for a wide range of fixes: [614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives. Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
chromium-51.0.2704.63 is in the tree. Feel free to stabilize.
amd64 stable
x86 stable
CVE-2016-1695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1695): Multiple unspecified vulnerabilities in Google Chrome before 51.0.2704.63 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2016-1694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1694): browser/browsing_data/browsing_data_remover.cc in Google Chrome before 51.0.2704.63 deletes HPKP pins during cache clearing, which makes it easier for remote attackers to spoof web sites via a valid certificate from an arbitrary recognized Certification Authority. CVE-2016-1693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1693): browser/safe_browsing/srt_field_trial_win.cc in Google Chrome before 51.0.2704.63 does not use the HTTPS service on dl.google.com to obtain the Software Removal Tool, which allows remote attackers to spoof the chrome_cleanup_tool.exe (aka CCT) file via a man-in-the-middle attack on an HTTP session. CVE-2016-1692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1692): WebKit/Source/core/css/StyleSheetContents.cpp in Blink, as used in Google Chrome before 51.0.2704.63, permits cross-origin loading of CSS stylesheets by a ServiceWorker even when the stylesheet download has an incorrect MIME type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. CVE-2016-1691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1691): Skia, as used in Google Chrome before 51.0.2704.63, mishandles coincidence runs, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted curves, related to SkOpCoincidence.cpp and SkPathOpsCommon.cpp. CVE-2016-1690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1690): The Autofill implementation in Google Chrome before 51.0.2704.63 mishandles the interaction between field updates and JavaScript code that triggers a frame deletion, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted web site, a different vulnerability than CVE-2016-1701. CVE-2016-1689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1689): Heap-based buffer overflow in content/renderer/media/canvas_capture_handler.cc in Google Chrome before 51.0.2704.63 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site. CVE-2016-1688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1688): The regexp (aka regular expression) implementation in Google V8 before 5.0.71.40, as used in Google Chrome before 51.0.2704.63, mishandles external string sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted JavaScript code. CVE-2016-1687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1687): The renderer implementation in Google Chrome before 51.0.2704.63 does not properly restrict public exposure of classes, which allows remote attackers to obtain sensitive information via vectors related to extensions. CVE-2016-1686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1686): The CPDF_DIBSource::CreateDecoder function in core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp in PDFium, as used in Google Chrome before 51.0.2704.63, mishandles decoder-initialization failure, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. CVE-2016-1685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1685): core/fxge/ge/fx_ge_text.cpp in PDFium, as used in Google Chrome before 51.0.2704.63, miscalculates certain index values, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. CVE-2016-1684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1684): numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document. CVE-2016-1683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1683): numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document. CVE-2016-1682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1682): The ServiceWorkerContainer::registerServiceWorkerImpl function in WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp in Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a ServiceWorker registration. CVE-2016-1681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1681): Heap-based buffer overflow in the opj_j2k_read_SPCod_SPCoc function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 51.0.2704.63, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document. CVE-2016-1680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1680): Use-after-free vulnerability in ports/SkFontHost_FreeType.cpp in Skia, as used in Google Chrome before 51.0.2704.63, allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via unknown vectors. CVE-2016-1679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1679): The ToV8Value function in content/child/v8_value_converter_impl.cc in the V8 bindings in Google Chrome before 51.0.2704.63 does not properly restrict use of getters and setters, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted JavaScript code. CVE-2016-1678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1678): objects.cc in Google V8 before 5.0.71.32, as used in Google Chrome before 51.0.2704.63, does not properly restrict lazy deoptimization, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JavaScript code. CVE-2016-1677 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1677): uri.js in Google V8 before 5.1.281.26, as used in Google Chrome before 51.0.2704.63, uses an incorrect array type, which allows remote attackers to obtain sensitive information by calling the decodeURI function and leveraging "type confusion." CVE-2016-1676 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1676): extensions/renderer/resources/binding.js in the extension bindings in Google Chrome before 51.0.2704.63 does not properly use prototypes, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors. CVE-2016-1675 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1675): Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Same Origin Policy by leveraging the mishandling of Document reattachment during destruction, related to FrameLoader.cpp and LocalFrame.cpp. CVE-2016-1674 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1674): The extensions subsystem in Google Chrome before 51.0.2704.63 allows remote attackers to bypass the Same Origin Policy via unspecified vectors. CVE-2016-1673 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1673): Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. CVE-2016-1672 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1672): The ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the extension bindings in Google Chrome before 51.0.2704.63 mishandles properties, which allows remote attackers to conduct bindings-interception attacks and bypass the Same Origin Policy via unspecified vectors.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201607-07 at https://security.gentoo.org/glsa/201607-07 by GLSA coordinator Aaron Bauman (b-man).