Bug 584310 - <www-client/chromium-51.0.2704.63: multiple vulnerabilities (CVE-2016-{1672,1673,1674,1675,1676,1677,1678,1679,1680,1681,1682,1683,1684,1685,1686,1687,1688,1689,1690,1691,1692,1693,1694,1695})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa cve]
Reported: 2016-05-27 09:23 UTC by Agostino Sarubbo
Modified: 2016-07-16 13:24 UTC
Description Agostino Sarubbo gentoo-dev 2016-05-27 09:23:20 UTC
From ${URL} :

The Chrome team is delighted to announce the promotion of Chrome 51 to the stable channel for Windows, Mac and Linux.
Chrome 51.0.2704.63 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 51.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.
This update includes 42 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$7500][590118] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
[$7500][597532] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500][598165] High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
[$7500][600182] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500][604901] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
[$4000][602970] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
[$3500][595259] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
[$3500][606390] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
[$3000][589848] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
[$3000][613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
[$1000][579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
[$1000][583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
[$1000][583171] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
[$1000][601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
[$1000][603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
[$1000][603748] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
[$1000][604897] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
[$1000][606185] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
[$1000][608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
[$500][597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
[$500][598077] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
[$500][598752] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.
[$500][603682] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
[614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2016-05-27 21:11:00 UTC
chromium-51.0.2704.63 is in the tree. Feel free to stabilize.
Comment 2 Richard Freeman gentoo-dev 2016-05-28 17:10:32 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-05-30 08:06:59 UTC
x86 stable
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-06-22 11:51:52 UTC
CVE-2016-1695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1695):
  Multiple unspecified vulnerabilities in Google Chrome before 51.0.2704.63
  allow attackers to cause a denial of service or possibly have other impact
  via unknown vectors.

CVE-2016-1694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1694):
  browser/browsing_data/browsing_data_remover.cc in Google Chrome before
  51.0.2704.63 deletes HPKP pins during cache clearing, which makes it easier
  for remote attackers to spoof web sites via a valid certificate from an
  arbitrary recognized Certification Authority.

CVE-2016-1693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1693):
  browser/safe_browsing/srt_field_trial_win.cc in Google Chrome before
  51.0.2704.63 does not use the HTTPS service on dl.google.com to obtain the
  Software Removal Tool, which allows remote attackers to spoof the
  chrome_cleanup_tool.exe (aka CCT) file via a man-in-the-middle attack on an
  HTTP session.

CVE-2016-1692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1692):
  WebKit/Source/core/css/StyleSheetContents.cpp in Blink, as used in Google
  Chrome before 51.0.2704.63, permits cross-origin loading of CSS stylesheets
  by a ServiceWorker even when the stylesheet download has an incorrect MIME
  type, which allows remote attackers to bypass the Same Origin Policy via a
  crafted web site.

CVE-2016-1691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1691):
  Skia, as used in Google Chrome before 51.0.2704.63, mishandles coincidence
  runs, which allows remote attackers to cause a denial of service (heap-based
  buffer overflow) or possibly have unspecified other impact via crafted
  curves, related to SkOpCoincidence.cpp and SkPathOpsCommon.cpp.

CVE-2016-1690 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1690):
  The Autofill implementation in Google Chrome before 51.0.2704.63 mishandles
  the interaction between field updates and JavaScript code that triggers a
  frame deletion, which allows remote attackers to cause a denial of service
  (use-after-free) or possibly have unspecified other impact via a crafted web
  site, a different vulnerability than CVE-2016-1701.

CVE-2016-1689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1689):
  Heap-based buffer overflow in
  content/renderer/media/canvas_capture_handler.cc in Google Chrome before
  51.0.2704.63 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted web site.

CVE-2016-1688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1688):
  The regexp (aka regular expression) implementation in Google V8 before
  5.0.71.40, as used in Google Chrome before 51.0.2704.63, mishandles external
  string sizes, which allows remote attackers to cause a denial of service
  (out-of-bounds read) via crafted JavaScript code.

CVE-2016-1687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1687):
  The renderer implementation in Google Chrome before 51.0.2704.63 does not
  properly restrict public exposure of classes, which allows remote attackers
  to obtain sensitive information via vectors related to extensions.

CVE-2016-1686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1686):
  The CPDF_DIBSource::CreateDecoder function in
  core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp in PDFium, as used in
  Google Chrome before 51.0.2704.63, mishandles decoder-initialization
  failure, which allows remote attackers to cause a denial of service
  (out-of-bounds read) via a crafted PDF document.

CVE-2016-1685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1685):
  core/fxge/ge/fx_ge_text.cpp in PDFium, as used in Google Chrome before
  51.0.2704.63, miscalculates certain index values, which allows remote
  attackers to cause a denial of service (out-of-bounds read) via a crafted
  PDF document.

CVE-2016-1684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1684):
  numbers.c in libxslt before 1.1.29, as used in Google Chrome before
  51.0.2704.63, mishandles the i format token for xsl:number data, which
  allows remote attackers to cause a denial of service (integer overflow or
  resource consumption) or possibly have unspecified other impact via a
  crafted document.

CVE-2016-1683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1683):
  numbers.c in libxslt before 1.1.29, as used in Google Chrome before
  51.0.2704.63, mishandles namespace nodes, which allows remote attackers to
  cause a denial of service (out-of-bounds heap memory access) or possibly
  have unspecified other impact via a crafted document.

CVE-2016-1682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1682):
  The ServiceWorkerContainer::registerServiceWorkerImpl function in
  WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp in Blink, as
  used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass
  the Content Security Policy (CSP) protection mechanism via a ServiceWorker
  registration.

CVE-2016-1681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1681):
  Heap-based buffer overflow in the opj_j2k_read_SPCod_SPCoc function in j2k.c
  in OpenJPEG, as used in PDFium in Google Chrome before 51.0.2704.63, allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via a crafted PDF document.

CVE-2016-1680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1680):
  Use-after-free vulnerability in ports/SkFontHost_FreeType.cpp in Skia, as
  used in Google Chrome before 51.0.2704.63, allows remote attackers to cause
  a denial of service (heap memory corruption) or possibly have unspecified
  other impact via unknown vectors.

CVE-2016-1679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1679):
  The ToV8Value function in content/child/v8_value_converter_impl.cc in the V8
  bindings in Google Chrome before 51.0.2704.63 does not properly restrict use
  of getters and setters, which allows remote attackers to cause a denial of
  service (use-after-free) or possibly have unspecified other impact via
  crafted JavaScript code.

CVE-2016-1678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1678):
  objects.cc in Google V8 before 5.0.71.32, as used in Google Chrome before
  51.0.2704.63, does not properly restrict lazy deoptimization, which allows
  remote attackers to cause a denial of service (heap-based buffer overflow)
  or possibly have unspecified other impact via crafted JavaScript code.

CVE-2016-1677 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1677):
  uri.js in Google V8 before 5.1.281.26, as used in Google Chrome before
  51.0.2704.63, uses an incorrect array type, which allows remote attackers to
  obtain sensitive information by calling the decodeURI function and
  leveraging "type confusion."

CVE-2016-1676 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1676):
  extensions/renderer/resources/binding.js in the extension bindings in Google
  Chrome before 51.0.2704.63 does not properly use prototypes, which allows
  remote attackers to bypass the Same Origin Policy via unspecified vectors.

CVE-2016-1675 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1675):
  Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers
  to bypass the Same Origin Policy by leveraging the mishandling of Document
  reattachment during destruction, related to FrameLoader.cpp and
  LocalFrame.cpp.

CVE-2016-1674 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1674):
  The extensions subsystem in Google Chrome before 51.0.2704.63 allows remote
  attackers to bypass the Same Origin Policy via unspecified vectors.

CVE-2016-1673 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1673):
  Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers
  to bypass the Same Origin Policy via unspecified vectors.

CVE-2016-1672 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1672):
  The ModuleSystem::RequireForJsInner function in
  extensions/renderer/module_system.cc in the extension bindings in Google
  Chrome before 51.0.2704.63 mishandles properties, which allows remote
  attackers to conduct bindings-interception attacks and bypass the Same
  Origin Policy via unspecified vectors.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-06-22 11:54:15 UTC
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 13:24:49 UTC
This issue was resolved and addressed in
GLSA 201607-07 at https://security.gentoo.org/glsa/201607-07
by GLSA coordinator Aaron Bauman (b-man).