Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 590420 (CVE-2016-5139, CVE-2016-5140, CVE-2016-5141, CVE-2016-5142, CVE-2016-5143, CVE-2016-5144, CVE-2016-5145, CVE-2016-5146) - <www-client/chromium-52.0.2743.116: Multiple Vulnerabilities
Summary: <www-client/chromium-52.0.2743.116: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-5139, CVE-2016-5140, CVE-2016-5141, CVE-2016-5142, CVE-2016-5143, CVE-2016-5144, CVE-2016-5145, CVE-2016-5146
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-03 21:13 UTC by Mike Gilbert
Modified: 2016-10-29 13:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gilbert gentoo-dev 2016-08-03 21:13:36 UTC
This update includes 10 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information. 
 [$4000][629542] High CVE-2016-5141 Address bar spoofing. Credit to Sergey Glazunov
[$4000][626948] High CVE-2016-5142 Use-after-free in Blink. Credit to Sergey Glazunov
[$3000][625541] High CVE-2016-5139 Heap overflow in pdfium. Credit to GiWan Go of Stealien
[$3500][619405] High CVE-2016-5140 Heap overflow in pdfium. Credit to Ke Liu of Tencent's Xuanwu LAB
[$4000][623406] Medium CVE-2016-5145 Same origin bypass for images in Blink. Credit to Sergey Glazunov
[$1000][619414] Medium CVE-2016-5143 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal
[$1000][618333] Medium CVE-2016-5144 Parameter sanitization failure in DevTools. Credit to Gregory Panakkal
 We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. 
 As usual, our ongoing internal security work was responsible for a wide range of fixes:
[633486] CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives.
Comment 1 Mike Gilbert gentoo-dev 2016-08-04 01:09:31 UTC
I have added 52.0.2743.116 to the gentoo repo. Please stabilize it.
Comment 2 Agostino Sarubbo gentoo-dev 2016-08-04 10:22:48 UTC
stabilization done.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-10-29 13:16:13 UTC
This issue was resolved and addressed in
 GLSA 201610-09 at https://security.gentoo.org/glsa/201610-09
by GLSA coordinator Kristian Fiskerstrand (K_F).