[arch-security] [ASA-201612-18] qt5-webengine: multiple issues
Remi Gacogne
rgacogne at archlinux.org
Sat Dec 17 18:59:58 UTC 2016
Arch Linux Security Advisory ASA-201612-18
==========================================
Severity: Critical
Date : 2016-12-17
CVE-ID : CVE-2016-5133 CVE-2016-5147 CVE-2016-5153 CVE-2016-5155
CVE-2016-5161 CVE-2016-5166 CVE-2016-5170 CVE-2016-5171
CVE-2016-5172 CVE-2016-5181 CVE-2016-5185 CVE-2016-5186
CVE-2016-5187 CVE-2016-5188 CVE-2016-5192 CVE-2016-5198
Package : qt5-webengine
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package qt5-webengine before version 5.7.1-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing,
cross-site scripting, information disclosure and same-origin policy
bypass.
Resolution
==========
Upgrade to 5.7.1-1.
# pacman -Syu "qt5-webengine>=5.7.1-1"
The problems have been fixed upstream in version 5.7.1.
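As an added example (not part of the advisory or of Arch's own tooling), a small Python parser for this advisory's header format, followed by a check of an installed package version against the fixed version; the embedded text is an excerpt copied from this advisory, and the version ordering is a simplified numeric stand-in for pacman's vercmp (an assumption, not pacman's algorithm).

```python
import re

# Constructed excerpt of this advisory (ASA-201612-18), used as sample input.
ADVISORY = """Arch Linux Security Advisory ASA-201612-18
Severity: Critical
Date : 2016-12-17
CVE-ID : CVE-2016-5133 CVE-2016-5147 CVE-2016-5153 CVE-2016-5155
CVE-2016-5161 CVE-2016-5166 CVE-2016-5170 CVE-2016-5171
Package : qt5-webengine
Remote : Yes
Resolution
==========
Upgrade to 5.7.1-1.
"""

FIELD_RE = re.compile(r"^(Severity|Date|Package|Type|Remote)\s*:\s*(.+)$", re.M)

def parse_advisory(text):
    """Return the header fields, the (possibly wrapped) CVE list and the fixed version."""
    rec = {k.lower(): v.strip() for k, v in FIELD_RE.findall(text)}
    rec["id"] = re.search(r"ASA-\d{6}-\d+", text).group(0)
    # The CVE-ID field wraps across lines, so collect every CVE token, deduplicated in order.
    rec["cves"] = list(dict.fromkeys(re.findall(r"CVE-\d{4}-\d{4,}", text)))
    fixed = re.search(r"^Upgrade to (\S+?)\.?$", text, re.M)
    rec["fixed_version"] = fixed.group(1) if fixed else None
    return rec

def version_key(v):
    """Comparable tuple for an Arch version 'epoch:pkgver-pkgrel'. Assumption: a
    simplified stand-in for pacman's vercmp that orders numeric components only."""
    epoch, _, rest = v.rpartition(":")
    pkgver, _, pkgrel = rest.partition("-")
    return (int(epoch or 0),
            [int(x) for x in re.findall(r"\d+", pkgver)],
            [int(x) for x in re.findall(r"\d+", pkgrel)])

def is_affected(installed, fixed):
    """True when the installed version sorts strictly below the fixed version."""
    return version_key(installed) < version_key(fixed)

def check_pacman_query(line, adv):
    """Evaluate one 'pacman -Q <pkg>' output line ('name version') against the
    advisory; None when the line concerns a different package."""
    name, ver = line.split()
    if name != adv["package"]:
        return None
    return is_affected(ver, adv["fixed_version"])

if __name__ == "__main__":
    adv = parse_advisory(ADVISORY)
    for line in ("qt5-webengine 5.7.0-1", "qt5-webengine 5.7.1-1"):  # constructed pacman -Q output
        print(line, "affected" if check_pacman_query(line, adv) else "fixed")
```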
Workaround
==========
None.
Description
===========
- CVE-2016-5133 (content spoofing)
Google Chrome before 52.0.2743.82 mishandles origin information during
proxy authentication, which allows man-in-the-middle attackers to spoof
a proxy-authentication login prompt or trigger incorrect credential
storage by modifying the client-server data stream.
- CVE-2016-5147 (cross-site scripting)
Blink, as used in Google Chrome, mishandles deferred page loads, which
allows remote attackers to inject arbitrary web script or HTML via a
crafted web site, aka "Universal XSS (UXSS)."
- CVE-2016-5153 (arbitrary code execution)
The Web Animations implementation in Blink improperly relies on list
iteration, which allows remote attackers to cause a denial of service
(use-after-destruction) or possibly have unspecified other impact via a
crafted web site.
- CVE-2016-5155 (content spoofing)
Chromium does not properly validate access to the initial document,
which allows remote attackers to spoof the address bar via a crafted
web site.
- CVE-2016-5161 (information disclosure)
The EditingStyle::mergeStyle function in
WebKit/Source/core/editing/EditingStyle.cpp in Blink mishandles custom
properties, which allows remote attackers to cause a denial of service
or possibly have unspecified other impact via a crafted web site that
leverages "type confusion" in the StylePropertySerializer class.
- CVE-2016-5166 (information disclosure)
The download implementation in Chromium does not properly restrict
saving a file:// URL that is referenced by an http:// URL, which makes
it easier for user-assisted remote attackers to discover NetNTLM hashes
and conduct SMB relay attacks via a crafted web page that is accessed
with the "Save page as" menu choice.
- CVE-2016-5170 (arbitrary code execution)
WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink does
not properly consider getter side effects during array key conversion,
which allows remote attackers to cause a denial of service (use-after-free)
or possibly have unspecified other impact via crafted Indexed Database
(aka IndexedDB) API calls.
- CVE-2016-5171 (arbitrary code execution)
WebKit/Source/bindings/templates/interface.cpp in Blink does not
prevent certain constructor calls, which allows remote attackers to
cause a denial of service (use-after-free) or possibly have unspecified
other impact via crafted JavaScript code.
- CVE-2016-5172 (information disclosure)
The parser in Google V8 mishandles scopes, which allows remote
attackers to obtain sensitive information from arbitrary memory
locations via crafted JavaScript code.
- CVE-2016-5181 (cross-site scripting)
A universal XSS flaw was found in the Blink component of the Chromium
browser.
- CVE-2016-5185 (arbitrary code execution)
A use-after-free flaw was found in the Blink component of the Chromium
browser.
- CVE-2016-5186 (information disclosure)
An out-of-bounds read flaw was found in the DevTools component of the
Chromium browser.
- CVE-2016-5187 (content spoofing)
A URL spoofing flaw was found in the Chromium browser.
- CVE-2016-5188 (content spoofing)
A UI spoofing flaw was found in the Chromium browser.
- CVE-2016-5192 (same-origin policy bypass)
A cross-origin bypass flaw was found in the Blink component of the
Chromium browser.
- CVE-2016-5198 (arbitrary code execution)
An out-of-bounds memory access flaw was found in the V8 component of
the Chromium browser.
Impact
======
A remote attacker can access sensitive information, spoof content,
bypass security measures or execute arbitrary code on the affected
host.
References
==========
https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.7.1?h=5.7
https://bugs.chromium.org/p/chromium/issues/detail?id=613626
https://bugs.chromium.org/p/chromium/issues/detail?id=628942
https://bugs.chromium.org/p/chromium/issues/detail?id=631052
https://bugs.chromium.org/p/chromium/issues/detail?id=630662
https://bugzilla.redhat.com/show_bug.cgi?id=1372216
https://bugs.chromium.org/p/chromium/issues/detail?id=622420
https://bugs.chromium.org/p/chromium/issues/detail?id=616429
https://bugs.chromium.org/p/chromium/issues/detail?id=641101
https://bugs.chromium.org/p/chromium/issues/detail?id=643357
https://chromereleases.googleblog.com/2016/09/stable-channel-update-for-desktop_13.html
https://bugs.chromium.org/p/chromium/issues/detail?id=616386
https://googlechromereleases.blogspot.fr/2016/10/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2016/11/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=659475
https://access.redhat.com/security/cve/CVE-2016-5133
https://access.redhat.com/security/cve/CVE-2016-5147
https://access.redhat.com/security/cve/CVE-2016-5153
https://access.redhat.com/security/cve/CVE-2016-5155
https://access.redhat.com/security/cve/CVE-2016-5161
https://access.redhat.com/security/cve/CVE-2016-5166
https://access.redhat.com/security/cve/CVE-2016-5170
https://access.redhat.com/security/cve/CVE-2016-5171
https://access.redhat.com/security/cve/CVE-2016-5172
https://access.redhat.com/security/cve/CVE-2016-5181
https://access.redhat.com/security/cve/CVE-2016-5185
https://access.redhat.com/security/cve/CVE-2016-5186
https://access.redhat.com/security/cve/CVE-2016-5187
https://access.redhat.com/security/cve/CVE-2016-5188
https://access.redhat.com/security/cve/CVE-2016-5192
https://access.redhat.com/security/cve/CVE-2016-5198