[arch-security] [ASA-201601-28] chromium: multiple issues

Remi Gacogne rgacogne at archlinux.org
Mon Jan 25 21:48:44 UTC 2016


Arch Linux Security Advisory ASA-201601-28
==========================================

Severity: Critical
Date    : 2016-01-25
CVE-ID  : CVE-2016-1612 CVE-2016-1613 CVE-2016-1614 CVE-2016-1615
CVE-2016-1616 CVE-2016-1617 CVE-2016-1618 CVE-2016-1619 CVE-2016-1620
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 48.0.2564.82-1 is vulnerable to
multiple issues.

Resolution
==========

Upgrade to 48.0.2564.82-1.

# pacman -Syu "chromium>=48.0.2564.82-1"

The problem has been fixed upstream in version 48.0.2564.82.

Workaround
==========

None.

Description
===========

- CVE-2016-1612:

The LoadIC::UpdateCaches function in ic/ic.cc in Google V8 does not
ensure receiver compatibility before performing a cast of an unspecified
variable, which allows remote attackers to cause a denial of service or
possibly have unknown other impact via crafted JavaScript code. Credit
to cloudfuzzer.

- CVE-2016-1613:

Multiple use-after-free vulnerabilities in the formfiller implementation
in PDFium allow remote attackers to cause a denial of service or
possibly have unspecified other impact via a crafted PDF document,
related to improper tracking of the destruction of (1) IPWL_FocusHandler
and (2) IPWL_Provider objects.

- CVE-2016-1614:

The UnacceleratedImageBufferSurface class in
WebKit/Source/platform/graphics/UnacceleratedImageBufferSurface.cpp in
Blink mishandles the initialization mode, which allows remote attackers
to obtain sensitive information from process memory via a crafted web
site. Credit to Christoph Diehl.

- CVE-2016-1615:

The Omnibox implementation allows remote attackers to spoof a document's
origin via unspecified vectors. Credit to Ron Masas.

- CVE-2016-1616:

The CustomButton::AcceleratorPressed function in
ui/views/controls/button/custom_button.cc allows remote attackers to
spoof URLs via vectors involving an unfocused custom button. Credit to
Luan Herrera.

- CVE-2016-1617:

The CSPSource::schemeMatches function in
WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security
Policy (CSP) implementation in Blink does not apply http policies to
https URLs and does not apply ws policies to wss URLs, which makes it
easier for remote attackers to determine whether a specific HSTS web
site has been visited by reading a CSP report. Credit to Yan Zhu.

- CVE-2016-1618:

Blink does not ensure that a proper cryptographicallyRandomValues random
number generator is used, which makes it easier for remote attackers to
defeat cryptographic protection mechanisms via unspecified vectors.
Credit to Aaron Toponce.

- CVE-2016-1619:

Multiple integer overflows in the sycc422_to_rgb and sycc444_to_rgb
functions in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium allow remote
attackers to cause a denial of service (out-of-bounds read) or possibly
have unspecified other impact via a crafted PDF document. Credit to Keve
Nagy.

- CVE-2016-1620:

Various fixes from internal audits, fuzzing and other initiatives.

Impact
======

A remote attacker might be able to cause a denial of service, access
sensitive information or execute arbitrary code on the affected host.

References
==========

http://googlechromereleases.blogspot.fr/2016/01/stable-channel-update_20.html
https://access.redhat.com/security/cve/CVE-2016-1612
https://access.redhat.com/security/cve/CVE-2016-1613
https://access.redhat.com/security/cve/CVE-2016-1614
https://access.redhat.com/security/cve/CVE-2016-1615
https://access.redhat.com/security/cve/CVE-2016-1616
https://access.redhat.com/security/cve/CVE-2016-1617
https://access.redhat.com/security/cve/CVE-2016-1618
https://access.redhat.com/security/cve/CVE-2016-1619
https://access.redhat.com/security/cve/CVE-2016-1620

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160125/12fdedd4/attachment.asc>


More information about the arch-security mailing list