ESB-2017.2451 - [Debian] chromium-browser: Multiple vulnerabilities 2017-09-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2451
                     chromium-browser security update
                             29 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5122 CVE-2017-5121 CVE-2017-5120
                   CVE-2017-5119 CVE-2017-5118 CVE-2017-5117
                   CVE-2017-5116 CVE-2017-5115 CVE-2017-5114
                   CVE-2017-5113 CVE-2017-5112 CVE-2017-5111

Reference:         ESB-2017.2296
                   ESB-2017.2263

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3985

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3985-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
September 28, 2017                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5111 CVE-2017-5112 CVE-2017-5113 CVE-2017-5114
                 CVE-2017-5115 CVE-2017-5116 CVE-2017-5117 CVE-2017-5118
                 CVE-2017-5119 CVE-2017-5120 CVE-2017-5121 CVE-2017-5122

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5111

    Luat Nguyen discovered a use-after-free issue in the pdfium library.

CVE-2017-5112

    Tobias Klein discovered a buffer overflow issue in the webgl
    library.

CVE-2017-5113

    A buffer overflow issue was discovered in the skia library.

CVE-2017-5114

    Ke Liu discovered a memory issue in the pdfium library.

CVE-2017-5115

    Marco Giovannini discovered a type confusion issue in the v8
    javascript library.

CVE-2017-5116

    Guang Gong discovered a type confusion issue in the v8 javascript
    library.

CVE-2017-5117

    Tobias Klein discovered an uninitialized value in the skia library.

CVE-2017-5118

    WenXu Wu discovered a way to bypass the Content Security Policy.

CVE-2017-5119

    Another uninitialized value was discovered in the skia library.

CVE-2017-5120

    Xiaoyin Liu discovered a way to downgrade HTTPS connections during
    redirection.

CVE-2017-5121

    Jordan Rabet discovered an out-of-bounds memory access in the v8
    javascript library.

CVE-2017-5122

    Choongwoo Han discovered an out-of-bounds memory access in the v8
    javascript library.

For the stable distribution (stretch), these problems have been fixed in
version 61.0.3163.100-1~deb9u1.

For the testing distribution (buster), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 61.0.3163.100-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
