Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Arch Linux: ASA-201511-8 Medium: Chromium Information Leak Advisory

Archlinux Large Esm H446
The package chromium before version 46.0.2490.86-1 is vulnerable to information leakage and cross-origin restriction bypass.
Arch Linux Security Advisory ASA-201511-8
========================================
Severity: Medium
Date    : 2015-11-13
CVE-ID  : CVE-2015-1302
Package : chromium
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package chromium before version 46.0.2490.86-1 is vulnerable to
information leakage and cross-origin restriction bypass.

Resolution
=========
Upgrade to 46.0.2490.86-1.

# pacman -Syu "chromium>=46.0.2490.86-1"

The problem has been fixed upstream in version 46.0.2490.86.

Workaround
=========
None.

Description
==========
The PDF viewer does not properly restrict scripting messages and API
exposure, which allows remote attackers to bypass the Same Origin Policy
via an unintended embedder or unintended plugin loading, related to
pdf.js and out_of_process_instance.cc.

Impact
=====
A remote attacker is able to bypass the cross-origin restriction via an
unintended embedder or unintended plugin loading, related to pdf.js and
out_of_process_instance.cc allowing unauthorized disclosure of information.

References
=========
https://access.redhat.com/security/cve/CVE-2015-1302
https://chromereleases.googleblog.com/2015/11/stable-channel-update.html
https://codereview.chromium.org/1316803003