Arch Linux Security Advisory ASA-201610-15
=========================================
Severity: Critical
Date    : 2016-10-23
CVE-ID  : CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184
          CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188
          CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192
          CVE-2016-5193 CVE-2016-5194
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package chromium before version 54.0.2840.59-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing,
cross-site scripting, information disclosure, same-origin policy bypass
and insufficient validation.

Resolution
=========
Upgrade to 54.0.2840.59-1.

# pacman -Syu "chromium>=54.0.2840.59-1"

The problems have been fixed upstream in version 54.0.2840.59.

Workaround
=========
None.

Description
==========
- CVE-2016-5181 (cross-site scripting)

An universal XSS flaw was found in the Blink component of the Chromium
browser.

- CVE-2016-5182 (arbitrary code execution)

A heap overflow flaw was found in the Blink component of the Chromium
browser.

- CVE-2016-5183 (arbitrary code execution)

An use after free flaw was found in the PDFium component of the
Chromium browser.

- CVE-2016-5184 (arbitrary code execution)

An use after free flaw was found in the PDFium component of the
Chromium browser.

- CVE-2016-5185 (arbitrary code execution)

An use after free flaw was found in the Blink component of the Chromium
browser.

- CVE-2016-5186 (information disclosure)

An out of bounds read flaw was found in the DevTools component of the
Chromium browser.

- CVE-2016-5187 (content spoofing)

An URL spoofing flaw was found in the Chromium browser.

- CVE-2016-5188 (content spoofing)

An UI spoofing flaw was found in the Chromium browser.

- CVE-2016-5189 (content spoofing)

An URL spoofing flaw was found in the Chromium browser.

- CVE-2016-5190 (arbitrary code execution)

An use after free flaw was found in the Internals component of the
Chromium browser.

- CVE-2016-5191 (cross-site scripting)

An universal XSS flaw was found in the Bookmarks component of the
Chromium browser.

- CVE-2016-5192 (same-origin policy bypass)

A cross-origin bypass flaw was found in the Blink component of the
Chromium browser.

- CVE-2016-5193 (insufficient validation)

A scheme bypass vulnerability has been discovered.

- CVE-2016-5194 (arbitrary code execution)

Various fixes from internal audits, fuzzing and other initiatives.

Impact
=====
A remote attacker can bypass security measures, access sensitive
information or execute arbitrary code on the affected host.

References
=========
https://chromereleases.googleblog.com/2016/10/stable-channel-update-for-desktop.html
https://access.redhat.com/security/cve/CVE-2016-5181
https://access.redhat.com/security/cve/CVE-2016-5182
https://access.redhat.com/security/cve/CVE-2016-5183
https://access.redhat.com/security/cve/CVE-2016-5184
https://access.redhat.com/security/cve/CVE-2016-5185
https://access.redhat.com/security/cve/CVE-2016-5186
https://access.redhat.com/security/cve/CVE-2016-5187
https://access.redhat.com/security/cve/CVE-2016-5188
https://access.redhat.com/security/cve/CVE-2016-5189
https://access.redhat.com/security/cve/CVE-2016-5190
https://access.redhat.com/security/cve/CVE-2016-5191
https://access.redhat.com/security/cve/CVE-2016-5192
https://access.redhat.com/security/cve/CVE-2016-5193
https://access.redhat.com/security/cve/CVE-2016-5194

ArchLinux: 201610-15: chromium: multiple issues

October 23, 2016

Summary

- CVE-2016-5181 (cross-site scripting) An universal XSS flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5182 (arbitrary code execution)
A heap overflow flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5183 (arbitrary code execution)
An use after free flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5184 (arbitrary code execution)
An use after free flaw was found in the PDFium component of the Chromium browser.
- CVE-2016-5185 (arbitrary code execution)
An use after free flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5186 (information disclosure)
An out of bounds read flaw was found in the DevTools component of the Chromium browser.
- CVE-2016-5187 (content spoofing)
An URL spoofing flaw was found in the Chromium browser.
- CVE-2016-5188 (content spoofing)
An UI spoofing flaw was found in the Chromium browser.
- CVE-2016-5189 (content spoofing)
An URL spoofing flaw was found in the Chromium browser.
- CVE-2016-5190 (arbitrary code execution)
An use after free flaw was found in the Internals component of the Chromium browser.
- CVE-2016-5191 (cross-site scripting)
An universal XSS flaw was found in the Bookmarks component of the Chromium browser.
- CVE-2016-5192 (same-origin policy bypass)
A cross-origin bypass flaw was found in the Blink component of the Chromium browser.
- CVE-2016-5193 (insufficient validation)
A scheme bypass vulnerability has been discovered.
- CVE-2016-5194 (arbitrary code execution)
Various fixes from internal audits, fuzzing and other initiatives.

Resolution

Upgrade to 54.0.2840.59-1. # pacman -Syu "chromium>=54.0.2840.59-1"
The problems have been fixed upstream in version 54.0.2840.59.

References

https://chromereleases.googleblog.com/2016/10/stable-channel-update-for-desktop.html https://access.redhat.com/security/cve/CVE-2016-5181 https://access.redhat.com/security/cve/CVE-2016-5182 https://access.redhat.com/security/cve/CVE-2016-5183 https://access.redhat.com/security/cve/CVE-2016-5184 https://access.redhat.com/security/cve/CVE-2016-5185 https://access.redhat.com/security/cve/CVE-2016-5186 https://access.redhat.com/security/cve/CVE-2016-5187 https://access.redhat.com/security/cve/CVE-2016-5188 https://access.redhat.com/security/cve/CVE-2016-5189 https://access.redhat.com/security/cve/CVE-2016-5190 https://access.redhat.com/security/cve/CVE-2016-5191 https://access.redhat.com/security/cve/CVE-2016-5192 https://access.redhat.com/security/cve/CVE-2016-5193 https://access.redhat.com/security/cve/CVE-2016-5194

Severity
CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188
CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192
CVE-2016-5193 CVE-2016-5194
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News

2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved