Arch Linux Security Advisory ASA-201704-5
========================================
Severity: Critical
Date    : 2017-04-20
CVE-ID  : CVE-2017-5057 CVE-2017-5058 CVE-2017-5059 CVE-2017-5060
          CVE-2017-5061 CVE-2017-5062 CVE-2017-5063 CVE-2017-5064
          CVE-2017-5065 CVE-2017-5066 CVE-2017-5067 CVE-2017-5069
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-250

Summary
======
The package chromium before version 58.0.3029.81-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing,
incorrect calculation and same-origin policy bypass.

Resolution
=========
Upgrade to 58.0.3029.81-1.

# pacman -Syu "chromium>=58.0.3029.81-1"

The problems have been fixed upstream in version 58.0.3029.81.

Workaround
=========
None.

Description
==========
- CVE-2017-5057 (arbitrary code execution)

A type confusion issue has been found in the PDFium component of the
Chromium browser.

- CVE-2017-5058 (arbitrary code execution)

A heap use after free issue has been found in the Print Preview
component of the Chromium browser.

- CVE-2017-5059 (arbitrary code execution)

A type confusion issue has been found in the Blink component of the
Chromium browser.

- CVE-2017-5060 (content spoofing)

A URL spoofing issue has been found in the Omnibox component of the
Chromium browser.

- CVE-2017-5061 (content spoofing)

A URL spoofing issue has been found in the Omnibox component of the
Chromium browser.

- CVE-2017-5062 (arbitrary code execution)

A use after free issue has been found in the Chrome Apps component of
the Chromium browser.

- CVE-2017-5063 (arbitrary code execution)

A heap overflow issue has been found in the Skia component of the
Chromium browser.

- CVE-2017-5064 (arbitrary code execution)

A use after free flaw has been found in the Blink component of the
Chromium browser.

- CVE-2017-5065 (content spoofing)

An incorrect UI issue has been found in the Blink component of the
Chromium browser.

- CVE-2017-5066 (incorrect calculation)

An incorrect signature handing issue has been found in the Networking
component of the Chromium browser.

- CVE-2017-5067 (content spoofing)

A URL spoofing issue has been found in the Omnibox component of the
Chromium browser.

- CVE-2017-5069 (same-origin policy bypass)

A cross-origin bypass issue has been found in the Blink component of
the Chromium browser.

Impact
=====
A remote attacker can spoof URL, bypass security checks and execute
arbitrary code on the affected host.

References
=========
https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://bugs.chromium.org/p/chromium/issues/detail
https://security.archlinux.org/CVE-2017-5057
https://security.archlinux.org/CVE-2017-5058
https://security.archlinux.org/CVE-2017-5059
https://security.archlinux.org/CVE-2017-5060
https://security.archlinux.org/CVE-2017-5061
https://security.archlinux.org/CVE-2017-5062
https://security.archlinux.org/CVE-2017-5063
https://security.archlinux.org/CVE-2017-5064
https://security.archlinux.org/CVE-2017-5065
https://security.archlinux.org/CVE-2017-5066
https://security.archlinux.org/CVE-2017-5067
https://security.archlinux.org/CVE-2017-5069

ArchLinux: 201704-5: chromium: multiple issues

April 20, 2017

Summary

- CVE-2017-5057 (arbitrary code execution) A type confusion issue has been found in the PDFium component of the Chromium browser.
- CVE-2017-5058 (arbitrary code execution)
A heap use after free issue has been found in the Print Preview component of the Chromium browser.
- CVE-2017-5059 (arbitrary code execution)
A type confusion issue has been found in the Blink component of the Chromium browser.
- CVE-2017-5060 (content spoofing)
A URL spoofing issue has been found in the Omnibox component of the Chromium browser.
- CVE-2017-5061 (content spoofing)
A URL spoofing issue has been found in the Omnibox component of the Chromium browser.
- CVE-2017-5062 (arbitrary code execution)
A use after free issue has been found in the Chrome Apps component of the Chromium browser.
- CVE-2017-5063 (arbitrary code execution)
A heap overflow issue has been found in the Skia component of the Chromium browser.
- CVE-2017-5064 (arbitrary code execution)
A use after free flaw has been found in the Blink component of the Chromium browser.
- CVE-2017-5065 (content spoofing)
An incorrect UI issue has been found in the Blink component of the Chromium browser.
- CVE-2017-5066 (incorrect calculation)
An incorrect signature handing issue has been found in the Networking component of the Chromium browser.
- CVE-2017-5067 (content spoofing)
A URL spoofing issue has been found in the Omnibox component of the Chromium browser.
- CVE-2017-5069 (same-origin policy bypass)
A cross-origin bypass issue has been found in the Blink component of the Chromium browser.

Resolution

Upgrade to 58.0.3029.81-1. # pacman -Syu "chromium>=58.0.3029.81-1"
The problems have been fixed upstream in version 58.0.3029.81.

References

https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://bugs.chromium.org/p/chromium/issues/detail https://security.archlinux.org/CVE-2017-5057 https://security.archlinux.org/CVE-2017-5058 https://security.archlinux.org/CVE-2017-5059 https://security.archlinux.org/CVE-2017-5060 https://security.archlinux.org/CVE-2017-5061 https://security.archlinux.org/CVE-2017-5062 https://security.archlinux.org/CVE-2017-5063 https://security.archlinux.org/CVE-2017-5064 https://security.archlinux.org/CVE-2017-5065 https://security.archlinux.org/CVE-2017-5066 https://security.archlinux.org/CVE-2017-5067 https://security.archlinux.org/CVE-2017-5069

Severity
CVE-2017-5061 CVE-2017-5062 CVE-2017-5063 CVE-2017-5064
CVE-2017-5065 CVE-2017-5066 CVE-2017-5067 CVE-2017-5069
Package : chromium
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-250

Workaround

None.

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
The Kinsing hacker group, or H2Miner, has been orchestrating illicit cryptocurrency mining campaigns since 2019 and poses a persistent security
32.Lock Code Circular Esm H320
2 - 3 min read
The Kimsuky APT group, reportedly linked to North Korea's Reconnaissance General Bureau (RGB), has been identified deploying a Linux version of its
4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved