Stay Secure with the Latest Linux Advisories

security advisorydenial of servicearbitrary execution

Arch Linux: 201710-27 Critical: Chromium Multiple Issues

The package chromium before version 62.0.3202.62-1 is vulnerable to multiple issues including arbitrary code execution, cross-site scripting, access restriction bypass, content spoofing, information disclosure and denial of service. . Arch Linux Security Advisory ASA-201710-27 ========================================= Severity: Critical Date : 2017-10-19 CVE-ID : CVE-2017-15386 CVE-2017-15387 CVE-2017-15388 CVE-2017-15389 CVE-2017-15390 CVE-2017-15391 CVE-2017-15392 CVE-2017-15393 CVE-2017-15394 CVE-2017-15395 CVE-2017-5124 CVE-2017-5125 CVE-2017-5126 CVE-2017-5127 CVE-2017-5128 CVE-2017-5129 CVE-2017-5130 CVE-2017-5131 CVE-2017-5132 CVE-2017-5133 Package : chromium Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-456 Summary ====== The package chromium before version 62.0.3202.62-1 is vulnerable to multiple issues including arbitrary code execution, cross-site scripting, access restriction bypass, content spoofing, information disclosure and denial of service. Resolution ========= Upgrade to 62.0.3202.62-1. # pacman -Syu "chromium> =62.0.3202.62-1" The problems have been fixed upstream in version 62.0.3202.62. Workaround ========= None. Description ========== - CVE-2017-15386 (content spoofing) A UI spoofing issue has been found in the Blink component of the Chromium browser < 62.0.3202.62. - CVE-2017-15387 (access restriction bypass) A content security bypass has been found in the Chromium browser < 62.0.3202.62. - CVE-2017-15388 (information disclosure) An out-of-bounds read has been found in the Skia component of the Chromium browser < 62.0.3202.62. - CVE-2017-15389 (content spoofing) A URL spoofing issue has been found in the Omnibox component of the Chromium browser < 62.0.3202.62. - CVE-2017-15390 (content spoofing) A URL spoofing issue has been found in the Omnibox component of the Chromium browser < 62.0.3202.62. - CVE-2017-15391 (accessrestriction bypass) An extension limitation bypass has been found in the Extensions component of the Chromium browser < 62.0.3202.62. - CVE-2017-15392 (access restriction bypass) An incorrect registry key handling issue has been found in the PlatformIntegration component of the Chromium browser < 62.0.3202.62. - CVE-2017-15393 (information disclosure) A referrer leak has been found in the Devtools component of the Chromium browser < 62.0.3202.62. - CVE-2017-15394 (content spoofing) A URL spoofing flaw has been found in the extensions UI of the Chromium browser < 62.0.3202.62. - CVE-2017-15395 (denial of service) A null-pointer dereference flaw has been found in the ImageCapture component of the Chromium browser < 62.0.3202.62. - CVE-2017-5124 (cross-site scripting) A universal XSS flaw has been found in the MHTML component of the Chromium browser < 62.0.3202.62. - CVE-2017-5125 (arbitrary code execution) A heap overflow security issue has been found in the Skia component of the Chromium browser < 62.0.3202.62. - CVE-2017-5126 (arbitrary code execution) A use-after-free security issue has been found in the PDFium component of the Chromium browser < 62.0.3202.62. - CVE-2017-5127 (arbitrary code execution) A use-after-free security issue has been found in the PDFium component of the Chromium browser < 62.0.3202.62. - CVE-2017-5128 (arbitrary code execution) A heap overflow security issue has been found in the WebGL component of the Chromium browser < 62.0.3202.62. - CVE-2017-5129 (arbitrary code execution) A use-after-free security issue has been found in the WebAudio component of the Chromium browser < 62.0.3202.62. - CVE-2017-5130 (arbitrary code execution) A heap overflow security issue has been found in libxml2. - CVE-2017-5131 (arbitrary code execution) An out-of-bounds write has been found in the Skia component of the Chromium browser < 62.0.3202.62. - CVE-2017-5132 (arbitrary code execution) An incorrect stackmanipulation security issue has been found in the WebAssembly component of the Chromium browser < 62.0.3202.62. - CVE-2017-5133 (arbitrary code execution) An out-of-bounds write has been found in the Skia component of the Chromium browser < 62.0.3202.62. Impact ===== A remote attacker can bypass security measures, trick the user by spoofing parts of the UI, cause a denial of service or execute arbitrary code on the affected host. References ========= https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://security.archlinux.org/CVE-2017-15386 https://security.archlinux.org/CVE-2017-15387 https://security.archlinux.org/CVE-2017-15388 https://security.archlinux.org/CVE-2017-15389 https://security.archlinux.org/CVE-2017-15390 https://security.archlinux.org/CVE-2017-15391 https://security.archlinux.org/CVE-2017-15392 https://security.archlinux.org/CVE-2017-15393 https://security.archlinux.org/CVE-2017-15394 https://security.archlinux.org/CVE-2017-15395 https://security.archlinux.org/CVE-2017-5124 https://security.archlinux.org/CVE-2017-5125 https://security.archlinux.org/CVE-2017-5126 https://security.archlinux.org/CVE-2017-5127 https://security.archlinux.org/CVE-2017-5128 https://security.archlinux.org/CVE-2017-5129 https://security.archlinux.org/CVE-2017-5130 https://security.archlinux.org/CVE-2017-5131 https://security.archlinux.org/CVE-2017-5132 https://security.archlinux.org/CVE-2017-5133 . Issues with Chromium on Arch Linux may lead to severe vulnerabilities, including potential remote code execution and service interruptions. Users should consider updating.. Arch Linux Chromium Risks, Critical Security Update, Code Execution Threats. . Severity: Critical. LinuxSecurity.com Team

Oct 19, 2017 •Critical ArchLinux