openSUSE Security Update : chromium (openSUSE-SU-2013:0454-1)

high Nessus Plugin ID 74920

Synopsis

The remote openSUSE host is missing a security update.

Description

chromium was updated to version 27.0.1425 having both stability and security fixes :

- Bug and stability fixes :

- Fixed crash after clicking through malware warning.
(Issue: 173986)

- Fixed broken command line to create extensions with locale info (Issue: 176187)

- Hosted apps in Chrome will always be opened from app launcher. (Issue: 176267)

- Added modal confirmation dialog to the enterprise profile sign-in flow. (Issue: 171236)

- Fixed a crash with autofill. (Issues: 175454, 176576)

- Fixed issues with sign-in. (Issues: 175672, 175819, 175541, 176190)

- Fixed spurious profile shortcuts created with a system-level install. (Issue: 177047)

- Fixed the background tab flashing with certain themes.
(Issue: 175426)

- Security Fixes: (bnc#804986)

- High CVE-2013-0879: Memory corruption with web audio node

- High CVE-2013-0880: Use-after-free in database handling

- Medium CVE-2013-0881: Bad read in Matroska handling

- High CVE-2013-0882: Bad memory access with excessive SVG parameters.

- Medium CVE-2013-0883: Bad read in Skia.

- Low CVE-2013-0884: Inappropriate load of NaCl.

- Medium CVE-2013-0885: Too many API permissions granted to web store

- Medium CVE-2013-0886: Incorrect NaCl signal handling.

- Low CVE-2013-0887: Developer tools process has too many permissions and places too much trust in the connected server

- Medium CVE-2013-0888: Out-of-bounds read in Skia

- Low CVE-2013-0889: Tighten user gesture check for dangerous file downloads.

- High CVE-2013-0890: Memory safety issues across the IPC layer.

- High CVE-2013-0891: Integer overflow in blob handling.

- Medium CVE-2013-0892: Lower severity issues across the IPC layer

- Medium CVE-2013-0893: Race condition in media handling.

- High CVE-2013-0894: Buffer overflow in vorbis decoding.

- High CVE-2013-0895: Incorrect path handling in file copying.

- High CVE-2013-0896: Memory management issues in plug-in message handling

- Low CVE-2013-0897: Off-by-one read in PDF

- High CVE-2013-0898: Use-after-free in URL handling

- Low CVE-2013-0899: Integer overflow in Opus handling

- Medium CVE-2013-0900: Race condition in ICU

- Make adjustment for autodetecting of the PepperFlash library. The package with the PepperFlash hopefully will be soon available through packman

- Update to 26.0.1411

- Bug and stability fixes

- Update to 26.0.1403

- Bug and stability fixes

- Using system libxml2 requires system libxslt.

- Using system MESA does not work in i586 for some reason.

- Also use system MESA, factory version seems adecuate now.

- Always use system libxml2.

- Restrict the usage of system libraries instead of the bundled ones to new products, too much hassle otherwise.

- Also link kerberos and libgps directly, do not dlopen them.

- Avoid using dlopen on system libraries, rpm or the package Manager do not handle this at all. tested for a few weeks and implemented with a macro so it can be easily disabled if problems arise.

- Use SOME system libraries instead of the bundled ones, tested for several weeks and implemented with a macro for easy enable/Disable in case of trouble.

- Update to 26.0.1393

- Bug and stability fixes

- Security fixes

- Update to 26.0.1375

- Bug and stability fixes

- Update to 26.0.1371

- Bug and stability fixes

- Update to 26.0.1367

- Bug and stability fixes

Solution

Update the affected chromium packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=804986

https://lists.opensuse.org/opensuse-updates/2013-03/msg00045.html

Plugin Details

Severity: High

ID: 74920

File Name: openSUSE-2013-203.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:chromedriver, p-cpe:/a:novell:opensuse:chromedriver-debuginfo, p-cpe:/a:novell:opensuse:chromium, p-cpe:/a:novell:opensuse:chromium-debuginfo, p-cpe:/a:novell:opensuse:chromium-debugsource, p-cpe:/a:novell:opensuse:chromium-desktop-gnome, p-cpe:/a:novell:opensuse:chromium-desktop-kde, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo-debuginfo, p-cpe:/a:novell:opensuse:chromium-suid-helper, p-cpe:/a:novell:opensuse:chromium-suid-helper-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/9/2013

Reference Information

CVE: CVE-2013-0879, CVE-2013-0880, CVE-2013-0881, CVE-2013-0882, CVE-2013-0883, CVE-2013-0884, CVE-2013-0885, CVE-2013-0886, CVE-2013-0887, CVE-2013-0888, CVE-2013-0889, CVE-2013-0890, CVE-2013-0891, CVE-2013-0892, CVE-2013-0893, CVE-2013-0894, CVE-2013-0895, CVE-2013-0896, CVE-2013-0897, CVE-2013-0898, CVE-2013-0899, CVE-2013-0900