http://googlechromereleases.blogspot.com/2015/12/stable-channel-update.html

openSUSE-SU-2015:2290

openSUSE-SU-2015:2291

DSA-3415

78416

1034298

USN-2825-1

https://code.google.com/p/chromium/issues/detail?id=554908

https://codereview.chromium.org/1441683004/

GLSA-201603-09

The remote host is affected by the vulnerability described in GLSA-201603-09 (Chromium: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Chromium web       browser. Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, obtain       sensitive information, or bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

Chromium was updated to 47.0.2526.80 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-6788: Type confusion in extensions

  - CVE-2015-6789: Use-after-free in Blink

  - CVE-2015-6790: Escaping issue in saved pages

  - CVE-2015-6791: Various fixes from internal audits,     fuzzing and other initiatives

The following vulnerabilities were fixed in 47.0.2526.73 :

  - CVE-2015-6765: Use-after-free in AppCache

  - CVE-2015-6766: Use-after-free in AppCache

  - CVE-2015-6767: Use-after-free in AppCache

  - CVE-2015-6768: Cross-origin bypass in DOM

  - CVE-2015-6769: Cross-origin bypass in core

  - CVE-2015-6770: Cross-origin bypass in DOM

  - CVE-2015-6771: Out of bounds access in v8

  - CVE-2015-6772: Cross-origin bypass in DOM

  - CVE-2015-6764: Out of bounds access in v8

  - CVE-2015-6773: Out of bounds access in Skia

  - CVE-2015-6774: Use-after-free in Extensions

  - CVE-2015-6775: Type confusion in PDFium

  - CVE-2015-6776: Out of bounds access in PDFium

  - CVE-2015-6777: Use-after-free in DOM

  - CVE-2015-6778: Out of bounds access in PDFium

  - CVE-2015-6779: Scheme bypass in PDFium

  - CVE-2015-6780: Use-after-free in Infobars

  - CVE-2015-6781: Integer overflow in Sfntly

  - CVE-2015-6782: Content spoofing in Omnibox

  - CVE-2015-6783: Signature validation issue in Android     Crazy Linker.

  - CVE-2015-6784: Escaping issue in saved pages

  - CVE-2015-6785: Wildcard matching issue in CSP

  - CVE-2015-6786: Scheme bypass in CSP

  - CVE-2015-6787: Various fixes from internal audits,     fuzzing and other initiatives.

  - Multiple vulnerabilities in V8 fixed at the tip of the     4.7 branch (currently 4.7.80.23)

Multiple use-after-free bugs were discovered in the application cache implementation in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program.
(CVE-2015-6765, CVE-2015-6766, CVE-2015-6767)

Several security issues were discovered in the DOM implementation in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions. (CVE-2015-6768, CVE-2015-6770)

A security issue was discovered in the provisional-load commit implementation in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same origin restrictions. (CVE-2015-6769)

An out-of-bounds read was discovered in the array map and filter operations in V8 in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash.
(CVE-2015-6771)

It was discovered that the DOM implementation in Chromium does not prevent javascript: URL navigation while a document is being detached.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same origin restrictions. (CVE-2015-6772)

An out-of bounds read was discovered in Skia in some cirumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash. (CVE-2015-6773)

A use-after-free was discovered in the DOM implementation in Chromium.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2015-6777)

It was discovered that the Document::open function in Chromium did not ensure that page-dismissal event handling is compatible with modal dialog blocking. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to spoof application UI content. (CVE-2015-6782)

It was discovered that the page serializer in Chromium mishandled MOTW comments for URLs in some circumstances. An attacker could potentially exploit this to inject HTML content. (CVE-2015-6784)

It was discovered that the Content Security Policy (CSP) implementation in Chromium accepted an x.y hostname as a match for a
*.x.y pattern. An attacker could potentially exploit this to bypass intended access restrictions. (CVE-2015-6785)

It was discovered that the Content Security Policy (CSP) implementation in Chromium accepted blob:, data: and filesystem: URLs as a match for a * pattern. An attacker could potentially exploit this to bypass intended access restrictions. (CVE-2015-6786)

Multiple security issues were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2015-6787)

Multiple security issues were discovered in V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2015-8478).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2015-1302     Rub Wu discovered an information leak in the pdfium     library.

  - CVE-2015-6764     Guang Gong discovered an out-of-bounds read issue in the     v8 JavaScript library.

  - CVE-2015-6765     A use-after-free issue was discovered in AppCache.

  - CVE-2015-6766     A use-after-free issue was discovered in AppCache.

  - CVE-2015-6767     A use-after-free issue was discovered in AppCache.

  - CVE-2015-6768     Mariusz Mlynski discovered a way to bypass the Same     Origin Policy.

  - CVE-2015-6769     Mariusz Mlynski discovered a way to bypass the Same     Origin Policy.

  - CVE-2015-6770     Mariusz Mlynski discovered a way to bypass the Same     Origin Policy.

  - CVE-2015-6771     An out-of-bounds read issue was discovered in the v8     JavaScript library.

  - CVE-2015-6772     Mariusz Mlynski discovered a way to bypass the Same     Origin Policy.

  - CVE-2015-6773     cloudfuzzer discovered an out-of-bounds read issue in     the skia library.

  - CVE-2015-6774     A use-after-free issue was found in extensions binding.

  - CVE-2015-6775     Atte Kettunen discovered a type confusion issue in the     pdfium library.

  - CVE-2015-6776     Hanno Bock dicovered an out-of-bounds access issue in     the openjpeg library, which is used by pdfium.

  - CVE-2015-6777     Long Liu found a use-after-free issue.

  - CVE-2015-6778     Karl Skomski found an out-of-bounds read issue in the     pdfium library.

  - CVE-2015-6779     Til Jasper Ullrich discovered that the pdfium library     does not sanitize 'chrome:' URLs.

  - CVE-2015-6780     Khalil Zhani discovered a use-after-free issue.

  - CVE-2015-6781     miaubiz discovered an integer overflow issue in the     sfntly library.

  - CVE-2015-6782     Luan Herrera discovered a URL spoofing issue.

  - CVE-2015-6784     Inti De Ceukelaire discovered a way to inject HTML into     serialized web pages.

  - CVE-2015-6785     Michael Ficarra discovered a way to bypass the Content     Security Policy.

  - CVE-2015-6786     Michael Ficarra discovered another way to bypass the     Content Security Policy.

The version of Google Chrome installed on the remote Mac OS X host is prior to 47.0.2526.73. It is, therefore, affected by multiple vulnerabilities :

  - An out-of-bounds access error exists in Google V8 that     is triggered when loading array elements. An attacker     can exploit this to have an unspecified impact.
    (CVE-2015-6764)

  - A use-after-free error exists that is triggered when     handling updates. An unauthenticated, remote attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2015-6765)

  - A use-after-free error exists in AppCache that is     triggered when handling updates. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2015-6766)

  - A use-after-free error exists in the     OnChannelConnected() function. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2015-6767)

  - A same-origin bypass vulnerability exists due to a flaw     that is triggered when handling 'javascript:' URI     document navigations during page dismissal events. An     attacker can exploit this to bypass the same-origin     policy. (CVE-2015-6768)

  - A same-origin bypass vulnerability exists due to a flaw     that is triggered when committing a provisional load and     handling the window proxy. An attacker can exploit this     to bypass the same-origin policy. (CVE-2015-6769)

  - A same-origin bypass vulnerability exists due to a flaw     in DOM. An attacker can exploit this to bypass the     same-origin policy. (CVE-2015-6770)

  - An out-of-bounds access error exists in Google V8     related Map and Filter array construction. An attacker     can exploit this to have an unspecified impact.
    (CVE-2015-6771)

  - A same-origin bypass vulnerability exists due to a flaw     that is triggered when navigating to a 'javascript:' URI     and detaching the document. An attacker can exploit this     to bypass the same-origin policy. (CVE-2015-6772)

  - An out-of-bounds access error exists in Google Skia     related to the handling of rows. An attacker can exploit     this to have an unspecified impact. (CVE-2015-6773)

  - A use-after-free error exists in the GetLoadTimes()     function. An unauthenticated, remote attacker can     exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2015-6774)

  - A type confusion error exists in Google PDFium. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2015-6775)

  - An heap-based overflow condition exists in OpenJPEG in     the opj_dwt_decode() function due to improper validation     of user-supplied input. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-6776)

  - A use-after-free error exists in the     notifyNodeInsertedInternal() function. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2015-6777)

  - An out-of-bounds access error exists in Google PDFium.
    An attacker can exploit this to have an unspecified     impact. (CVE-2015-6778)

  - A security bypass vulnerability exists in Google PDFium     due to improper restriction of certain URLs (e.g. allows     working links to 'chrome://'). An attacker can exploit     this to bypass intended access restrictions.
    (CVE-2015-6779)

  - A use-after-free error exists that is triggered when     handling the origin info bubble. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2015-6780)

  - An integer overflow condition exists in Google sfntly     due to improper validation of user-supplied input. An     attacker can exploit this to have an unspecified impact.
    (CVE-2015-6781)

  - A content spoofing vulnerability exists due to a flaw in     the Document::open() function that is triggered when     handling page dismissal events. An attacker can exploit     this to spoof omnibox content. (CVE-2015-6782)

  - A security bypass vulnerability exists in Google Android     Crazy Linker that is triggered when searching for the     zip EOCD record signature. An attacker can exploit this     to bypass signature validation. (CVE-2015-6783)

  - A flaw exists that is triggered as '--' in the page URL     is not escaped by the page serializer when saving pages.
    An attacker can exploit this to inject text that is     treated as HTML content. (CVE-2015-6784)

  - A security bypass vulnerability exists that is triggered     when matching Content Security Policy (CSP) source lists     containing wildcards. An attacker can exploit this to     bypass CSP restrictions. (CVE-2015-6785)

  - A security bypass vulnerability exists due to a flaw     that is triggered when matching 'data:', 'blob:', and     'filesystem:' URIs against wildcards. An attacker can     exploit this to bypass CSP restrictions. (CVE-2015-6786)

  - Multiple unspecified flaws exist that allow an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2015-6787)

The version of Google Chrome installed on the remote Windows host is prior to 47.0.2526.73. It is, therefore, affected by multiple vulnerabilities :

  - An out-of-bounds access error exists in Google V8 that     is triggered when loading array elements. An attacker     can exploit this to have an unspecified impact.
    (CVE-2015-6764)

  - A use-after-free error exists that is triggered when     handling updates. An unauthenticated, remote attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2015-6765)

  - A use-after-free error exists in AppCache that is     triggered when handling updates. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2015-6766)

  - A use-after-free error exists in the     OnChannelConnected() function. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2015-6767)

  - A same-origin bypass vulnerability exists due to a flaw     that is triggered when handling 'javascript:' URI     document navigations during page dismissal events. An     attacker can exploit this to bypass the same-origin     policy. (CVE-2015-6768)

  - A same-origin bypass vulnerability exists due to a flaw     that is triggered when committing a provisional load and     handling the window proxy. An attacker can exploit this     to bypass the same-origin policy. (CVE-2015-6769)

  - A same-origin bypass vulnerability exists due to a flaw     in DOM. An attacker can exploit this to bypass the     same-origin policy. (CVE-2015-6770)

  - An out-of-bounds access error exists in Google V8     related Map and Filter array construction. An attacker     can exploit this to have an unspecified impact.
    (CVE-2015-6771)

  - A same-origin bypass vulnerability exists due to a flaw     that is triggered when navigating to a 'javascript:' URI     and detaching the document. An attacker can exploit this     to bypass the same-origin policy. (CVE-2015-6772)

  - An out-of-bounds access error exists in Google Skia     related to the handling of rows. An attacker can exploit     this to have an unspecified impact. (CVE-2015-6773)

  - A use-after-free error exists in the GetLoadTimes()     function. An unauthenticated, remote attacker can     exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2015-6774)

  - A type confusion error exists in Google PDFium. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2015-6775)

  - An heap-based overflow condition exists in OpenJPEG in     the opj_dwt_decode() function due to improper validation     of user-supplied input. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-6776)

  - A use-after-free error exists in the     notifyNodeInsertedInternal() function. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2015-6777)

  - An out-of-bounds access error exists in Google PDFium.
    An attacker can exploit this to have an unspecified     impact. (CVE-2015-6778)

  - A security bypass vulnerability exists in Google PDFium     due to improper restriction of certain URLs (e.g.,     working links to 'chrome://' are allowed). An attacker     can exploit this to bypass intended access restrictions.
    (CVE-2015-6779)

  - A use-after-free error exists that is triggered when     handling the origin info bubble. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2015-6780)

  - An integer overflow condition exists in Google sfntly     due to improper validation of user-supplied input. An     attacker can exploit this to have an unspecified impact.
    (CVE-2015-6781)

  - A content spoofing vulnerability exists due to a flaw in     the Document::open() function that is triggered when     handling page dismissal events. An attacker can exploit     this to spoof omnibox content. (CVE-2015-6782)

  - A security bypass vulnerability exists in Google Android     Crazy Linker that is triggered when searching for the     zip EOCD record signature. An attacker can exploit this     to bypass signature validation. (CVE-2015-6783)

  - A flaw exists that is triggered as '--' in the page URL     is not escaped by the page serializer when saving pages.
    An attacker can exploit this to inject text that is     treated as HTML content. (CVE-2015-6784)

  - A security bypass vulnerability exists that is triggered     when matching Content Security Policy (CSP) source lists     containing wildcards. An attacker can exploit this to     bypass CSP restrictions. (CVE-2015-6785)

  - A security bypass vulnerability exists due to a flaw     that is triggered when matching 'data:', 'blob:', and     'filesystem:' URIs against wildcards. An attacker can     exploit this to bypass CSP restrictions. (CVE-2015-6786)

  - Multiple unspecified flaws exist that allow an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2015-6787)

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2015-6764, CVE-2015-6765, CVE-2015-6766, CVE-2015-6767, CVE-2015-6768, CVE-2015-6769, CVE-2015-6770, CVE-2015-6771, CVE-2015-6772, CVE-2015-6773, CVE-2015-6774, CVE-2015-6775, CVE-2015-6776, CVE-2015-6777, CVE-2015-6778, CVE-2015-6779, CVE-2015-6780, CVE-2015-6781, CVE-2015-6782, CVE-2015-6784, CVE-2015-6785, CVE-2015-6786, CVE-2015-6787)

All Chromium users should upgrade to these updated packages, which contain Chromium version 47.0.2526.73, which corrects these issues.
After installing the update, Chromium must be restarted for the changes to take effect.

Google Chrome Releases reports :

41 security fixes in this release, including :

- [558589] Critical CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous.

- [551044] High CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous.

- [554908] High CVE-2015-6767: Use-after-free in AppCache. Credit to anonymous.

- [556724] High CVE-2015-6768: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.

- [534923] High CVE-2015-6769: Cross-origin bypass in core. Credit to Mariusz Mlynski.

- [541206] High CVE-2015-6770: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.

- [544991] High CVE-2015-6771: Out of bounds access in v8. Credit to anonymous.

- [546545] High CVE-2015-6772: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.

- [554946] High CVE-2015-6764: Out of bounds access in v8. Credit to Guang Gong of Qihoo 360 via pwn2own.

- [491660] High CVE-2015-6773: Out of bounds access in Skia. Credit to cloudfuzzer.

- [549251] High CVE-2015-6774: Use-after-free in Extensions. Credit to anonymous.

- [529012] High CVE-2015-6775: Type confusion in PDFium. Credit to Atte Kettunen of OUSPG.

- [457480] High CVE-2015-6776: Out of bounds access in PDFium. Credit to Hanno Bock.

- [544020] High CVE-2015-6777: Use-after-free in DOM. Credit to Long Liu of Qihoo 360Vulcan Team.

- [514891] Medium CVE-2015-6778: Out of bounds access in PDFium.
Credit to Karl Skomski.

- [528505] Medium CVE-2015-6779: Scheme bypass in PDFium. Credit to Til Jasper Ullrich.

- [490492] Medium CVE-2015-6780: Use-after-free in Infobars. Credit to Khalil Zhani.

- [497302] Medium CVE-2015-6781: Integer overflow in Sfntly. Credit to miaubiz.

- [536652] Medium CVE-2015-6782: Content spoofing in Omnibox. Credit to Luan Herrera.

- [537205] Medium CVE-2015-6783: Signature validation issue in Android Crazy Linker. Credit to Michal Bednarski.

- [503217] Low CVE-2015-6784: Escaping issue in saved pages. Credit to Inti De Ceukelaire.

- [534542] Low CVE-2015-6785: Wildcard matching issue in CSP. Credit to Michael Ficarra / Shape Security.

- [534570] Low CVE-2015-6786: Scheme bypass in CSP. Credit to Michael Ficarra / Shape Security.

- [563930] CVE-2015-6787: Various fixes from internal audits, fuzzing and other initiatives.

- Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch (currently 4.7.80.23).

ID	Name	Product	Family	Severity
89902	GLSA-201603-09 : Chromium: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
87488	openSUSE Security Update : Chromium (openSUSE-2015-912)	Nessus	SuSE Local Security Checks	critical
87320	Ubuntu 14.04 LTS / 15.04 / 15.10 : oxide-qt vulnerabilities (USN-2825-1)	Nessus	Ubuntu Local Security Checks	critical
87289	Debian DSA-3415-1 : chromium-browser - security update	Nessus	Debian Local Security Checks	critical
87207	Google Chrome < 47.0.2526.73 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	critical
87206	Google Chrome < 47.0.2526.73 Multiple Vulnerabilities	Nessus	Windows	critical
87195	RHEL 6 : chromium-browser (RHSA-2015:2545)	Nessus	Red Hat Local Security Checks	critical
87177	FreeBSD : chromium -- multiple vulnerabilities (548f74bd-993c-11e5-956b-00262d5ed8ee)	Nessus	FreeBSD Local Security Checks	critical

CVE-2015-6767

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins