http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

openSUSE-SU-2016:1865

openSUSE-SU-2016:1868

openSUSE-SU-2016:1869

openSUSE-SU-2016:1918

RHSA-2016:1485

DSA-3637

92053

1036428

USN-3041-1

https://codereview.chromium.org/2082893005/

https://codereview.chromium.org/2091633002

https://crbug.com/618237

GLSA-201610-09

The remote host is affected by the vulnerability described in GLSA-201610-09 (Chromium: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Chromium web       browser. Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, obtain       sensitive information, or bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

The specific version of Chrome that the system is running is reportedly affected by the following vulnerabilities:

- Google Chrome contains a flaw in PPAPI that is triggered when handling certain messages not sent by the browser in the plugin broker process. This may allow a context-dependent attacker to bypass the sandbox. (CVE-2016-1706)

- Google Chrome for iOS contains a flaw in web/web_state/ui/crw_web_controller.mm that is triggered when handling invalid URLs. This may allow a context-dependent attacker to conduct URL spoofing attacks. (CVE-2016-1707)

- Google Chrome contains a use-after-free error related to extensions that may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 (CVE-2016-1708)

- Google sfntly contains an array indexing error in the ByteArray::Get() function in data/byte_array.cc that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-1709)

- Google Chrome contains a flaw in web/ChromeClientImpl.cpp that is triggered when handling creation of new windows by deferred frames. This may allow a context-dependent attacker to bypass the same-origin policy. (CVE-2016-1710)

- Google Chrome contains a flaw in core/loader/FrameLoader.cpp that is triggered when handling frame navigations during DocumentLoader detach. This may allow a context-dependent attacker to bypass the same-origin policy. (CVE-2016-1711)

- Google Chrome contains a use-after-free error in the previousLinePosition() function in core/editing/VisibleUnits.cpp. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5127)

- Google V8 contains an unspecified flaw which may allow a context-dependent attacker to bypass the same-origin policy. No further details have been provided by the vendor. (CVE-2016-5128)

- Google V8 contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-5129)

- Google Chrome contains a flaw in the HistoryController::UpdateForCommit() function in content/renderer/history_controller.cc. The issue is triggered when handling two forward navigations that compete in different frames. This may allow a context-dependent attacker to perform URL spoofing attacks. (CVE-2016-5130)

- Libxml2 contains a use-after-free error in the xmlXPtrRangeToFunction() function in xpointer.c. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5131)

- Google Chrome contains a flaw related to Service Workers that is triggered when handling subframes of an insecure context. This may allow a context-dependent attacker to perform a limited bypass of the same-origin policy. (CVE-2016-5132)

- Google Chrome contains a flaw related to proxy authentication that is triggere when handling origins. This may allow a context-dependent attacker to spoof the proxy server origin. (CVE-2016-5133)

- Google Chrome contains a flaw that is triggered as https:// URLs are not properly sanitized before being sent to PAC scripts. This may allow a context-dependent attacker to leak URLs. (CVE-2016-5134)

- Google Chrome contains a flaw in html/parser/HTMLPreloadScanner.cpp related to the handling of referrer policies. This may allow a context-dependent attacker to bypass the content security policy (CSP). (CVE-2016-5135)

- Google Chrome contains a use-after-free error in extensions/renderer/user_script_injector.cc that is triggered when handling UserScript pointers. This may allow a malicious extension to dereference already freed memory and potentially execute arbitrary code with elevated privileges. (CVE-2016-5136)

- Google Chrome contains a flaw in the CSPSource::portMatches() function in frame/csp/CSPSource.cpp related to HSTS and CSP when handling HTTP vs HTTPS ports in source expressions. This may allow a context-dependent attacker to disclose browsing history information. (CVE-2016-5137)

- Google Chrome contains a flaw in the LayoutBox::removeFloatingOrPositionedChildFromBlockLists() function in core/layout/LayoutBox.cpp that is triggered when handling LayoutView floats. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1705)

- Google Chrome contains a flaw in the Resource::canUseCacheValidator() function in core/fetch/Resource.cpp that is triggered when revalidating Resource with redirects. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-1705)

- Google Chrome contains a flaw in the Resource::willFollowRedirect() function in core/fetch/Resource.cpp that is triggered when handling redirect responses while revalidating resources. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-1705)

- Google Chrome contains a flaw in net/url_request/sdch_dictionary_fetcher.cc that is triggered when handling dictionary requests failing after receiving data. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-1705)

- Google Chrome contains a flaw in the ShapeResultSpacing::computeSpacing() function in platform/fonts/shaping/ShapeResultSpacing.cpp that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1705)

- Google Chrome contains a flaw in the Channel::Message::Deserialize() function in mojo/edk/system/channel.cc that is triggered when handling header sizes in channel messages. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1705)

- Google Chrome contains an unspecified flaw in Font::individualCharacterRanges() function in platform/fonts/Font.cpp, which may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-1705)

- Google WebRTC contains an out-of-bounds read flaw in the WebRtcIsacfix_PitchFilter() and WebRtcIsacfix_PitchFilterGains() functions in modules/audio_coding/codecs/isac/fix/source/pitch_filter.c that may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-1705)

- Google Chrome contains a flaw in org/chromium/chrome/browser/toolbar/CustomTabToolbarAnimationDelegate.java that is due to the program failing to properly load security icons on custom HTTP connection tabs. This may allow a context-dependent attacker to spoof valid icons. (CVE-2016-1705)

- Google Skia contains an integer overflow condition in the SkLinearGradient::LinearGradientContext::shade4_dx_clamp() function in effects/gradients/SkLinearGradient.cpp . The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-1705)

- libvpx contains an invalid read flaw in the setup_frame_size_with_refs() function in vp9/decoder/vp9_decodeframe.c that may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.

- Google Chrome contains an unspecified flaw in extensions that is triggered during the handling of NativeMessaging IDs. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-1705)

- Google Chrome contains an out-of-bounds read flaw in the HTMLMenuItemElement::defaultEventHandler() function in core/html/HTMLMenuItemElement.cpp that may allow a context-dependent attacker to potentially disclose memory contents. (CVE-2016-1705)

- Google Chrome contains an unspecified flaw in the GURL::ReplaceComponents() function in url/gurl.cc that is triggered during inner URL creation. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. (CVE-2016-1705)

- Google V8 contains an unspecified flaw that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor. (CVE-2016-1705)

The version of Google Chrome installed on the remote host is prior to 52.0.2743.82, and is affected by multiple vulnerabilities :

 - An out-of-bounds read flaw in the 'xmlParseEndTag2()' function in 'parser.c' is triggered when parsing an end tag. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - An out-of-bounds read flaw in the 'xmlNextChar()' function in 'parserInternals.c' is triggered when parsing characters in an XML file. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - An overflow condition in the 'htmlParseName()' and 'htmlParseNameComplex()' functions of 'HTMLparser.c' is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An integer overflow condition in the 'xmlParse3986Port()' function in 'uri.c' is triggered as user-supplied input is not properly validated when handling port numbers in the URL. This may allow a context-dependent attacker to have an unspecified impact.
 - An out-of-bounds under-read flaw in the 'xmlParseConditionalSections()' and 'xmlParseElementDecl()' functions in 'parser.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - A format string flaw in multiple functionalities is triggered as string format specifiers (e.g. %s and %x) are not properly used. This may allow a context-dependent attacker to potentially execute arbitrary code or cause a denial of service in a process linked against the library.
 - An out-of-bounds read flaw in the 'PairPosFormat1::sanitize()' function 'in hb-ot-layout-gpos-table.hh' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - A flaw in 'PPAPI' is triggered when handling certain messages not sent by the browser in the plugin broker process. This may allow a context-dependent attacker to bypass the sandbox.
 - A flaw in 'web/web_state/ui/crw_web_controller.mm' is triggered when handling invalid URLs. This may allow a context-dependent attacker to conduct URL spoofing attacks.
 - A use-after-free error related to extensions may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An array indexing error in the 'ByteArray::Get()' function in 'data/byte_array.cc' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
 - A flaw in 'web/ChromeClientImpl.cpp' is triggered when handling creation of new windows by deferred frames. This may allow a context-dependent attacker to bypass the same-origin policy.
 - A flaw in 'core/loader/FrameLoader.cpp' is triggered when handling frame navigations during 'DocumentLoader' detach. This may allow a context-dependent attacker to bypass the same-origin policy.
 - A use-after-free error in the 'previousLinePosition()' function in 'core/editing/VisibleUnits.cpp' may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An unspecified flaw may allow a context-dependent attacker to bypass the same-origin policy. No further details have been provided by the vendor.
 - A flaw is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and cause a denial of service in a process linked against the library or potentially execute arbitrary code.
 - A flaw in the 'HistoryController::UpdateForCommit()' function in 'content/renderer/history_controller.cc' is triggered when handling two forward navigations that compete in different frames. This may allow a context-dependent attacker to perform URL spoofing attacks.
 - A use-after-free error in the 'xmlXPtrRangeToFunction()' function in 'libxml/src/xpointer.c' may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw related to 'Service Workers' is triggered when handling subframes of an insecure context. This may allow a context-dependent attacker to perform a limited bypass of the same-origin policy.
 - A flaw related to proxy authentication is triggered when handling origins. This may allow a context-dependent attacker to spoof the proxy server origin.
 - A flaw that is triggered as 'https://' URLs are not properly sanitized before being sent to PAC scripts. This may allow a context-dependent attacker to leak URLs.
 - A flaw exists in 'html/parser/HTMLPreloadScanner.cpp' related to the handling of referrer policies. This may allow a context-dependent attacker to bypass the content security policy (CSP).
 - A use-after-free error in 'extensions/renderer/user_script_injector.cc' is triggered when handling 'UserScript' pointers. This may allow a malicious extension to dereference already freed memory and potentially execute arbitrary code with elevated privileges.
 - A flaw exists in the 'CSPSource::portMatches()' function in 'frame/csp/CSPSource.cpp' related to HSTS and CSP when handling HTTP vs HTTPS ports in source expressions. This may allow a context-dependent attacker to disclose browsing history information.
 - A flaw in the 'LayoutBox::removeFloatingOrPositionedChildFromBlockLists()' function in 'core/layout/LayoutBox.cpp' is triggered when handling 'LayoutView' floats. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw in the 'Resource::canUseCacheValidator()' function in 'core/fetch/Resource.cpp' is triggered when revalidating 'Resource' with redirects. This may allow a context-dependent attacker to have an unspecified impact.
 - A flaw in the 'Resource::willFollowRedirect()' function in 'core/fetch/Resource.cpp' is triggered when handling redirect responses while revalidating resources. This may allow a context-dependent attacker to have an unspecified impact.
 - A flaw in 'net/url_request/sdch_dictionary_fetcher.cc' is triggered when handling dictionary requests failing after receiving data. This may allow a context-dependent attacker to have an unspecified impact.
 - A flaw in the 'ShapeResultSpacing::computeSpacing()' function in 'platform/fonts/shaping/ShapeResultSpacing.cpp' is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw in the 'Channel::Message::Deserialize()' function in 'mojo/edk/system/channel.cc' is triggered when handling header sizes in channel messages. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - An unspecified flaw in 'Font::individualCharacterRanges()' function in 'platform/fonts/Font.cpp' may allow a context-dependent attacker to have an unspecified impact.
 - An out-of-bounds read flaw in the 'WebRtcIsacfix_PitchFilter()' and 'WebRtcIsacfix_PitchFilterGains()' functions in 'modules/audio_coding/codecs/isac/fix/source/pitch_filter.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - A flaw exists in 'org/chromium/chrome/browser/toolbar/CustomTabToolbarAnimationDelegate.java' due to the program failing to properly load security icons on custom HTTP connection tabs. This may allow a context-dependent attacker to spoof valid icons.
 - An integer overflow condition in the 'SkLinearGradient::LinearGradientContext::shade4_dx_clamp()' function in 'effects/gradients/SkLinearGradient.cpp' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact.
 - An invalid read flaw in the 'setup_frame_size_with_refs()' function in 'vp9/decoder/vp9_decodeframe.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - An unspecified flaw exists within 'extensions' that is triggered during the handling of 'NativeMessaging' IDs. This may allow a context-dependent attacker to have an unspecified impact.
 - An out-of-bounds read flaw in the 'HTMLMenuItemElement::defaultEventHandler()' function in 'core/html/HTMLMenuItemElement.cpp' may allow a context-dependent attacker to potentially disclose memory contents.
 - An unspecified flaw in 'core/SkDraw.cpp' is triggered during the handling of unusual coordinates on text drawings. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
 - An unspecified flaw in the 'PseudoTcp::parse()' function in 'p2p/base/pseudotcp.cc' is triggered during the handling of header sizes. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
 - An unspecified flaw in the 'GURL::ReplaceComponents()' function in 'url/gurl.cc' is triggered during inner URL creation. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
 - An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.

Multiple security issues were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service (application crash) or execute arbitrary code.
(CVE-2016-1705)

It was discovered that the PPAPI implementation does not validate the origin of IPC messages to the plugin broker process. A remote attacker could potentially exploit this to bypass sandbox protection mechanisms. (CVE-2016-1706)

It was discovered that Blink does not prevent window creation by a deferred frame. A remote attacker could potentially exploit this to bypass same origin restrictions. (CVE-2016-1710)

It was discovered that Blink does not disable frame navigation during a detach operation on a DocumentLoader object. A remote attacker could potentially exploit this to bypass same origin restrictions.
(CVE-2016-1711)

A use-after-free was discovered in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer process crash, or execute arbitrary code. (CVE-2016-5127)

It was discovered that objects.cc in V8 does not prevent API interceptors from modifying a store target without setting a property.
A remote attacker could potentially exploit this to bypass same origin restrictions. (CVE-2016-5128)

A memory corruption was discovered in V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer process crash, or execute arbitrary code. (CVE-2016-5129)

A security issue was discovered in Chromium. A remote attacker could potentially exploit this to spoof the currently displayed URL.
(CVE-2016-5130)

A use-after-free was discovered in libxml. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer process crash, or execute arbitrary code. (CVE-2016-5131)

The Service Workers implementation in Chromium does not properly implement the Secure Contexts specification during decisions about whether to control a subframe. A remote attacker could potentially exploit this to bypass same origin restrictions. (CVE-2016-5132)

It was discovered that Chromium mishandles origin information during proxy authentication. A man-in-the-middle attacker could potentially exploit this to spoof a proxy authentication login prompt.
(CVE-2016-5133)

It was discovered that the Proxy Auto-Config (PAC) feature in Chromium does not ensure that URL information is restricted to a scheme, host and port. A remote attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5134)

It was discovered that Blink does not consider referrer-policy information inside an HTML document during a preload request. A remote attacker could potentially exploit this to bypass Content Security Policy (CSP) protections. (CVE-2016-5135)

It was discovered that the Content Security Policy (CSP) implementation in Blink does not apply http :80 policies to https :443 URLs. A remote attacker could potentially exploit this to determine whether a specific HSTS website has been visited by reading a CSP report. (CVE-2016-5137).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2016-1704     The chrome development team found and fixed various     issues during internal auditing.

  - CVE-2016-1705     The chrome development team found and fixed various     issues during internal auditing.

  - CVE-2016-1706     Pinkie Pie discovered a way to escape the Pepper Plugin     API sandbox.

  - CVE-2016-1707     xisigr discovered a URL spoofing issue.

  - CVE-2016-1708     Adam Varsan discovered a use-after-free issue.

  - CVE-2016-1709     ChenQin discovered a buffer overflow issue in the sfntly     library.

  - CVE-2016-1710     Mariusz Mlynski discovered a same-origin bypass.

  - CVE-2016-1711     Mariusz Mlynski discovered another same-origin bypass.

  - CVE-2016-5127     cloudfuzzer discovered a use-after-free issue.

  - CVE-2016-5128     A same-origin bypass issue was discovered in the v8     JavaScript library.

  - CVE-2016-5129     Jeonghoon Shin discovered a memory corruption issue in     the v8 JavaScript library.

  - CVE-2016-5130     Widih Matar discovered a URL spoofing issue.

  - CVE-2016-5131     Nick Wellnhofer discovered a use-after-free issue in the     libxml2 library.

  - CVE-2016-5132     Ben Kelly discovered a same-origin bypass.

  - CVE-2016-5133     Patch Eudor discovered an issue in proxy authentication.

  - CVE-2016-5134     Paul Stone discovered an information leak in the Proxy     Auto-Config feature.

  - CVE-2016-5135     ShenYeYinJiu discovered a way to bypass the Content     Security Policy.

  - CVE-2016-5136     Rob Wu discovered a use-after-free issue.

  - CVE-2016-5137     Xiaoyin Liu discovered a way to discover whether an HSTS     website had been visited.

Chromium was updated to 52.0.2743.82 to fix the following security issues (boo#989901) :

  - CVE-2016-1706: Sandbox escape in PPAPI

  - CVE-2016-1707: URL spoofing on iOS

  - CVE-2016-1708: Use-after-free in Extensions

  - CVE-2016-1709: Heap-buffer-overflow in sfntly

  - CVE-2016-1710: Same-origin bypass in Blink

  - CVE-2016-1711: Same-origin bypass in Blink

  - CVE-2016-5127: Use-after-free in Blink

  - CVE-2016-5128: Same-origin bypass in V8

  - CVE-2016-5129: Memory corruption in V8

  - CVE-2016-5130: URL spoofing

  - CVE-2016-5131: Use-after-free in libxml

  - CVE-2016-5132: Limited same-origin bypass in Service     Workers

  - CVE-2016-5133: Origin confusion in proxy authentication

  - CVE-2016-5134: URL leakage via PAC script

  - CVE-2016-5135: Content-Security-Policy bypass

  - CVE-2016-5136: Use after free in extensions

  - CVE-2016-5137: History sniffing with HSTS and CSP

  - CVE-2016-1705: Various fixes from internal audits,     fuzzing and other initiatives

The version of Google Chrome installed on the remote Mac OS X host is prior to 52.0.2743.82. It is, therefore, affected by multiple vulnerabilities :

  - Multiple unspecified vulnerabilities exist that allow a     remote attacker to cause a denial of service condition     or possibly have other impact via unknown vectors.
    (CVE-2016-1705)

  - A sandbox protection bypass vulnerability exists in     PPAPI due to a failure to validate the origin of IPC     messages to the plugin broker process. An     unauthenticated, remote attacker can exploit this to     bypass the sandbox. (CVE-2016-1706)

  - A use-after-free error exists in Extensions due to a     failure to consider object lifetimes during progress     observation. An unauthenticated, remote attacker can     exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-1708)

  - An array indexing error exists in the ByteArray::Get()     function in data/byte_array.cc due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-1709)

  - A same-origin bypass vulnerability exists in Blink due     to a failure to prevent window creation by a deferred     frame. A remote attacker can exploit this to bypass the     same-origin policy. (CVE-2016-1710)

  - A same-origin bypass vulnerability exists in Blink due     to a failure to disable frame navigation during a detach     operation on a DocumentLoader object. A remote attacker     can exploit this to bypass the same-origin policy.
    (CVE-2016-1711)

  - A use-after-free error exists in Blink in the     previousLinePosition() function. An unauthenticated,     remote attacker can exploit this, via crafted JavaScript     code involving an @import at-rule in a Cascading Style     Sheets (CSS) token sequence in conjunction with a     rel=import attribute of a LINK element, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2016-5127)

  - A same-origin bypass vulnerability exists in Google V8     due to a failure to prevent API interceptors from     modifying a store target without setting a property. A     remote attacker can exploit this to bypass the     same-origin policy. (CVE-2016-5128)

  - A flaw exists in V8 due to improper processing of     left-trimmed objects. An unauthenticated, remote     attacker can exploit this, via crafted JavaScript code,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2016-5129)

  - A flaw exists that is triggered when handling two     forward navigations that compete in different frames. A     remote attacker can exploit this to conduct a URL     spoofing attack. (CVE-2016-5130)

  - A use-after-free error exists in libxml2 in the     xmlXPtrRangeToFunction() function. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2016-5131)

  - A same-origin bypass vulnerability exists in the Service     Workers subsystem due to a failure to properly implement     the Secure Contexts specification during decisions about     whether to control a subframe. A remote attacker can     exploit this to bypass the same-origin policy.
    (CVE-2016-5132)

  - A flaw exists in the handling of origin information     during proxy authentication that allows a     man-in-the-middle attacker to spoof a     proxy-authentication login prompt or trigger incorrect     credential storage by modifying the client-server data     stream. (CVE-2016-5133)

  - A validation flaw exists in the Proxy Auto-Config (PAC)     feature due to a failure to ensure that URL information     is restricted to a scheme, host, and port. A remote     attacker can exploit this to disclose credentials by     operating a server with a PAC script. (CVE-2016-5134)

  - A cross-origin bypass vulnerability exists in Blink due     to a failure to consider referrer-policy information     inside an HTML document during a preload request. A     remote attacker can exploit this to bypass the Content     Security Policy (CSP) protection mechanism.
    (CVE-2016-5135)

  - A use-after-free error exists in Extensions that allows     a remote attacker to dereference already freed memory,     resulting in the execution of arbitrary code with     elevated privileges. (CVE-2016-5136)

  - An information disclosure vulnerability exists in Blink     when handling HTTP vs HTTPs ports in source expressions.
    An unauthenticated, remote attacker can exploit this to     determine whether a specific HTTP Strict Transport     Security (HSTS) web site has been visited by reading a     CSP report. (CVE-2016-5137)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote Windows host is prior to 52.0.2743.82. It is, therefore, affected by multiple vulnerabilities :

  - Multiple unspecified vulnerabilities exist that allow a     remote attacker to cause a denial of service condition     or possibly have other impact via unknown vectors.
    (CVE-2016-1705)

  - A sandbox protection bypass vulnerability exists in     PPAPI due to a failure to validate the origin of IPC     messages to the plugin broker process. An     unauthenticated, remote attacker can exploit this to     bypass the sandbox. (CVE-2016-1706)

  - A use-after-free error exists in Extensions due to a     failure to consider object lifetimes during progress     observation. An unauthenticated, remote attacker can     exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-1708)

  - An array indexing error exists in the ByteArray::Get()     function in data/byte_array.cc due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.
    (CVE-2016-1709)

  - A same-origin bypass vulnerability exists in Blink due     to a failure to prevent window creation by a deferred     frame. A remote attacker can exploit this to bypass the     same-origin policy. (CVE-2016-1710)

  - A same-origin bypass vulnerability exists in Blink due     to a failure to disable frame navigation during a detach     operation on a DocumentLoader object. A remote attacker     can exploit this to bypass the same-origin policy.
    (CVE-2016-1711)

  - A use-after-free error exists in Blink in the     previousLinePosition() function. An unauthenticated,     remote attacker can exploit this, via crafted JavaScript     code involving an @import at-rule in a Cascading Style     Sheets (CSS) token sequence in conjunction with a     rel=import attribute of a LINK element, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2016-5127)

  - A same-origin bypass vulnerability exists in Google V8     due to a failure to prevent API interceptors from     modifying a store target without setting a property. A     remote attacker can exploit this to bypass the     same-origin policy. (CVE-2016-5128)

  - A flaw exists in V8 due to improper processing of     left-trimmed objects. An unauthenticated, remote     attacker can exploit this, via crafted JavaScript code,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2016-5129)

  - A flaw exists that is triggered when handling two     forward navigations that compete in different frames. A     remote attacker can exploit this to conduct a URL     spoofing attack. (CVE-2016-5130)

  - A use-after-free error exists in libxml2 in the     xmlXPtrRangeToFunction() function. An unauthenticated,     remote attacker can exploit this to dereference already     freed memory, resulting in the execution of arbitrary     code. (CVE-2016-5131)

  - A same-origin bypass vulnerability exists in the Service     Workers subsystem due to a failure to properly implement     the Secure Contexts specification during decisions about     whether to control a subframe. A remote attacker can     exploit this to bypass the same-origin policy.
    (CVE-2016-5132)

  - A flaw exists in the handling of origin information     during proxy authentication that allows a     man-in-the-middle attacker to spoof a     proxy-authentication login prompt or trigger incorrect     credential storage by modifying the client-server data     stream. (CVE-2016-5133)

  - A validation flaw exists in the Proxy Auto-Config (PAC)     feature due to a failure to ensure that URL information     is restricted to a scheme, host, and port. A remote     attacker can exploit this to disclose credentials by     operating a server with a PAC script. (CVE-2016-5134)

  - A cross-origin bypass vulnerability exists in Blink due     to a failure to consider referrer-policy information     inside an HTML document during a preload request. A     remote attacker can exploit this to bypass the Content     Security Policy (CSP) protection mechanism.
    (CVE-2016-5135)

  - A use-after-free error exists in Extensions that allows     a remote attacker to dereference already freed memory,     resulting in the execution of arbitrary code with     elevated privileges. (CVE-2016-5136)

  - An information disclosure vulnerability exists in Blink     when handling HTTP vs HTTPs ports in source expressions.
    An unauthenticated, remote attacker can exploit this to     determine whether a specific HTTP Strict Transport     Security (HSTS) web site has been visited by reading a     CSP report. (CVE-2016-5137)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 52.0.2743.82.

Security Fix(es) :

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2016-1706, CVE-2016-1708, CVE-2016-1709, CVE-2016-1710, CVE-2016-1711, CVE-2016-5127, CVE-2016-5128, CVE-2016-5129, CVE-2016-5130, CVE-2016-5131, CVE-2016-5132, CVE-2016-5133, CVE-2016-5134, CVE-2016-5135, CVE-2016-5136, CVE-2016-5137, CVE-2016-1705)

Google Chrome Releases reports :

48 security fixes in this release, including :

- [610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie xisigr of Tencent's Xuanwu Lab

- [613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan

- [614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team

- [616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski

- [617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski

- [618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer

- [619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous

- [620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin

- [623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar

- [623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer

- [607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly

- [613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor

- [593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone

- [605451] Medium CVE-2016-5135: Content-Security-Policy bypass.
Credit to kingxwy

- [625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu

- [625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP.
Credit to Xiaoyin Liu

- [629852] CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives.

ID	Name	Product	Family	Severity
94420	GLSA-201610-09 : Chromium: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
802027	Chrome < 52.0.2743.82 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
9480	Google Chrome < 52.0.2743.82 Multiple Vulnerabilites	Nessus Network Monitor	Web Clients	critical
92784	Ubuntu 14.04 LTS / 16.04 LTS : oxide-qt vulnerabilities (USN-3041-1)	Nessus	Ubuntu Local Security Checks	high
92666	Debian DSA-3637-1 : chromium-browser - security update	Nessus	Debian Local Security Checks	high
92655	openSUSE Security Update : Chromium (openSUSE-2016-919)	Nessus	SuSE Local Security Checks	high
92629	Google Chrome < 52.0.2743.82 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
92628	Google Chrome < 52.0.2743.82 Multiple Vulnerabilities	Nessus	Windows	high
92552	RHEL 6 : chromium-browser (RHSA-2016:1485)	Nessus	Red Hat Local Security Checks	high
92551	openSUSE Security Update : Chromium (openSUSE-2016-901)	Nessus	SuSE Local Security Checks	high
92550	openSUSE Security Update : Chromium (openSUSE-2016-900)	Nessus	SuSE Local Security Checks	high
92537	FreeBSD : chromium -- multiple vulnerabilities (6fae9fe1-5048-11e6-8aa7-3065ec8fd3ec)	Nessus	FreeBSD Local Security Checks	high

CVE-2016-5127

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins