DSA-3985

100610

1039291

RHSA-2017:2676

https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop.html

https://crbug.com/747847

GLSA-201709-15

The version of Google Chrome installed on the remote host is prior to 61.0.3163.79, and is affected by multiple vulnerabilities :

 - A use-after-free flaw exists in WebAssembly that is triggered when async compilation is enabled. This may allow a context-dependent attacker to have an unspecified impact.
 - A flaw exists that is triggered when handling the 'ExternalInterface.'addCallback'()' ActionScript method, as it works across isolated worlds. This may allow a context-dependent attacker to bypass intended security restrictions.
 - A double-free condition exists in the 'celt_header()' function in 'libavformat/oggparsecelt.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially execute arbitrary code.
 - A use-after-poison flaw exists in the 'LocalFrameView::ForAllNonThrottledLocalFrameViews()' function in 'frame/LocalFrameView.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists that is triggered when handling maximum stack space exceeded exceptions in the WritableStream and
 - An flaw exists in the SSLCommonNameMismatchHandling feature that is triggered during redirect navigation and may result in using an HTTP URL. This may allow a MitM attacker to disclose the path of the original HTTPS URL.
 - A flaw exists in the 'SkArithmeticImageFilter::Make()' function related to use of uninitialized memory. This may allow a context-dependent attacker to have an unspecified impact.
 - A flaw exists that is triggered as the Content Security Policy (CSP) is not inherited when inheriting the security origin during main window navigation. This may allow a context-dependent attacker to bypass the Content Security Policy.
 - A flaw exists in the 'SkPathMeasure::getLength()' function in 'core/SkPathMeasure.cpp' related to use of uninitialized memory. This may allow a context-dependent attacker to crash a process linked against the library or potentially execute arbitrary code.
 - An out-of-bounds write flaw exists in the 'GetFirstArgumentAsBytes()' function in '/wasm/wasm-js.cc' that is triggered when processing WebAssembly code. This may allow a context-dependent attacker to manipulate memory content and execute arbitrary code.
 - A type confusion flaw exists in the 'VirtualObject::MergeFields()' function in 'compiler/escape-analysis.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitary code.
 - A flaw exists in 'core/fxcodec/codec/fx_codec_jpx_opj.cpp' that is triggered when management memory lifecycles. This may allow an context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the SkArenaAlloc class in 'core/SkArenaAlloc.cpp' that is triggered when allocating memory. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing to execute arbitrary code.
 - An overflow condition exists in the WebGL component that is triggered as certain input is not properly validated when handling ES3 pixel pack parameters. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists in the handling of CPWL_Wnd objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

An update of QtWebEngine to the security and bugfix release 5.9.2, including :

Chromium Snapshot :

  - Security fixes from Chromium up to version 61.0.3163.79     Including: CVE-2017-5092, CVE-2017-5093, CVE-2017-5095,     CVE-2017-5097, CVE-2017-5099, CVE-2017-5102,     CVE-2017-5103, CVE-2017-5107, CVE-2017-5112,     CVE-2017-5114, CVE-2017-5117 and CVE-2017-5118

  - Fixed Skia to to render text correctly with FreeType     2.8.1

  - [QTBUG-50389] Fixed assert on some flash content

QtWebEngine :

  - [QTBUG-57505] Handle --force-webrtc-ip-handling-policy     on command-line

  - [QTBUG-58306] Fixed handling of menu key

  - [QTBUG-60790] Fixed dragging images to desktop

  - [QTBUG-61354] Set referrer on download requests

  - [QTBUG-61429] Fixed cancelling IME composition

  - [QTBUG-61506] Stop searching when navigating away

  - [QTBUG-61910] Fixed an issue where system proxy settings     were not picked up correctly

  - [QTBUG-62112] Fixed upside-down rendering in software     rendering mode

  - [QTBUG-62112] Fixed rendering of content with     preserve-3d in CSS

  - [QTBUG-62311] Fixed hang when exiting with open combobox

  - [QTBUG-62808] Handle --explicitly-allowed-ports on     command-line

  - [QTBUG-62898] Fixed accessing webchannels from     document-creation user-scripts after navigation.

  - [QTBUG-62942] Fixed committing IME composition on touch     events

QWebEngineView :

  - [QTBUG-61621] Fixed propagation of unhandled key press     events

WebEngineView :

  - The callback version of printToPdf is now called with a     proper bytearray result instead of a PDF data in a     JavaScript string.

Platform Specific Changes :

  - [QTBUG-61528, QTBUG-62673] Fixed various multilib build     configurations

  - [QTBUG-61846] Fixed host builds on Arm and MIPS

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 61.0.3163.100. Security fix for CVE-2017-5111, CVE-2017-5112, CVE-2017-5113, CVE-2017-5114, CVE-2017-5115, CVE-2017-5116, CVE-2017-5117, CVE-2017-5118, CVE-2017-5119, CVE-2017-5120, CVE-2017-5121, CVE-2017-5122

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2017-5111     Luat Nguyen discovered a use-after-free issue in the     pdfium library.

  - CVE-2017-5112     Tobias Klein discovered a buffer overflow issue in the     webgl library.

  - CVE-2017-5113     A buffer overflow issue was discovered in the skia     library.

  - CVE-2017-5114     Ke Liu discovered a memory issue in the pdfium library.

  - CVE-2017-5115     Marco Giovannini discovered a type confusion issue in     the v8 JavaScript library.

  - CVE-2017-5116     Guang Gong discovered a type confusion issue in the v8     JavaScript library.

  - CVE-2017-5117     Tobias Klein discovered an uninitialized value in the     skia library.

  - CVE-2017-5118     WenXu Wu discovered a way to bypass the Content Security     Policy.

  - CVE-2017-5119     Another uninitialized value was discovered in the skia     library.

  - CVE-2017-5120     Xiaoyin Liu discovered a way downgrade HTTPS connections     during redirection.

  - CVE-2017-5121     Jordan Rabet discovered an out-of-bounds memory access     in the v8 JavaScript library.

  - CVE-2017-5122     Choongwoo Han discovered an out-of-bounds memory access     in the v8 JavaScript library.

The remote host is affected by the vulnerability described in GLSA-201709-15 (Chromium: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Chromium. Please review       the referenced CVE identifiers for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, obtain       sensitive information, bypass security restrictions, or spoof content.
  Workaround :

    There is no known workaround at this time.

This update for chromium to version 61.0.3163.79 fixes several issues.

These security issues were fixed :

  - CVE-2017-5111: Use after free in PDFium (boo#1057364).

  - CVE-2017-5112: Heap buffer overflow in WebGL     (boo#1057364).

  - CVE-2017-5113: Heap buffer overflow in Skia     (boo#1057364).

  - CVE-2017-5114: Memory lifecycle issue in PDFium     (boo#1057364).

  - CVE-2017-5115: Type confusion in V8 (boo#1057364).

  - CVE-2017-5116: Type confusion in V8 (boo#1057364).

  - CVE-2017-5117: Use of uninitialized value in Skia     (boo#1057364).

  - CVE-2017-5118: Bypass of Content Security Policy in     Blink (boo#1057364).

  - CVE-2017-5119: Use of uninitialized value in Skia     (boo#1057364).

  - CVE-2017-5120: Potential HTTPS downgrade during redirect     navigation (boo#1057364).

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 61.0.3163.79.

Security Fix(es) :

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2017-5111, CVE-2017-5112, CVE-2017-5113, CVE-2017-5114, CVE-2017-5115, CVE-2017-5116, CVE-2017-5117, CVE-2017-5118, CVE-2017-5119, CVE-2017-5120)

The version of Google Chrome installed on the remote macOS or Mac OS X host is prior to 61.0.3163.79. It is, therefore, affected by the following vulnerabilities :

  - A use-after-free error exists in PDFium. A unauthenticated, remote     attacker can exploit this to execute arbitrary code.
    (CVE-2017-5111)

  - A heap buffer overflow condition exists in WebGL that allows an     unauthenticated, remote attacker to execute arbitrary code.
    (CVE-2017-5112)

  - A heap buffer overflow condition exists in Skia that allows an     unauthenticated, remote attacker to execute arbitrary code.
    (CVE-2017-5113)

  - An unspecified memory lifecycle issue exists in PDFium that allow     an unauthenticated, remote attacker to have an unspecified impact     (CVE-2017-5114)

  - An unspecified type confusion errors exist in V8.
    (CVE-2017-5115, CVE-2017-5116)

  - An unspecified uninitialized value flaws exist in Skia that allows     an unauthenticated, remote attacker to have an unspecified impact.
    (CVE-2017-5117, CVE-2017-5119)

  - An unspecified security bypass vulnerability exists in Blink. An     unauthenticated, remote attacker can exploit this to bypass     content security policy. (CVE-2017-5118)

  - An unspecified flaw allows HTTPS downgrade during redirection.
    (CVE-2017-5120)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote Windows host is prior to 61.0.3163.79. It is, therefore, affected by the following vulnerabilities :

  - A use-after-free error exists in PDFium. A unauthenticated, remote     attacker can exploit this to execute arbitrary code.
    (CVE-2017-5111)

  - A heap buffer overflow condition exists in WebGL that allows an     unauthenticated, remote attacker to execute arbitrary code.
    (CVE-2017-5112)

  - A heap buffer overflow condition exists in Skia that allows an     unauthenticated, remote attacker to execute arbitrary code.
    (CVE-2017-5113)

  - An unspecified memory lifecycle issue exists in PDFium that allow     an unauthenticated, remote attacker to have an unspecified impact     (CVE-2017-5114)

  - An unspecified type confusion errors exist in V8.
    (CVE-2017-5115, CVE-2017-5116)

  - An unspecified uninitialized value flaws exist in Skia that allows     an unauthenticated, remote attacker to have an unspecified impact.
    (CVE-2017-5117, CVE-2017-5119)

  - An unspecified security bypass vulnerability exists in Blink. An     unauthenticated, remote attacker can exploit this to bypass     content security policy. (CVE-2017-5118)

  - An unspecified flaw allows HTTPS downgrade during redirection.
    (CVE-2017-5120)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

Google Chrome releases reports :

22 security fixes in this release, including :

- [737023] High CVE-2017-5111: Use after free in PDFium. Reported by Luat Nguyen on KeenLab, Tencent on 2017-06-27

- [740603] High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein on 2017-07-10

- [747043] High CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20

- [752829] High CVE-2017-5114: Memory life cycle issue in PDFium.
Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-08-07

- [744584] High CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17

- [759624] High CVE-2017-5116: Type confusion in V8. Reported by Anonymous on 2017-08-28

- [739190] Medium CVE-2017-5117: Use of uninitialized value in Skia.
Reported by Tobias Klein on 2017-07-04

- [747847] Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-07-24

- [725127] Medium CVE-2017-5119: Use of uninitialized value in Skia.
Reported by Anonymous on 2017-05-22

- [718676] Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu on 2017-05-05

- [762099] Various fixes from internal audits, fuzzing and other initiatives

ID	Name	Product	Family	Severity
700345	Google Chrome < 61.0.3163.79 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
105875	Fedora 27 : qt5-qtwebengine (2017-4f9bb0861b)	Nessus	Fedora Local Security Checks	medium
105815	Fedora 27 : chromium (2017-109f8db088)	Nessus	Fedora Local Security Checks	medium
104757	Fedora 25 : qt5-qtwebengine (2017-580f91f6b0)	Nessus	Fedora Local Security Checks	medium
104691	Fedora 26 : qt5-qtwebengine (2017-9a7e562fca)	Nessus	Fedora Local Security Checks	medium
103907	Fedora 26 : chromium (2017-efeb59171d)	Nessus	Fedora Local Security Checks	medium
103539	Debian DSA-3985-1 : chromium-browser - security update	Nessus	Debian Local Security Checks	medium
103443	GLSA-201709-15 : Chromium: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
103283	openSUSE Security Update : chromium (openSUSE-2017-1047)	Nessus	SuSE Local Security Checks	medium
103119	RHEL 6 : chromium-browser (RHSA-2017:2676)	Nessus	Red Hat Local Security Checks	medium
102994	Google Chrome < 61.0.3163.79 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	medium
102993	Google Chrome < 61.0.3163.79 Multiple Vulnerabilities	Nessus	Windows	medium
102988	FreeBSD : chromium -- multiple vulnerabilities (e1100e63-92f7-11e7-bd95-e8e0b747a45a)	Nessus	FreeBSD Local Security Checks	medium

CVE-2017-5118

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins