Ubuntu 14.04 LTS / 15.04 / 15.10 : oxide-qt vulnerabilities (USN-2877-1)

Ubuntu Security Notice (C) 2016 Canonical, Inc. / NASL script (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

A bad cast was discovered in V8. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via renderer crash or execute
arbitrary code with the privileges of the sandboxed render process.
(CVE-2016-1612)

An issue was discovered when initializing the
UnacceleratedImageBufferSurface class in Blink. If a user were tricked
into opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information.
(CVE-2016-1614)

An issue was discovered with the CSP implementation in Blink. If a
user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to determine whether specific
HSTS sites had been visited by reading a CSP report. (CVE-2016-1617)

An issue was discovered with the random number generator in Blink. An
attacker could potentially exploit this to defeat cryptographic
protection mechanisms. (CVE-2016-1618)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2016-1620)

Multiple security issues were discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via renderer crash or execute arbitrary code with the
privileges of the sandboxed render process. (CVE-2016-2051)

Multiple security issues were discovered in Harfbuzz. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via renderer
crash or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2016-2052)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected liboxideqtcore0 package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.4
(CVSS2#E:POC/RL:U/RC:ND)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 88455

Bugtraq ID:

CVE ID: CVE-2016-1612
CVE-2016-1614
CVE-2016-1617
CVE-2016-1618
CVE-2016-1620
CVE-2016-2051
CVE-2016-2052
