Debian DSA-3985-1 : chromium-browser - security update

medium Nessus Plugin ID 103539
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 8.9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2017-5111 Luat Nguyen discovered a use-after-free issue in the pdfium library.

- CVE-2017-5112 Tobias Klein discovered a buffer overflow issue in the webgl library.

- CVE-2017-5113 A buffer overflow issue was discovered in the skia library.

- CVE-2017-5114 Ke Liu discovered a memory issue in the pdfium library.

- CVE-2017-5115 Marco Giovannini discovered a type confusion issue in the v8 JavaScript library.

- CVE-2017-5116 Guang Gong discovered a type confusion issue in the v8 JavaScript library.

- CVE-2017-5117 Tobias Klein discovered an uninitialized value in the skia library.

- CVE-2017-5118 WenXu Wu discovered a way to bypass the Content Security Policy.

- CVE-2017-5119 Another uninitialized value was discovered in the skia library.

- CVE-2017-5120 Xiaoyin Liu discovered a way downgrade HTTPS connections during redirection.

- CVE-2017-5121 Jordan Rabet discovered an out-of-bounds memory access in the v8 JavaScript library.

- CVE-2017-5122 Choongwoo Han discovered an out-of-bounds memory access in the v8 JavaScript library.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (stretch), these problems have been fixed in version 61.0.3163.100-1~deb9u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2017-5111

https://security-tracker.debian.org/tracker/CVE-2017-5112

https://security-tracker.debian.org/tracker/CVE-2017-5113

https://security-tracker.debian.org/tracker/CVE-2017-5114

https://security-tracker.debian.org/tracker/CVE-2017-5115

https://security-tracker.debian.org/tracker/CVE-2017-5116

https://security-tracker.debian.org/tracker/CVE-2017-5117

https://security-tracker.debian.org/tracker/CVE-2017-5118

https://security-tracker.debian.org/tracker/CVE-2017-5119

https://security-tracker.debian.org/tracker/CVE-2017-5120

https://security-tracker.debian.org/tracker/CVE-2017-5121

https://security-tracker.debian.org/tracker/CVE-2017-5122

https://packages.debian.org/source/stretch/chromium-browser

https://www.debian.org/security/2017/dsa-3985

Plugin Details

Severity: Medium

ID: 103539

File Name: debian_DSA-3985.nasl

Version: 3.8

Type: local

Agent: unix

Published: 9/29/2017

Updated: 1/4/2021

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 8.9

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/28/2017

Vulnerability Publication Date: 10/27/2017

Reference Information

CVE: CVE-2017-5111, CVE-2017-5112, CVE-2017-5113, CVE-2017-5114, CVE-2017-5115, CVE-2017-5116, CVE-2017-5117, CVE-2017-5118, CVE-2017-5119, CVE-2017-5120, CVE-2017-5121, CVE-2017-5122

DSA: 3985