openSUSE Security Update : chromium (openSUSE-SU-2013:0454-1)

high Nessus Plugin ID 74920

Synopsis

The remote openSUSE host is missing a security update.

Description

chromium was updated to version 27.0.1425, which includes both stability and security fixes:

- Bug and stability fixes:

- Fixed crash after clicking through malware warning. (Issue: 173986)

- Fixed broken command line to create extensions with locale info (Issue: 176187)

- Hosted apps in Chrome will always be opened from app launcher. (Issue: 176267)

- Added modal confirmation dialog to the enterprise profile sign-in flow. (Issue: 171236)

- Fixed a crash with autofill. (Issues: 175454, 176576)

- Fixed issues with sign-in. (Issues: 175672, 175819, 175541, 176190)

- Fixed spurious profile shortcuts created with a system-level install. (Issue: 177047)

- Fixed the background tab flashing with certain themes. (Issue: 175426)

- Security Fixes: (bnc#804986)

- High CVE-2013-0879: Memory corruption with web audio node

- High CVE-2013-0880: Use-after-free in database handling

- Medium CVE-2013-0881: Bad read in Matroska handling

- High CVE-2013-0882: Bad memory access with excessive SVG parameters.

- Medium CVE-2013-0883: Bad read in Skia.

- Low CVE-2013-0884: Inappropriate load of NaCl.

- Medium CVE-2013-0885: Too many API permissions granted to web store

- Medium CVE-2013-0886: Incorrect NaCl signal handling.

- Low CVE-2013-0887: Developer tools process has too many permissions and places too much trust in the connected server

- Medium CVE-2013-0888: Out-of-bounds read in Skia

- Low CVE-2013-0889: Tighten user gesture check for dangerous file downloads.

- High CVE-2013-0890: Memory safety issues across the IPC layer.

- High CVE-2013-0891: Integer overflow in blob handling.

- Medium CVE-2013-0892: Lower severity issues across the IPC layer

- Medium CVE-2013-0893: Race condition in media handling.

- High CVE-2013-0894: Buffer overflow in vorbis decoding.

- High CVE-2013-0895: Incorrect path handling in file copying.

- High CVE-2013-0896: Memory management issues in plug-in message handling

- Low CVE-2013-0897: Off-by-one read in PDF

- High CVE-2013-0898: Use-after-free in URL handling

- Low CVE-2013-0899: Integer overflow in Opus handling

- Medium CVE-2013-0900: Race condition in ICU

- Make adjustment for autodetection of the PepperFlash library. The PepperFlash package will hopefully soon be available through packman.

- Update to 26.0.1411

- Bug and stability fixes

- Update to 26.0.1403

- Bug and stability fixes

- Using system libxml2 requires system libxslt.

- Using system MESA does not work in i586 for some reason.

- Also use system MESA, factory version seems adequate now.

- Always use system libxml2.

- Restrict the usage of system libraries instead of the bundled ones to new products, too much hassle otherwise.

- Also link kerberos and libgps directly, do not dlopen them.

- Avoid using dlopen on system libraries; rpm and the package manager do not handle this at all. Tested for a few weeks and implemented with a macro so it can be easily disabled if problems arise.

- Use SOME system libraries instead of the bundled ones, tested for several weeks and implemented with a macro for easy enable/disable in case of trouble.

- Update to 26.0.1393

- Bug and stability fixes

- Security fixes

- Update to 26.0.1375

- Bug and stability fixes

- Update to 26.0.1371

- Bug and stability fixes

- Update to 26.0.1367

- Bug and stability fixes

Solution

Update the affected chromium packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=804986

https://lists.opensuse.org/opensuse-updates/2013-03/msg00045.html

Plugin Details

Severity: High

ID: 74920

File Name: openSUSE-2013-203.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:chromedriver, p-cpe:/a:novell:opensuse:chromedriver-debuginfo, p-cpe:/a:novell:opensuse:chromium, p-cpe:/a:novell:opensuse:chromium-debuginfo, p-cpe:/a:novell:opensuse:chromium-debugsource, p-cpe:/a:novell:opensuse:chromium-desktop-gnome, p-cpe:/a:novell:opensuse:chromium-desktop-kde, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo-debuginfo, p-cpe:/a:novell:opensuse:chromium-suid-helper, p-cpe:/a:novell:opensuse:chromium-suid-helper-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 3/9/2013

Reference Information

CVE: CVE-2013-0879, CVE-2013-0880, CVE-2013-0881, CVE-2013-0882, CVE-2013-0883, CVE-2013-0884, CVE-2013-0885, CVE-2013-0886, CVE-2013-0887, CVE-2013-0888, CVE-2013-0889, CVE-2013-0890, CVE-2013-0891, CVE-2013-0892, CVE-2013-0893, CVE-2013-0894, CVE-2013-0895, CVE-2013-0896, CVE-2013-0897, CVE-2013-0898, CVE-2013-0899, CVE-2013-0900