openSUSE Security Update : chromium (openSUSE-SU-2013:0454-1)

High Nessus Plugin ID 74920


VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

chromium was updated to version 27.0.1425, which includes both stability and security fixes:

- Bug and stability fixes :

- Fixed crash after clicking through malware warning. (Issue: 173986)

- Fixed broken command line to create extensions with locale info (Issue: 176187)

- Hosted apps in Chrome will always be opened from app launcher. (Issue: 176267)

- Added modal confirmation dialog to the enterprise profile sign-in flow. (Issue: 171236)

- Fixed a crash with autofill. (Issues: 175454, 176576)

- Fixed issues with sign-in. (Issues: 175672, 175819, 175541, 176190)

- Fixed spurious profile shortcuts created with a system-level install. (Issue: 177047)

- Fixed the background tab flashing with certain themes. (Issue: 175426)

- Security Fixes: (bnc#804986)

- High CVE-2013-0879: Memory corruption with web audio node

- High CVE-2013-0880: Use-after-free in database handling

- Medium CVE-2013-0881: Bad read in Matroska handling

- High CVE-2013-0882: Bad memory access with excessive SVG parameters.

- Medium CVE-2013-0883: Bad read in Skia.

- Low CVE-2013-0884: Inappropriate load of NaCl.

- Medium CVE-2013-0885: Too many API permissions granted to web store

- Medium CVE-2013-0886: Incorrect NaCl signal handling.

- Low CVE-2013-0887: Developer tools process has too many permissions and places too much trust in the connected server

- Medium CVE-2013-0888: Out-of-bounds read in Skia

- Low CVE-2013-0889: Tighten user gesture check for dangerous file downloads.

- High CVE-2013-0890: Memory safety issues across the IPC layer.

- High CVE-2013-0891: Integer overflow in blob handling.

- Medium CVE-2013-0892: Lower severity issues across the IPC layer

- Medium CVE-2013-0893: Race condition in media handling.

- High CVE-2013-0894: Buffer overflow in vorbis decoding.

- High CVE-2013-0895: Incorrect path handling in file copying.

- High CVE-2013-0896: Memory management issues in plug-in message handling

- Low CVE-2013-0897: Off-by-one read in PDF

- High CVE-2013-0898: Use-after-free in URL handling

- Low CVE-2013-0899: Integer overflow in Opus handling

- Medium CVE-2013-0900: Race condition in ICU

- Adjust autodetection of the PepperFlash library. The PepperFlash package will hopefully soon be available through Packman.

- Update to 26.0.1411

- Bug and stability fixes

- Update to 26.0.1403

- Bug and stability fixes

- Using system libxml2 requires system libxslt.

- Using system MESA does not work in i586 for some reason.

- Also use system MESA; the factory version seems adequate now.

- Always use system libxml2.

- Restrict the usage of system libraries instead of the bundled ones to new products, too much hassle otherwise.

- Also link kerberos and libgps directly, do not dlopen them.

- Avoid using dlopen on system libraries; rpm and the package manager do not handle this at all. Tested for a few weeks and implemented with a macro so it can be easily disabled if problems arise.

- Use SOME system libraries instead of the bundled ones. Tested for several weeks and implemented with a macro for easy enable/disable in case of trouble.

- Update to 26.0.1393

- Bug and stability fixes

- Security fixes

- Update to 26.0.1375

- Bug and stability fixes

- Update to 26.0.1371

- Bug and stability fixes

- Update to 26.0.1367

- Bug and stability fixes

Solution

Update the affected chromium packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=804986

https://lists.opensuse.org/opensuse-updates/2013-03/msg00045.html

Plugin Details

Severity: High

ID: 74920

File Name: openSUSE-2013-203.nasl

Version: 1.6

Type: local

Agent: unix

Published: 2014/06/13

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:chromedriver, p-cpe:/a:novell:opensuse:chromedriver-debuginfo, p-cpe:/a:novell:opensuse:chromium, p-cpe:/a:novell:opensuse:chromium-debuginfo, p-cpe:/a:novell:opensuse:chromium-debugsource, p-cpe:/a:novell:opensuse:chromium-desktop-gnome, p-cpe:/a:novell:opensuse:chromium-desktop-kde, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo, p-cpe:/a:novell:opensuse:chromium-ffmpegsumo-debuginfo, p-cpe:/a:novell:opensuse:chromium-suid-helper, p-cpe:/a:novell:opensuse:chromium-suid-helper-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/03/09

Reference Information

CVE: CVE-2013-0879, CVE-2013-0880, CVE-2013-0881, CVE-2013-0882, CVE-2013-0883, CVE-2013-0884, CVE-2013-0885, CVE-2013-0886, CVE-2013-0887, CVE-2013-0888, CVE-2013-0889, CVE-2013-0890, CVE-2013-0891, CVE-2013-0892, CVE-2013-0893, CVE-2013-0894, CVE-2013-0895, CVE-2013-0896, CVE-2013-0897, CVE-2013-0898, CVE-2013-0899, CVE-2013-0900