Debian DSA-3810-1 : chromium-browser - security update

Medium Nessus Plugin ID 97783

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 8.9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2017-5029 Holger Fuhrmannek discovered an integer overflow issue in the libxslt library.

- CVE-2017-5030 Brendon Tiszka discovered a memory corruption issue in the v8 JavaScript library.

- CVE-2017-5031 Looben Yang discovered a use-after-free issue in the ANGLE library.

- CVE-2017-5032 Ashfaq Ansari discovered an out-of-bounds write in the pdfium library.

- CVE-2017-5033 Nicolai Grodum discovered a way to bypass the Content Security Policy.

- CVE-2017-5034 Ke Liu discovered an integer overflow issue in the pdfium library.

- CVE-2017-5035 Enzo Aguado discovered an issue with the omnibox.

- CVE-2017-5036 A use-after-free issue was discovered in the pdfium library.

- CVE-2017-5037 Yongke Wang discovered multiple out-of-bounds write issues.

- CVE-2017-5038 A use-after-free issue was discovered in the guest view.

- CVE-2017-5039 jinmo123 discovered a use-after-free issue in the pdfium library.

- CVE-2017-5040 Choongwoo Han discovered an information disclosure issue in the v8 JavaScript library.

- CVE-2017-5041 Jordi Chancel discovered an address spoofing issue.

- CVE-2017-5042 Mike Ruddy discovered incorrect handling of cookies.

- CVE-2017-5043 Another use-after-free issue was discovered in the guest view.

- CVE-2017-5044 Kushal Arvind Shah discovered a heap overflow issue in the skia library.

- CVE-2017-5045 Dhaval Kapil discovered an information disclosure issue.

- CVE-2017-5046 Masato Kinugawa discovered an information disclosure issue.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (jessie), these problems have been fixed in version 57.0.2987.98-1~deb8u1.

For the upcoming stable (stretch) and unstable (sid) distributions, these problems have been fixed in version 57.0.2987.98-1.

See Also

https://security-tracker.debian.org/tracker/CVE-2017-5029

https://security-tracker.debian.org/tracker/CVE-2017-5030

https://security-tracker.debian.org/tracker/CVE-2017-5031

https://security-tracker.debian.org/tracker/CVE-2017-5032

https://security-tracker.debian.org/tracker/CVE-2017-5033

https://security-tracker.debian.org/tracker/CVE-2017-5034

https://security-tracker.debian.org/tracker/CVE-2017-5035

https://security-tracker.debian.org/tracker/CVE-2017-5036

https://security-tracker.debian.org/tracker/CVE-2017-5037

https://security-tracker.debian.org/tracker/CVE-2017-5038

https://security-tracker.debian.org/tracker/CVE-2017-5039

https://security-tracker.debian.org/tracker/CVE-2017-5040

https://security-tracker.debian.org/tracker/CVE-2017-5041

https://security-tracker.debian.org/tracker/CVE-2017-5042

https://security-tracker.debian.org/tracker/CVE-2017-5043

https://security-tracker.debian.org/tracker/CVE-2017-5044

https://security-tracker.debian.org/tracker/CVE-2017-5045

https://security-tracker.debian.org/tracker/CVE-2017-5046

https://packages.debian.org/source/jessie/chromium-browser

https://www.debian.org/security/2017/dsa-3810

Plugin Details

Severity: Medium

ID: 97783

File Name: debian_DSA-3810.nasl

Version: 3.13

Type: local

Agent: unix

Published: 2017/03/17

Updated: 2020/09/23

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 8.9

CVSS v2.0

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/03/15

Vulnerability Publication Date: 2017/04/24

Reference Information

CVE: CVE-2017-5029, CVE-2017-5030, CVE-2017-5031, CVE-2017-5032, CVE-2017-5033, CVE-2017-5034, CVE-2017-5035, CVE-2017-5036, CVE-2017-5037, CVE-2017-5038, CVE-2017-5039, CVE-2017-5040, CVE-2017-5041, CVE-2017-5042, CVE-2017-5043, CVE-2017-5044, CVE-2017-5045, CVE-2017-5046

DSA: 3810