Google Chrome < 52.0.2743.82 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9480

Synopsis

The remote host is utilizing a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 52.0.2743.82 and is affected by multiple vulnerabilities:

- An out-of-bounds read flaw in the 'xmlParseEndTag2()' function in 'parser.c' is triggered when parsing an end tag. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw in the 'xmlNextChar()' function in 'parserInternals.c' is triggered when parsing characters in an XML file. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An overflow condition in the 'htmlParseName()' and 'htmlParseNameComplex()' functions of 'HTMLparser.c' is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- An integer overflow condition in the 'xmlParse3986Port()' function in 'uri.c' is triggered as user-supplied input is not properly validated when handling port numbers in the URL. This may allow a context-dependent attacker to have an unspecified impact.
- An out-of-bounds under-read flaw in the 'xmlParseConditionalSections()' and 'xmlParseElementDecl()' functions in 'parser.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A format string flaw in multiple functionalities is triggered as string format specifiers (e.g. %s and %x) are not properly used. This may allow a context-dependent attacker to potentially execute arbitrary code or cause a denial of service in a process linked against the library.
- An out-of-bounds read flaw in the 'PairPosFormat1::sanitize()' function in 'hb-ot-layout-gpos-table.hh' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw in 'PPAPI' is triggered when handling certain messages not sent by the browser in the plugin broker process. This may allow a context-dependent attacker to bypass the sandbox.
- A flaw in 'web/web_state/ui/crw_web_controller.mm' is triggered when handling invalid URLs. This may allow a context-dependent attacker to conduct URL spoofing attacks.
- A use-after-free error related to extensions may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An array indexing error in the 'ByteArray::Get()' function in 'data/byte_array.cc' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- A flaw in 'web/ChromeClientImpl.cpp' is triggered when handling creation of new windows by deferred frames. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw in 'core/loader/FrameLoader.cpp' is triggered when handling frame navigations during 'DocumentLoader' detach. This may allow a context-dependent attacker to bypass the same-origin policy.
- A use-after-free error in the 'previousLinePosition()' function in 'core/editing/VisibleUnits.cpp' may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw may allow a context-dependent attacker to bypass the same-origin policy. No further details have been provided by the vendor.
- A flaw is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and cause a denial of service in a process linked against the library or potentially execute arbitrary code.
- A flaw in the 'HistoryController::UpdateForCommit()' function in 'content/renderer/history_controller.cc' is triggered when handling two forward navigations that compete in different frames. This may allow a context-dependent attacker to perform URL spoofing attacks.
- A use-after-free error in the 'xmlXPtrRangeToFunction()' function in 'libxml/src/xpointer.c' may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw related to 'Service Workers' is triggered when handling subframes of an insecure context. This may allow a context-dependent attacker to perform a limited bypass of the same-origin policy.
- A flaw related to proxy authentication is triggered when handling origins. This may allow a context-dependent attacker to spoof the proxy server origin.
- A flaw is triggered as 'https://' URLs are not properly sanitized before being passed to PAC scripts. This may allow a context-dependent attacker to leak URLs.
- A flaw exists in 'html/parser/HTMLPreloadScanner.cpp' related to the handling of referrer policies. This may allow a context-dependent attacker to bypass the content security policy (CSP).
- A use-after-free error in 'extensions/renderer/user_script_injector.cc' is triggered when handling 'UserScript' pointers. This may allow a malicious extension to dereference already freed memory and potentially execute arbitrary code with elevated privileges.
- A flaw exists in the 'CSPSource::portMatches()' function in 'frame/csp/CSPSource.cpp' related to HSTS and CSP when handling HTTP vs HTTPS ports in source expressions. This may allow a context-dependent attacker to disclose browsing history information.
- A flaw in the 'LayoutBox::removeFloatingOrPositionedChildFromBlockLists()' function in 'core/layout/LayoutBox.cpp' is triggered when handling 'LayoutView' floats. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw in the 'Resource::canUseCacheValidator()' function in 'core/fetch/Resource.cpp' is triggered when revalidating 'Resource' with redirects. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw in the 'Resource::willFollowRedirect()' function in 'core/fetch/Resource.cpp' is triggered when handling redirect responses while revalidating resources. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw in 'net/url_request/sdch_dictionary_fetcher.cc' is triggered when handling dictionary requests failing after receiving data. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw in the 'ShapeResultSpacing::computeSpacing()' function in 'platform/fonts/shaping/ShapeResultSpacing.cpp' is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw in the 'Channel::Message::Deserialize()' function in 'mojo/edk/system/channel.cc' is triggered when handling header sizes in channel messages. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An unspecified flaw in the 'Font::individualCharacterRanges()' function in 'platform/fonts/Font.cpp' may allow a context-dependent attacker to have an unspecified impact.
- An out-of-bounds read flaw in the 'WebRtcIsacfix_PitchFilter()' and 'WebRtcIsacfix_PitchFilterGains()' functions in 'modules/audio_coding/codecs/isac/fix/source/pitch_filter.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw exists in 'org/chromium/chrome/browser/toolbar/CustomTabToolbarAnimationDelegate.java' due to the program failing to properly load security icons on custom HTTP connection tabs. This may allow a context-dependent attacker to spoof valid icons.
- An integer overflow condition in the 'SkLinearGradient::LinearGradientContext::shade4_dx_clamp()' function in 'effects/gradients/SkLinearGradient.cpp' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact.
- An invalid read flaw in the 'setup_frame_size_with_refs()' function in 'vp9/decoder/vp9_decodeframe.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An unspecified flaw exists within 'extensions' that is triggered during the handling of 'NativeMessaging' IDs. This may allow a context-dependent attacker to have an unspecified impact.
- An out-of-bounds read flaw in the 'HTMLMenuItemElement::defaultEventHandler()' function in 'core/html/HTMLMenuItemElement.cpp' may allow a context-dependent attacker to potentially disclose memory contents.
- An unspecified flaw in 'core/SkDraw.cpp' is triggered during the handling of unusual coordinates on text drawings. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An unspecified flaw in the 'PseudoTcp::parse()' function in 'p2p/base/pseudotcp.cc' is triggered during the handling of header sizes. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An unspecified flaw in the 'GURL::ReplaceComponents()' function in 'url/gurl.cc' is triggered during inner URL creation. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.

Solution

Update the Chrome browser to 52.0.2743.82 or later.
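The check behind this plugin is a version comparison against 52.0.2743.82. The example below is added here and is not Tenable's plugin code: it parses the four-component version Chrome prints from `--version`, compares it numerically (a plain string comparison gets later builds such as 52.0.2743.116 wrong because "1" sorts before "8"), and optionally probes a local binary. The binary names and the sample version strings are assumptions constructed for the example, not output from a real scan.

```python
import re
import shutil
import subprocess

# First build that carries the fixes (from the Solution section of this advisory).
FIXED_VERSION = "52.0.2743.82"

# Chrome reports a four-component version, e.g. "Google Chrome 51.0.2704.106".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Pull the first dotted version out of `text` and return it as a 4-tuple of ints.

    Returns None when no version is present, so a caller can tell "Chrome not found"
    apart from "old Chrome". Short versions are right-padded with zeros ("52.0" ->
    (52, 0, 0, 0)) so tuples of equal length compare component by component.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(installed, fixed=FIXED_VERSION):
    """True when `installed` is strictly older than `fixed`, compared numerically.

    Plain string comparison is wrong here: "52.0.2743.116" < "52.0.2743.82" as strings
    because '1' < '8', although build 116 is the newer one.
    """
    inst = parse_version(installed)
    if inst is None:
        raise ValueError("no version string in %r" % (installed,))
    return inst < parse_version(fixed)


def installed_chrome_version():
    """Best-effort probe of a local Chrome/Chromium binary via `--version`.

    Returns the raw output, or None when no binary is on PATH or it fails to run.
    The binary names are the common Linux/macOS ones (an assumption, not from the page).
    """
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path is None:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and parse_version(out.stdout) is not None:
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed sample `--version` outputs; not taken from a real host.
    samples = [
        "Google Chrome 51.0.2704.106",   # older than the fix: affected
        "Google Chrome 52.0.2743.60",    # same major, older build: affected
        "Google Chrome 52.0.2743.82",    # the fixed build itself: not affected
        "Google Chrome 52.0.2743.116",   # later build: not affected (string compare would flag it)
    ]
    for s in samples:
        print("%-32s affected=%s" % (s, is_affected(s)))
    live = installed_chrome_version()
    if live is not None:
        print("%-32s affected=%s" % (live, is_affected(live)))
```

Padding short versions to four components keeps `parse_version("52.0")` comparable with a full build string; a real inventory should still treat a two-component version as suspect, since Chrome always reports four.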

See Also

http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

https://codereview.chromium.org/2010803004

Plugin Details

Severity: Critical

ID: 9480

Family: Web Clients

Published: 2016/08/12

Updated: 2019/03/06

Dependencies: 4645

Nessus ID: 92628, 92629

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2016/05/23

Vulnerability Publication Date: 2016/05/23

Reference Information

CVE: CVE-2015-8947, CVE-2016-1695, CVE-2016-1705, CVE-2016-1706, CVE-2016-1707, CVE-2016-1708, CVE-2016-1709, CVE-2016-1710, CVE-2016-1711, CVE-2016-1833, CVE-2016-1838, CVE-2016-1839, CVE-2016-4447, CVE-2016-4448, CVE-2016-5127, CVE-2016-5128, CVE-2016-5129, CVE-2016-5130, CVE-2016-5131, CVE-2016-5132, CVE-2016-5133, CVE-2016-5134, CVE-2016-5135, CVE-2016-5136, CVE-2016-5137

BID: 92039, 90864, 90856