Security update for Chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2296-1 Final 1 1 2016-09-13T08:04:58Z current 2016-09-13T08:04:58Z 2016-09-13T08:04:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Chromium Chromium was updated to 53.0.2785.101 to fix a number of security issues and bugs. The following vulnerabilities were fixed: (boo#996648) - CVE-2016-5147: Universal XSS in Blink. - CVE-2016-5148: Universal XSS in Blink. - CVE-2016-5149: Script injection in extensions. - CVE-2016-5150: Use after free in Blink. - CVE-2016-5151: Use after free in PDFium. - CVE-2016-5152: Heap overflow in PDFium. - CVE-2016-5153: Use after destruction in Blink. - CVE-2016-5154: Heap overflow in PDFium. - CVE-2016-5155: Address bar spoofing. - CVE-2016-5156: Use after free in event bindings. - CVE-2016-5157: Heap overflow in PDFium. - CVE-2016-5158: Heap overflow in PDFium. - CVE-2016-5159: Heap overflow in PDFium. - CVE-2016-5161: Type confusion in Blink. - CVE-2016-5162: Extensions web accessible resources bypass. - CVE-2016-5163: Address bar spoofing. - CVE-2016-5164: Universal XSS using DevTools. - CVE-2016-5165: Script injection in DevTools. - CVE-2016-5166: SMB Relay Attack via Save Page As. - CVE-2016-5160: Extensions web accessible resources bypass. The following upstream fixes are included: - SPDY crasher fixes - Disable NV12 DXGI video on AMD - Forward --password-store switch to os_crypt - Tell the kernel to discard USB requests when they time out. - disallow WKBackForwardListItem navigations for pushState pages - arc: bluetooth: Fix advertised uuid - fix conflicting PendingIntent for stop button and swipe away A number of tracked build system fixes are included. (boo#996032, boo#99606, boo#995932) The following tracked regression fix is included: - Re-enable widevine plugin (boo#998328) rpmlint and rpmlint-mini were updated to work around a memory exhaustion problem with this package on 32 bit (boo#969732). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html E-Mail link for openSUSE-SU-2016:2296-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 chromedriver-53.0.2785.101-120.1 chromedriver-debuginfo-53.0.2785.101-120.1 chromium-53.0.2785.101-120.1 chromium-debuginfo-53.0.2785.101-120.1 chromium-desktop-gnome-53.0.2785.101-120.1 chromium-desktop-kde-53.0.2785.101-120.1 chromium-ffmpegsumo-53.0.2785.101-120.1 chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 rpmlint-1.5-39.4.1 rpmlint-mini-1.5-8.7.2 rpmlint-mini-debuginfo-1.5-8.7.2 rpmlint-mini-debugsource-1.5-8.7.2 chromedriver-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromedriver-debuginfo-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromium-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromium-debuginfo-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromium-desktop-gnome-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromium-desktop-kde-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromium-ffmpegsumo-53.0.2785.101-120.1 as a component of openSUSE 13.2 chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 as a component of openSUSE 13.2 rpmlint-1.5-39.4.1 as a component of openSUSE 13.2 rpmlint-mini-1.5-8.7.2 as a component of openSUSE 13.2 rpmlint-mini-debuginfo-1.5-8.7.2 as a component of openSUSE 13.2 rpmlint-mini-debugsource-1.5-8.7.2 as a component of openSUSE 13.2 Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles deferred page loads, which allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)." CVE-2016-5147 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5147.html CVE-2016-5147 https://bugzilla.suse.com/996648 SUSE Bug 996648 Cross-site scripting (XSS) vulnerability in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML via vectors related to widget updates, aka "Universal XSS (UXSS)." CVE-2016-5148 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5148.html CVE-2016-5148 https://bugzilla.suse.com/996648 SUSE Bug 996648 The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a resource that initially has the about:blank URL. CVE-2016-5149 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5149.html CVE-2016-5149 https://bugzilla.suse.com/996648 SUSE Bug 996648 WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, has an Indexed Database (aka IndexedDB) API implementation that does not properly restrict key-path evaluation, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted JavaScript code that leverages certain side effects. CVE-2016-5150 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5150.html CVE-2016-5150 https://bugzilla.suse.com/996648 SUSE Bug 996648 PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux mishandles timers, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted PDF document, related to fpdfsdk/javascript/JS_Object.cpp and fpdfsdk/javascript/app.cpp. CVE-2016-5151 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5151.html CVE-2016-5151 https://bugzilla.suse.com/996648 SUSE Bug 996648 Integer overflow in the opj_tcd_get_decoded_tile_size function in tcd.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data. CVE-2016-5152 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5152.html CVE-2016-5152 https://bugzilla.suse.com/996648 SUSE Bug 996648 The Web Animations implementation in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, improperly relies on list iteration, which allows remote attackers to cause a denial of service (use-after-destruction) or possibly have unspecified other impact via a crafted web site. CVE-2016-5153 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5153.html CVE-2016-5153 https://bugzilla.suse.com/996648 SUSE Bug 996648 Multiple heap-based buffer overflows in PDFium, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted JBig2 image. CVE-2016-5154 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5154.html CVE-2016-5154 https://bugzilla.suse.com/996648 SUSE Bug 996648 Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly validate access to the initial document, which allows remote attackers to spoof the address bar via a crafted web site. CVE-2016-5155 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5155.html CVE-2016-5155 https://bugzilla.suse.com/996648 SUSE Bug 996648 extensions/renderer/event_bindings.cc in the event bindings in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux attempts to process filtered events after failure to add an event matcher, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via unknown vectors. CVE-2016-5156 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5156.html CVE-2016-5156 https://bugzilla.suse.com/996648 SUSE Bug 996648 Heap-based buffer overflow in the opj_dwt_interleave_v function in dwt.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to execute arbitrary code via crafted coordinate values in JPEG 2000 data. CVE-2016-5157 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5157.html CVE-2016-5157 https://bugzilla.suse.com/996648 SUSE Bug 996648 Multiple integer overflows in the opj_tcd_init_tile function in tcd.c in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data. CVE-2016-5158 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5158.html CVE-2016-5158 https://bugzilla.suse.com/996648 SUSE Bug 996648 Multiple integer overflows in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data that is mishandled during opj_aligned_malloc calls in dwt.c and t1.c. CVE-2016-5159 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5159.html CVE-2016-5159 https://bugzilla.suse.com/996648 SUSE Bug 996648 The AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks, and trick users into changing extension settings, via a crafted web site, a different vulnerability than CVE-2016-5162. CVE-2016-5160 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5160.html CVE-2016-5160 https://bugzilla.suse.com/996648 SUSE Bug 996648 The EditingStyle::mergeStyle function in WebKit/Source/core/editing/EditingStyle.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles custom properties, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that leverages "type confusion" in the StylePropertySerializer class. CVE-2016-5161 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5161.html CVE-2016-5161 https://bugzilla.suse.com/996648 SUSE Bug 996648 The AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks, and trick users into changing extension settings, via a crafted web site, a different vulnerability than CVE-2016-5160. CVE-2016-5162 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5162.html CVE-2016-5162 https://bugzilla.suse.com/996648 SUSE Bug 996648 The bidirectional-text implementation in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not ensure left-to-right (LTR) rendering of URLs, which allows remote attackers to spoof the address bar via crafted right-to-left (RTL) Unicode text, related to omnibox/SuggestionView.java and omnibox/UrlBar.java in Chrome for Android. CVE-2016-5163 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5163.html CVE-2016-5163 https://bugzilla.suse.com/996648 SUSE Bug 996648 Cross-site scripting (XSS) vulnerability in WebKit/Source/platform/v8_inspector/V8Debugger.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML into the Developer Tools (aka DevTools) subsystem via a crafted web site, aka "Universal XSS (UXSS)." CVE-2016-5164 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5164.html CVE-2016-5164 https://bugzilla.suse.com/996648 SUSE Bug 996648 Cross-site scripting (XSS) vulnerability in the Developer Tools (aka DevTools) subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux allows remote attackers to inject arbitrary web script or HTML via the settings parameter in a chrome-devtools-frontend.appspot.com URL's query string. CVE-2016-5165 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5165.html CVE-2016-5165 https://bugzilla.suse.com/996648 SUSE Bug 996648 The download implementation in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly restrict saving a file:// URL that is referenced by an http:// URL, which makes it easier for user-assisted remote attackers to discover NetNTLM hashes and conduct SMB relay attacks via a crafted web page that is accessed with the "Save page as" menu choice. CVE-2016-5166 openSUSE 13.2:chromedriver-53.0.2785.101-120.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-53.0.2785.101-120.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.101-120.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.101-120.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.101-120.1 openSUSE 13.2:rpmlint-1.5-39.4.1 openSUSE 13.2:rpmlint-mini-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debuginfo-1.5-8.7.2 openSUSE 13.2:rpmlint-mini-debugsource-1.5-8.7.2 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00008.html https://www.suse.com/security/cve/CVE-2016-5166.html CVE-2016-5166 https://bugzilla.suse.com/996648 SUSE Bug 996648