Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2310-1 Final 1 1 2016-09-14T21:28:48Z current 2016-09-14T21:28:48Z 2016-09-14T21:28:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium Chromium was updated to 53.0.2785.113 to fix a number of security issues and bugs. The following vulnerabilities were fixed: - CVE-2016-5170: Use after free in Blink - CVE-2016-5171: Use after free in Blink - CVE-2016-5172: Arbitrary Memory Read in v8 - CVE-2016-5173: Extension resource access - CVE-2016-5174: Popup not correctly suppressed - CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html E-Mail link for openSUSE-SU-2016:2310-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 chromedriver-53.0.2785.113-123.1 chromedriver-debuginfo-53.0.2785.113-123.1 chromium-53.0.2785.113-123.1 chromium-debuginfo-53.0.2785.113-123.1 chromium-desktop-gnome-53.0.2785.113-123.1 chromium-desktop-kde-53.0.2785.113-123.1 chromium-ffmpegsumo-53.0.2785.113-123.1 chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 chromedriver-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromedriver-debuginfo-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromium-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromium-debuginfo-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromium-desktop-gnome-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromium-desktop-kde-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromium-ffmpegsumo-53.0.2785.113-123.1 as a component of openSUSE 13.2 chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 as a component of openSUSE 13.2 WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as used in Google Chrome before 53.0.2785.113, does not properly consider getter side effects during array key conversion, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Indexed Database (aka IndexedDB) API calls. CVE-2016-5170 openSUSE 13.2:chromedriver-53.0.2785.113-123.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-53.0.2785.113-123.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5170.html CVE-2016-5170 https://bugzilla.suse.com/998743 SUSE Bug 998743 WebKit/Source/bindings/templates/interface.cpp in Blink, as used in Google Chrome before 53.0.2785.113, does not prevent certain constructor calls, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted JavaScript code. CVE-2016-5171 openSUSE 13.2:chromedriver-53.0.2785.113-123.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-53.0.2785.113-123.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5171.html CVE-2016-5171 https://bugzilla.suse.com/998743 SUSE Bug 998743 The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. CVE-2016-5172 openSUSE 13.2:chromedriver-53.0.2785.113-123.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-53.0.2785.113-123.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5172.html CVE-2016-5172 https://bugzilla.suse.com/998743 SUSE Bug 998743 The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack. CVE-2016-5173 openSUSE 13.2:chromedriver-53.0.2785.113-123.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-53.0.2785.113-123.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5173.html CVE-2016-5173 https://bugzilla.suse.com/998743 SUSE Bug 998743 browser/ui/cocoa/browser_window_controller_private.mm in Google Chrome before 53.0.2785.113 does not process fullscreen toggle requests during a fullscreen transition, which allows remote attackers to cause a denial of service (unsuppressed popup) via a crafted web site. CVE-2016-5174 openSUSE 13.2:chromedriver-53.0.2785.113-123.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-53.0.2785.113-123.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5174.html CVE-2016-5174 https://bugzilla.suse.com/998743 SUSE Bug 998743 Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785.113 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2016-5175 openSUSE 13.2:chromedriver-53.0.2785.113-123.1 openSUSE 13.2:chromedriver-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-53.0.2785.113-123.1 openSUSE 13.2:chromium-debuginfo-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-gnome-53.0.2785.113-123.1 openSUSE 13.2:chromium-desktop-kde-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-53.0.2785.113-123.1 openSUSE 13.2:chromium-ffmpegsumo-debuginfo-53.0.2785.113-123.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5175.html CVE-2016-5175 https://bugzilla.suse.com/998743 SUSE Bug 998743