Security update for Chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0909-1 Final 1 1 2017-04-01T16:49:09Z current 2017-04-01T16:49:09Z 2017-04-01T16:49:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Chromium This update to Chromium 57.0.2987.133 fixes the following issues (boo#1031677): - CVE-2017-5055: Use after free in printing - CVE-2017-5054: Heap buffer overflow in V8 - CVE-2017-5052: Bad cast in Blink - CVE-2017-5056: Use after free in Blink - CVE-2017-5053: Out of bounds memory access in V8 The following packaging changes are included: - No longer claim to provide browser(npapi) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-420 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U/#YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U E-Mail link for openSUSE-SU-2017:0909-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1031677 SUSE Bug 1031677 https://www.suse.com/security/cve/CVE-2017-5052/ SUSE CVE CVE-2017-5052 page https://www.suse.com/security/cve/CVE-2017-5053/ SUSE CVE CVE-2017-5053 page https://www.suse.com/security/cve/CVE-2017-5054/ SUSE CVE CVE-2017-5054 page https://www.suse.com/security/cve/CVE-2017-5055/ SUSE CVE CVE-2017-5055 page https://www.suse.com/security/cve/CVE-2017-5056/ SUSE CVE CVE-2017-5056 page SUSE Package Hub 12 SP2 chromedriver-57.0.2987.133-11.1 chromium-57.0.2987.133-11.1 chromedriver-57.0.2987.133-11.1 as a component of SUSE Package Hub 12 SP2 chromium-57.0.2987.133-11.1 as a component of SUSE Package Hub 12 SP2 An incorrect assumption about block structure in Blink in Google Chrome prior to 57.0.2987.133 for Mac, Windows, and Linux, and 57.0.2987.132 for Android, allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page that triggers improper casting. CVE-2017-5052 SUSE Package Hub 12 SP2:chromedriver-57.0.2987.133-11.1 SUSE Package Hub 12 SP2:chromium-57.0.2987.133-11.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U/#YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U https://www.suse.com/security/cve/CVE-2017-5052.html CVE-2017-5052 https://bugzilla.suse.com/1031677 SUSE Bug 1031677 An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 for Linux, Windows, and Mac, and 57.0.2987.132 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, related to Array.prototype.indexOf. CVE-2017-5053 SUSE Package Hub 12 SP2:chromedriver-57.0.2987.133-11.1 SUSE Package Hub 12 SP2:chromium-57.0.2987.133-11.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U/#YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U https://www.suse.com/security/cve/CVE-2017-5053.html CVE-2017-5053 https://bugzilla.suse.com/1031677 SUSE Bug 1031677 An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 for Linux, Windows, and Mac, and 57.0.2987.132 for Android, allowed a remote attacker to obtain heap memory contents via a crafted HTML page. CVE-2017-5054 SUSE Package Hub 12 SP2:chromedriver-57.0.2987.133-11.1 SUSE Package Hub 12 SP2:chromium-57.0.2987.133-11.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U/#YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U https://www.suse.com/security/cve/CVE-2017-5054.html CVE-2017-5054 https://bugzilla.suse.com/1031677 SUSE Bug 1031677 A use after free in printing in Google Chrome prior to 57.0.2987.133 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2017-5055 SUSE Package Hub 12 SP2:chromedriver-57.0.2987.133-11.1 SUSE Package Hub 12 SP2:chromium-57.0.2987.133-11.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U/#YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U https://www.suse.com/security/cve/CVE-2017-5055.html CVE-2017-5055 https://bugzilla.suse.com/1031677 SUSE Bug 1031677 A use after free in Blink in Google Chrome prior to 57.0.2987.133 for Linux, Windows, and Mac, and 57.0.2987.132 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2017-5056 SUSE Package Hub 12 SP2:chromedriver-57.0.2987.133-11.1 SUSE Package Hub 12 SP2:chromium-57.0.2987.133-11.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U/#YYKZ3STA6DNOFJBTBXMG4QNPXCHQVR4U https://www.suse.com/security/cve/CVE-2017-5056.html CVE-2017-5056 https://bugzilla.suse.com/1031677 SUSE Bug 1031677