SB2017051641 - Fedora 26 update for chromium, chromium-native_client

Description

This security bulletin contains information about 13 vulnerabilities.

1) Race condition (CVE-ID: CVE-2017-5068)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a race condition in WebRTC when processing web pages. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

2) Type confusion (CVE-ID: CVE-2017-5057)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in PDFium. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

3) Use-after-free (CVE-ID: CVE-2017-5058)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error in Print Preview. A remote attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

4) Type confusion (CVE-ID: CVE-2017-5059)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in Blink within the processing of list item markers. A remote attacker can create a specially crafted web page, trigger a type confusion condition by manipulating a document's elements and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

5) URL spoofing (CVE-ID: CVE-2017-5060)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to spoof URLs.

The vulnerability exists due to an error in Omnibox. A remote attacker can spoof URLs.

6) URL spoofing (CVE-ID: CVE-2017-5061)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to spoof URLs.

The vulnerability exists due to an error in Omnibox. A remote attacker can spoof URLs.

7) Use-after-free (CVE-ID: CVE-2017-5062)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error in Chrome Apps. A remote attacker can trigger potentially exploitable browser crash.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

8) Heap-based buffer overflow (CVE-ID: CVE-2017-5063)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Skia. A remote attacker can trigger potentially exploitable browser crash via heap-based buffer overflow.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

9) Use-after-free (CVE-ID: CVE-2017-5064)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error in Blink. A remote attacker can trigger potentially exploitable browser crash.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

10) Security bypass (CVE-ID: CVE-2017-5065)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error related to incorrect UI in Blink.

11) Security bypass (CVE-ID: CVE-2017-5066)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error related to incorrect signature handing in Networking.

12) URL spoofing (CVE-ID: CVE-2017-5067)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to spoof URLs.

The vulnerability exists due to an error in Omnibox. A remote attacker can spoof URLs.

13) Cross-origin bypass (CVE-ID: CVE-2017-5069)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Blink. A remote attacker can bypass same origin policy restrictions and access potentially sensitive information.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2017-811133dc2c