SB2017072706 - Arch Linux update for chromium
Published: July 27, 2017 Updated: June 14, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 20 secuirty vulnerabilities.
1) Use-after-free error (CVE-ID: CVE-2017-5091)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to use-after free error in IndexedDB. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Use-after-free error (CVE-ID: CVE-2017-5092)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to use-after free error in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Spoofing attack (CVE-ID: CVE-2017-5093)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
4) Type confusion (CVE-ID: CVE-2017-5094)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to type confusion in extensions. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) Out-of-bounds write (CVE-ID: CVE-2017-5095)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to out-of-bounds write in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
6) Out-of-bounds read (CVE-ID: CVE-2017-5097)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.The weakness exists due to out-of-bounds read in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and read important files on the system.
Successful exploitation of the vulnerability results in information disclosure.
7) Use-after-free error (CVE-ID: CVE-2017-5098)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to use-after free error in V8. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
8) Out-of-bounds write (CVE-ID: CVE-2017-5099)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to out-of-bounds write in PPAPI. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
9) Use-after-free error (CVE-ID: CVE-2017-5100)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to use-after free error in Chrome Apps. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
10) Spoofing attack (CVE-ID: CVE-2017-5101)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
11) Security restrictions bypass (CVE-ID: CVE-2017-5102)
The vulnerability allows a remote attacker to bypass security restrictions.The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.
12) Security restrictions bypass (CVE-ID: CVE-2017-5103)
The vulnerability allows a remote attacker to bypass security restrictions.The weakness exists due to uninitialized use in Skia. A remote attacker can trick the victim into visiting a specially crafted web page and gain access to the system.
13) Spoofing attack (CVE-ID: CVE-2017-5104)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in browser. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
14) Spoofing attack (CVE-ID: CVE-2017-5105)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
15) Spoofing attack (CVE-ID: CVE-2017-5106)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to URL spoofing in OmniBox. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
16) Memory leak (CVE-ID: CVE-2017-5107)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.The weakness exists due to memory leak via SVG. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
17) Type confusion (CVE-ID: CVE-2017-5108)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.The weakness exists due to type confusion in PDFium. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
18) Spoofing attack (CVE-ID: CVE-2017-5109)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in browser. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
19) Spoofing attack (CVE-ID: CVE-2017-5110)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to UI spoofing in payments dialog. A remote attacker can create a specially crafted web page, trick the victim into visiting it and conduct domain spoofing attacks.
Successful exploitation of the vulnerability results in address spoofing.
20) Information disclosure (CVE-ID: CVE-2017-7000)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the system.The weakness exists due to pointer disclosure in SQLite. A remote attacker can trick the victim into visiting a specially crafted web page and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Remediation
Install update from vendor's website.