{"id":"MGASA-2016-0274","summary":"Updated chromium-browser-stable packages fix security vulnerability","details":"Multiple unspecified vulnerabilities in chromium before 52.0.2743.82 allow\nattackers to cause a denial of service or possibly have other impact via\nunknown vectors. (CVE-2016-1705)\n\nThe PPAPI implementation in Chromium before 52.0.2743.82 does not validate\nthe origin of IPC messages to the plugin broker process that should have\ncome from the browser process, which allows remote attackers to bypass a\nsandbox protection mechanism via an unexpected message type, related to\nbroker_process_dispatcher.cc, ppapi_plugin_process_host.cc,\nppapi_thread.cc, and render_frame_message_filter.cc. (CVE-2016-1706)\n\nThe Chrome Web Store inline-installation implementation in the Extensions\nsubsystem in Chromium before 52.0.2743.82 does not properly consider\nobject lifetimes during progress observation, which allows remote\nattackers to cause a denial of service (use-after-free) or possibly have\nunspecified other impact via a crafted web site. (CVE-2016-1708)\n\nHeap-based buffer overflow in the ByteArray::Get method in\ndata/byte_array.cc in sfntly before 2016-06-10, as used in Chromium before\n52.0.2743.82, allows remote attackers to cause a denial of service or\npossibly have unspecified other impact via a crafted SFNT font.\n(CVE-2016-1709)\n\nThe ChromeClientImpl::createWindow method in\nWebKit/Source/web/ChromeClientImpl.cpp in Blink, as used in Chromium\nbefore 52.0.2743.82, does not prevent window creation by a deferred frame,\nwhich allows remote attackers to bypass the Same Origin Policy via a\ncrafted web site. (CVE-2016-1710)\n\nWebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Chromium\nbefore 52.0.2743.82, does not disable frame navigation during a detach\noperation on a DocumentLoader object, which allows remote attackers to\nbypass the Same Origin Policy via a crafted web site. (CVE-2016-1711)\n\nUse-after-free vulnerability in\nWebKit/Source/core/editing/VisibleUnits.cpp in Blink, as used in Chromium\nbefore 52.0.2743.82, allows remote attackers to cause a denial of service\nor possibly have unspecified other impact via crafted JavaScript code\ninvolving an @import at-rule in a Cascading Style Sheets (CSS) token\nsequence in conjunction with a rel=import attribute of a LINK element.\n(CVE-2016-5127)\n\nobjects.cc in V8 before 5.2.361.27, as used in Chromium before\n52.0.2743.82, does not prevent API interceptors from modifying a store\ntarget without setting a property, which allows remote attackers to bypass\nthe Same Origin Policy via a crafted web site. (CVE-2016-5128)\n\nV8 before 5.2.361.32, as used in Chromium before 52.0.2743.82, does not\nproperly process left-trimmed objects, which allows remote attackers to\ncause a denial of service (memory corruption) or possibly have unspecified\nother impact via crafted JavaScript code. (CVE-2016-5129)\n\ncontent/renderer/history_controller.cc in Chromium before 52.0.2743.82\ndoes not properly restrict multiple uses of a JavaScript forward method,\nwhich allows remote attackers to spoof the URL display via a crafted web\nsite. (CVE-2016-5130)\n\nThe Service Workers subsystem in Chromium before 52.0.2743.82 does not\nproperly implement the Secure Contexts specification during decisions\nabout whether to control a subframe, which allows remote attackers to\nbypass the Same Origin Policy via an https IFRAME element inside an http\nIFRAME element. (CVE-2016-5132)\n\nChromium before 52.0.2743.82 mishandles origin information during proxy\nauthentication, which allows man-in-the-middle attackers to spoof a\nproxy-authentication login prompt or trigger incorrect credential storage\nby modifying the client-server data stream. (CVE-2016-5133)\n\nnet/proxy/proxy_service.cc in the Proxy Auto-Config (PAC) feature in\nChromium before 52.0.2743.82 does not ensure that URL information is\nrestricted to a scheme, host, and port, which allows remote attackers to\ndiscover credentials by operating a server with a PAC script, a related\nissue to CVE-2016-3763. (CVE-2016-5134)\n\nWebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in\nChromium before 52.0.2743.82, does not consider referrer-policy\ninformation inside an HTML document during a preload request, which allows\nremote attackers to bypass the Content Security Policy (CSP) protection\nmechanism via a crafted web site, as demonstrated by a\n\"Content-Security-Policy: referrer origin-when-cross-origin\" header that\noverrides a \"\u003cMETA name='referrer' content='no-referrer'\u003e\" element.\n(CVE-2016-5135)\n\nUse-after-free vulnerability in\nextensions/renderer/user_script_injector.cc in the Extensions subsystem in\nChromium before 52.0.2743.82 allows remote attackers to cause a denial of\nservice or possibly have unspecified other impact via vectors related to\nscript deletion. (CVE-2016-5136)\n\nThe CSPSource::schemeMatches function in\nWebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy\n(CSP) implementation in Blink, as used in Chromium before 52.0.2743.82,\ndoes not apply http :80 policies to https :443 URLs and does not apply ws\n:80 policies to wss :443 URLs, which makes it easier for remote attackers\nto determine whether a specific HSTS web site has been visited by reading\na CSP report. NOTE: this vulnerability is associated with a specification\nchange after CVE-2016-1617 resolution. (CVE-2016-5137)\n","modified":"2026-02-04T02:22:58.465513Z","published":"2016-08-03T10:57:01Z","related":["CVE-2016-1705","CVE-2016-1706","CVE-2016-1708","CVE-2016-1709","CVE-2016-1710","CVE-2016-1711","CVE-2016-5127","CVE-2016-5128","CVE-2016-5129","CVE-2016-5130","CVE-2016-5133","CVE-2016-5134","CVE-2016-5135","CVE-2016-5136","CVE-2016-5137"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0274.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=19007"},{"type":"REPORT","url":"http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html"}],"affected":[{"package":{"name":"chromium-browser-stable","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/chromium-browser-stable?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"52.0.2743.82-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0274.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}