{"id":"MGASA-2016-0309","summary":"Updated chromium-browser-stable packages fix security vulnerability","details":"Blink, as used in Chromium before 53.0.2785.89 on Windows and OS X and\nbefore 53.0.2785.92 on Linux, mishandles deferred page loads, which\nallows remote attackers to inject arbitrary web script or HTML via a\ncrafted web site, aka \"Universal XSS (UXSS).\" (CVE-2016-5147)\n\nCross-site scripting (XSS) vulnerability in Blink, as used in Chromium\nbefore 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on\nLinux, allows remote attackers to inject arbitrary web script or HTML\nvia vectors related to widget updates, aka \"Universal XSS (UXSS).\"\n(CVE-2016-5148)\n\nThe extensions subsystem in Chromium before 53.0.2785.89 on Windows and\nOS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to\nidentify an associated extension, which allows remote attackers to\nconduct extension-bindings injection attacks by leveraging script access\nto a resource that initially has the about:blank URL. (CVE-2016-5149)\n\nWebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as\nused in Chromium before 53.0.2785.89 on Windows and OS X and before\n53.0.2785.92 on Linux, has an Indexed Database (aka IndexedDB) API\nimplementation that does not properly restrict key-path evaluation,\nwhich allows remote attackers to cause a denial of service\n(use-after-free) or possibly have unspecified other impact via crafted\nJavaScript code that leverages certain side effects. (CVE-2016-5150)\n\nPDFium in Chromium before 53.0.2785.89 on Windows and OS X and before\n53.0.2785.92 on Linux mishandles timers, which allows remote attackers\nto cause a denial of service (use-after-free) or possibly have\nunspecified other impact via a crafted PDF document, related to\nfpdfsdk/javascript/JS_Object.cpp and fpdfsdk/javascript/app.cpp.\n(CVE-2016-5151)\n\nInteger overflow in the opj_tcd_get_decoded_tile_size function in tcd.c\nin OpenJPEG, as used in PDFium in Chromium before 53.0.2785.89 on\nWindows and OS X and before 53.0.2785.92 on Linux, allows remote\nattackers to cause a denial of service (heap-based buffer overflow) or\npossibly have unspecified other impact via crafted JPEG 2000 data.\n(CVE-2016-5152)\n\nThe Web Animations implementation in Blink, as used in Chromium before\n53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux,\nimproperly relies on list iteration, which allows remote attackers to\ncause a denial of service (use-after-destruction) or possibly have\nunspecified other impact via a crafted web site. (CVE-2016-5153)\n\nMultiple heap-based buffer overflows in PDFium, as used in Chromium\nbefore 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on\nLinux, allow remote attackers to cause a denial of service or possibly\nhave unspecified other impact via a crafted JBig2 image. (CVE-2016-5154)\n\nChromium before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92\non Linux does not properly validate access to the initial document,\nwhich allows remote attackers to spoof the address bar via a crafted web\nsite. (CVE-2016-5155)\n\nextensions/renderer/event_bindings.cc in the event bindings in Chromium\nbefore 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux\nattempts to process filtered events after failure to add an event\nmatcher, which allows remote attackers to cause a denial of service\n(use-after-free) or possibly have unspecified other impact via unknown\nvectors. (CVE-2016-5156)\n\nHeap-based buffer overflow in the opj_dwt_interleave_v function in dwt.c\nin OpenJPEG, as used in PDFium in Chromium before 53.0.2785.89 on\nWindows and OS X and before 53.0.2785.92 on Linux, allows remote\nattackers to execute arbitrary code via crafted coordinate values in\nJPEG 2000 data. (CVE-2016-5157)\n\nMultiple integer overflows in the opj_tcd_init_tile function in tcd.c in\nOpenJPEG, as used in PDFium in Chromium before 53.0.2785.89 on Windows\nand OS X and before 53.0.2785.92 on Linux, allow remote attackers to\ncause a denial of service (heap-based buffer overflow) or possibly have\nunspecified other impact via crafted JPEG 2000 data. (CVE-2016-5158)\n\nMultiple integer overflows in OpenJPEG, as used in PDFium in Chromium\nbefore 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on\nLinux, allow remote attackers to cause a denial of service (heap-based\nbuffer overflow) or possibly have unspecified other impact via crafted\nJPEG 2000 data that is mishandled during opj_aligned_malloc calls in\ndwt.c and t1.c. (CVE-2016-5159)\n\nThe AllowCrossRendererResourceLoad function in\nextensions/browser/url_request_util.cc in Chromium before 53.0.2785.89\non Windows and OS X and before 53.0.2785.92 on Linux does not properly\nuse an extension's manifest.json web_accessible_resources field for\nrestrictions on IFRAME elements, which makes it easier for remote\nattackers to conduct clickjacking attacks, and trick users into changing\nextension settings, via a crafted web site, a different vulnerability\nthan CVE-2016-5162. (CVE-2016-5160)\n\nThe EditingStyle::mergeStyle function in\nWebKit/Source/core/editing/EditingStyle.cpp in Blink, as used in\nChromium before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92\non Linux, mishandles custom properties, which allows remote attackers to\ncause a denial of service or possibly have unspecified other impact via\na crafted web site that leverages \"type confusion\" in the\nStylePropertySerializer class. (CVE-2016-5161)\n\nThe AllowCrossRendererResourceLoad function in\nextensions/browser/url_request_util.cc in Chromium before 53.0.2785.89\non Windows and OS X and before 53.0.2785.92 on Linux does not properly\nuse an extension's manifest.json web_accessible_resources field for\nrestrictions on IFRAME elements, which makes it easier for remote\nattackers to conduct clickjacking attacks, and trick users into changing\nextension settings, via a crafted web site, a different vulnerability\nthan CVE-2016-5160. (CVE-2016-5162)\n\nThe bidirectional-text implementation in Chromium before 53.0.2785.89 on\nWindows and OS X and before 53.0.2785.92 on Linux does not ensure\nleft-to-right (LTR) rendering of URLs, which allows remote attackers to\nspoof the address bar via crafted right-to-left (RTL) Unicode text,\nrelated to omnibox/SuggestionView.java and omnibox/UrlBar.java in Chrome\nfor Android. (CVE-2016-5163)\n\nCross-site scripting (XSS) vulnerability in\nWebKit/Source/platform/v8_inspector/V8Debugger.cpp in Blink, as used in\nChromium before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92\non Linux, allows remote attackers to inject arbitrary web script or HTML\ninto the Developer Tools (aka DevTools) subsystem via a crafted web\nsite, aka \"Universal XSS (UXSS).\" (CVE-2016-5164)\n\nCross-site scripting (XSS) vulnerability in the Developer Tools (aka\nDevTools) subsystem in Chromium before 53.0.2785.89 on Windows and OS X\nand before 53.0.2785.92 on Linux allows remote attackers to inject\narbitrary web script or HTML via the settings parameter in a\nchrome-devtools-frontend.appspot.com URL's query string. (CVE-2016-5165)\n\nThe download implementation in Chromium before 53.0.2785.89 on Windows\nand OS X and before 53.0.2785.92 on Linux does not properly restrict\nsaving a file:// URL that is referenced by an http:// URL, which makes\nit easier for user-assisted remote attackers to discover NetNTLM hashes\nand conduct SMB relay attacks via a crafted web page that is accessed\nwith the \"Save page as\" menu choice. (CVE-2016-5166)\n\nMultiple unspecified vulnerabilities in Chromium before 53.0.2785.89 on\nWindows and OS X and before 53.0.2785.92 on Linux allow attackers to\ncause a denial of service or possibly have other impact via unknown\nvectors. (CVE-2016-5167)\n\nWebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as\nused in Chromium before 53.0.2785.113, has an Indexed Database (aka\nIndexedDB) API implementation that inspects properties not owned by the\narray when converting an array to a key, resulting in side effects and a\npotential use-after-free problem. (CVE-2016-5170)\n\nBlink, as used in Chromium before 53.0.2785.113, allowed its\nWindowProperties constructor to be called from javascript, resulting in\na potential use-after-free problem. (CVE-2016-5171)\n\nChromium before 53.0.2785.113 exhibits three more separate issues:\narbitrary Memory Read in v8 (CVE-2016-5172), extension resource access\n(CVE-2016-5173), and a pop-up event was not correctly suppressed\n(CVE-2016-5174).\n\nFinally, Chromium 53.0.2785.113 contains (as usual) various fixes from\nupstream's internal audits, fuzzing and other initiatives.\n(CVE-2016-5175)\n","modified":"2026-04-16T06:23:16.864300156Z","published":"2016-09-21T20:38:22Z","upstream":["CVE-2016-5147","CVE-2016-5148","CVE-2016-5149","CVE-2016-5150","CVE-2016-5151","CVE-2016-5152","CVE-2016-5153","CVE-2016-5154","CVE-2016-5155","CVE-2016-5156","CVE-2016-5157","CVE-2016-5158","CVE-2016-5159","CVE-2016-5160","CVE-2016-5161","CVE-2016-5162","CVE-2016-5163","CVE-2016-5164","CVE-2016-5165","CVE-2016-5166","CVE-2016-5167","CVE-2016-5170","CVE-2016-5171","CVE-2016-5172","CVE-2016-5173","CVE-2016-5174","CVE-2016-5175"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0309.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=19281"},{"type":"WEB","url":"https://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop_31.html"},{"type":"WEB","url":"https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop.html"},{"type":"WEB","url":"https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html"}],"affected":[{"package":{"name":"chromium-browser-stable","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/chromium-browser-stable?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"53.0.2785.113-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0309.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}