Security update for Chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1287-1 Final 1 1 2015-07-24T09:44:13Z current 2015-07-24T09:44:13Z 2015-07-24T09:44:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Chromium Chromium was updated to 44.0.2403.89 to fix multiple security issues. The following vulnerabilities were fixed: * CVE-2015-1271: Heap-buffer-overflow in pdfium * CVE-2015-1273: Heap-buffer-overflow in pdfium * CVE-2015-1274: Settings allowed executable files to run immediately after download * CVE-2015-1275: UXSS in Chrome for Android * CVE-2015-1276: Use-after-free in IndexedDB * CVE-2015-1279: Heap-buffer-overflow in pdfium * CVE-2015-1280: Memory corruption in skia * CVE-2015-1281: CSP bypass * CVE-2015-1282: Use-after-free in pdfium * CVE-2015-1283: Heap-buffer-overflow in expat * CVE-2015-1284: Use-after-free in blink * CVE-2015-1286: UXSS in blink * CVE-2015-1287: SOP bypass with CSS * CVE-2015-1270: Uninitialized memory read in ICU * CVE-2015-1272: Use-after-free related to unexpected GPU process termination * CVE-2015-1277: Use-after-free in accessibility * CVE-2015-1278: URL spoofing using pdf files * CVE-2015-1285: Information leak in XSS auditor * CVE-2015-1288: Spell checking dictionaries fetched over HTTP * CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives * CVE-2015-5605: Rgular-expression implementation mishandles interrupts, DoS via JS The following non-security changes are included: * A number of new apps/extension APIs * Lots of under the hood changes for stability and performance * Pepper Flash plugin updated to 18.0.0.209 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html E-Mail link for openSUSE-SU-2015:1287-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings chromedriver-44.0.2403.89-93.1 chromium-44.0.2403.89-93.1 chromium-desktop-gnome-44.0.2403.89-93.1 chromium-desktop-kde-44.0.2403.89-93.1 chromium-ffmpegsumo-44.0.2403.89-93.1 The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU), as used in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file. CVE-2015-1270 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1270.html CVE-2015-1270 https://bugzilla.suse.com/939077 SUSE Bug 939077 PDFium, as used in Google Chrome before 44.0.2403.89, does not properly handle certain out-of-memory conditions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted PDF document that triggers a large memory allocation. CVE-2015-1271 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1271.html CVE-2015-1271 https://bugzilla.suse.com/939077 SUSE Bug 939077 Use-after-free vulnerability in the GPU process implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging the continued availability of a GPUChannelHost data structure during Blink shutdown, related to content/browser/gpu/browser_gpu_channel_host_factory.cc and content/renderer/render_thread_impl.cc. CVE-2015-1272 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1272.html CVE-2015-1272 https://bugzilla.suse.com/939077 SUSE Bug 939077 Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document. CVE-2015-1273 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1273.html CVE-2015-1273 https://bugzilla.suse.com/939077 SUSE Bug 939077 Google Chrome before 44.0.2403.89 does not ensure that the auto-open list omits all dangerous file types, which makes it easier for remote attackers to execute arbitrary code by providing a crafted file and leveraging a user's previous "Always open files of this type" choice, related to download_commands.cc and download_prefs.cc. CVE-2015-1274 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1274.html CVE-2015-1274 https://bugzilla.suse.com/939077 SUSE Bug 939077 Cross-site scripting (XSS) vulnerability in org/chromium/chrome/browser/UrlUtilities.java in Google Chrome before 44.0.2403.89 on Android allows remote attackers to inject arbitrary web script or HTML via a crafted intent: URL, as demonstrated by a trailing alert(document.cookie);// substring, aka "Universal XSS (UXSS)." CVE-2015-1275 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1275.html CVE-2015-1275 https://bugzilla.suse.com/939077 SUSE Bug 939077 Use-after-free vulnerability in content/browser/indexed_db/indexed_db_backing_store.cc in the IndexedDB implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an abort action before a certain write operation. CVE-2015-1276 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1276.html CVE-2015-1276 https://bugzilla.suse.com/939077 SUSE Bug 939077 Use-after-free vulnerability in the accessibility implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging lack of certain validity checks for accessibility-tree data structures. CVE-2015-1277 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1277.html CVE-2015-1277 https://bugzilla.suse.com/939077 SUSE Bug 939077 content/browser/web_contents/web_contents_impl.cc in Google Chrome before 44.0.2403.89 does not ensure that a PDF document's modal dialog is closed upon navigation to an interstitial page, which allows remote attackers to spoof URLs via a crafted document, as demonstrated by the alert_dialog.pdf document. CVE-2015-1278 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1278.html CVE-2015-1278 https://bugzilla.suse.com/939077 SUSE Bug 939077 Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2/JBig2_Image.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via large height and stride values. CVE-2015-1279 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1279.html CVE-2015-1279 https://bugzilla.suse.com/939077 SUSE Bug 939077 SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging access to a renderer process and providing crafted serialized data. CVE-2015-1280 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1280.html CVE-2015-1280 https://bugzilla.suse.com/939077 SUSE Bug 939077 core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source. CVE-2015-1281 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1281.html CVE-2015-1281 https://bugzilla.suse.com/939077 SUSE Bug 939077 Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Document.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to the (1) Document::delay and (2) Document::DoFieldDelay functions. CVE-2015-1282 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1282.html CVE-2015-1282 https://bugzilla.suse.com/939077 SUSE Bug 939077 Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716. CVE-2015-1283 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1283.html CVE-2015-1283 https://bugzilla.suse.com/1034050 SUSE Bug 1034050 https://bugzilla.suse.com/939077 SUSE Bug 939077 https://bugzilla.suse.com/979441 SUSE Bug 979441 https://bugzilla.suse.com/980391 SUSE Bug 980391 https://bugzilla.suse.com/983985 SUSE Bug 983985 The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service (invalid count value and use-after-free) or possibly have unspecified other impact via crafted JavaScript code that makes many createElement calls for IFRAME elements. CVE-2015-1284 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1284.html CVE-2015-1284 https://bugzilla.suse.com/939077 SUSE Bug 939077 https://bugzilla.suse.com/959178 SUSE Bug 959178 The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89, does not properly choose a truncation point, which makes it easier for remote attackers to obtain sensitive information via an unspecified linear-time attack. CVE-2015-1285 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1285.html CVE-2015-1285 https://bugzilla.suse.com/939077 SUSE Bug 939077 Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler::GetModuleSystem function in extensions/renderer/v8_context_native_handler.cc in Google Chrome before 44.0.2403.89 allows remote attackers to inject arbitrary web script or HTML by leveraging the lack of a certain V8 context restriction, aka a Blink "Universal XSS (UXSS)." CVE-2015-1286 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1286.html CVE-2015-1286 https://bugzilla.suse.com/939077 SUSE Bug 939077 Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode exception that limits the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to core/fetch/CSSStyleSheetResource.cpp. CVE-2015-1287 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1287.html CVE-2015-1287 https://bugzilla.suse.com/939077 SUSE Bug 939077 The Spellcheck API implementation in Google Chrome before 44.0.2403.89 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file, a related issue to CVE-2015-1263. CVE-2015-1288 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1288.html CVE-2015-1288 https://bugzilla.suse.com/939077 SUSE Bug 939077 Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2015-1289 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-1289.html CVE-2015-1289 https://bugzilla.suse.com/939077 SUSE Bug 939077 The regular-expression implementation in Google V8, as used in Google Chrome before 44.0.2403.89, mishandles interrupts, which allows remote attackers to cause a denial of service (application crash) via crafted JavaScript code, as demonstrated by an error in garbage collection during allocation of a stack-overflow exception message. CVE-2015-5605 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00038.html https://www.suse.com/security/cve/CVE-2015-5605.html CVE-2015-5605 https://bugzilla.suse.com/939077 SUSE Bug 939077