Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3245-1 Final 1 1 2017-12-08T07:34:05Z current 2017-12-08T07:34:05Z 2017-12-08T07:34:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update to Chromium 63.0.3239.84 fixes the following security issues: - CVE-2017-5124: UXSS with MHTML - CVE-2017-5125: Heap overflow in Skia - CVE-2017-5126: Use after free in PDFium - CVE-2017-5127: Use after free in PDFium - CVE-2017-5128: Heap overflow in WebGL - CVE-2017-5129: Use after free in WebAudio - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. - CVE-2017-5130: Heap overflow in libxml2 - CVE-2017-5131: Out of bounds write in Skia - CVE-2017-5133: Out of bounds write in Skia - CVE-2017-15386: UI spoofing in Blink - CVE-2017-15387: Content security bypass - CVE-2017-15388: Out of bounds read in Skia - CVE-2017-15389: URL spoofing in OmniBox - CVE-2017-15390: URL spoofing in OmniBox - CVE-2017-15391: Extension limitation bypass in Extensions. - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration - CVE-2017-15393: Referrer leak in Devtools - CVE-2017-15394: URL spoofing in extensions UI - CVE-2017-15395: Null pointer dereference in ImageCapture - CVE-2017-15396: Stack overflow in V8 - CVE-2017-15398: Stack buffer overflow in QUIC - CVE-2017-15399: Use after free in V8 - CVE-2017-15408: Heap buffer overflow in PDFium - CVE-2017-15409: Out of bounds write in Skia - CVE-2017-15410: Use after free in PDFium - CVE-2017-15411: Use after free in PDFium - CVE-2017-15412: Use after free in libXML - CVE-2017-15413: Type confusion in WebAssembly - CVE-2017-15415: Pointer information disclosure in IPC call - CVE-2017-15416: Out of bounds read in Blink - CVE-2017-15417: Cross origin information disclosure in Skia - CVE-2017-15418: Use of uninitialized value in Skia - CVE-2017-15419: Cross origin leak of redirect URL in Blink - CVE-2017-15420: URL spoofing in Omnibox - CVE-2017-15422: Integer overflow in ICU - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL - CVE-2017-15424: URL Spoof in Omnibox - CVE-2017-15425: URL Spoof in Omnibox - CVE-2017-15426: URL Spoof in Omnibox - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox The following tracked bug fixes are included: - sandbox crash fixes (bsc#1064298) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-1352 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 E-Mail link for openSUSE-SU-2017:3245-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064298 SUSE Bug 1064298 https://bugzilla.suse.com/1065405 SUSE Bug 1065405 https://bugzilla.suse.com/1066851 SUSE Bug 1066851 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 https://www.suse.com/security/cve/CVE-2017-15386/ SUSE CVE CVE-2017-15386 page https://www.suse.com/security/cve/CVE-2017-15387/ SUSE CVE CVE-2017-15387 page https://www.suse.com/security/cve/CVE-2017-15388/ SUSE CVE CVE-2017-15388 page https://www.suse.com/security/cve/CVE-2017-15389/ SUSE CVE CVE-2017-15389 page https://www.suse.com/security/cve/CVE-2017-15390/ SUSE CVE CVE-2017-15390 page https://www.suse.com/security/cve/CVE-2017-15391/ SUSE CVE CVE-2017-15391 page https://www.suse.com/security/cve/CVE-2017-15392/ SUSE CVE CVE-2017-15392 page https://www.suse.com/security/cve/CVE-2017-15393/ SUSE CVE CVE-2017-15393 page https://www.suse.com/security/cve/CVE-2017-15394/ SUSE CVE CVE-2017-15394 page https://www.suse.com/security/cve/CVE-2017-15395/ SUSE CVE CVE-2017-15395 page https://www.suse.com/security/cve/CVE-2017-15396/ SUSE CVE CVE-2017-15396 page https://www.suse.com/security/cve/CVE-2017-15398/ SUSE CVE CVE-2017-15398 page https://www.suse.com/security/cve/CVE-2017-15399/ SUSE CVE CVE-2017-15399 page https://www.suse.com/security/cve/CVE-2017-15408/ SUSE CVE CVE-2017-15408 page https://www.suse.com/security/cve/CVE-2017-15409/ SUSE CVE CVE-2017-15409 page https://www.suse.com/security/cve/CVE-2017-15410/ SUSE CVE CVE-2017-15410 page https://www.suse.com/security/cve/CVE-2017-15411/ SUSE CVE CVE-2017-15411 page https://www.suse.com/security/cve/CVE-2017-15412/ SUSE CVE CVE-2017-15412 page https://www.suse.com/security/cve/CVE-2017-15413/ SUSE CVE CVE-2017-15413 page https://www.suse.com/security/cve/CVE-2017-15415/ SUSE CVE CVE-2017-15415 page https://www.suse.com/security/cve/CVE-2017-15416/ SUSE CVE CVE-2017-15416 page https://www.suse.com/security/cve/CVE-2017-15417/ SUSE CVE CVE-2017-15417 page https://www.suse.com/security/cve/CVE-2017-15418/ SUSE CVE CVE-2017-15418 page https://www.suse.com/security/cve/CVE-2017-15419/ SUSE CVE CVE-2017-15419 page https://www.suse.com/security/cve/CVE-2017-15420/ SUSE CVE CVE-2017-15420 page https://www.suse.com/security/cve/CVE-2017-15422/ SUSE CVE CVE-2017-15422 page https://www.suse.com/security/cve/CVE-2017-15423/ SUSE CVE CVE-2017-15423 page https://www.suse.com/security/cve/CVE-2017-15424/ SUSE CVE CVE-2017-15424 page https://www.suse.com/security/cve/CVE-2017-15425/ SUSE CVE CVE-2017-15425 page https://www.suse.com/security/cve/CVE-2017-15426/ SUSE CVE CVE-2017-15426 page https://www.suse.com/security/cve/CVE-2017-15427/ SUSE CVE CVE-2017-15427 page https://www.suse.com/security/cve/CVE-2017-5124/ SUSE CVE CVE-2017-5124 page https://www.suse.com/security/cve/CVE-2017-5125/ SUSE CVE CVE-2017-5125 page https://www.suse.com/security/cve/CVE-2017-5126/ SUSE CVE CVE-2017-5126 page https://www.suse.com/security/cve/CVE-2017-5127/ SUSE CVE CVE-2017-5127 page https://www.suse.com/security/cve/CVE-2017-5128/ SUSE CVE CVE-2017-5128 page https://www.suse.com/security/cve/CVE-2017-5129/ SUSE CVE CVE-2017-5129 page https://www.suse.com/security/cve/CVE-2017-5130/ SUSE CVE CVE-2017-5130 page https://www.suse.com/security/cve/CVE-2017-5131/ SUSE CVE CVE-2017-5131 page https://www.suse.com/security/cve/CVE-2017-5132/ SUSE CVE CVE-2017-5132 page https://www.suse.com/security/cve/CVE-2017-5133/ SUSE CVE CVE-2017-5133 page SUSE Package Hub 12 SP2 chromedriver-63.0.3239.84-40.1 chromium-63.0.3239.84-40.1 chromedriver-63.0.3239.84-40.1 as a component of SUSE Package Hub 12 SP2 chromium-63.0.3239.84-40.1 as a component of SUSE Package Hub 12 SP2 Incorrect implementation in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. CVE-2017-15386 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15386.html CVE-2017-15386 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Insufficient enforcement of Content Security Policy in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to open javascript: URL windows when they should not be allowed to via a crafted HTML page. CVE-2017-15387 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15387.html CVE-2017-15387 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Iteration through non-finite points in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2017-15388 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15388.html CVE-2017-15388 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 An insufficient watchdog timer in navigation in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. CVE-2017-15389 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15389.html CVE-2017-15389 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. CVE-2017-15390 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15390.html CVE-2017-15390 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to access Extension pages without authorisation via a crafted HTML page. CVE-2017-15391 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15391.html CVE-2017-15391 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Insufficient data validation in V8 in Google Chrome prior to 62.0.3202.62 allowed an attacker who can write to the Windows Registry to potentially exploit heap corruption via a crafted Windows Registry entry, related to PlatformIntegration. CVE-2017-15392 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15392.html CVE-2017-15392 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak. CVE-2017-15393 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15393.html CVE-2017-15393 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing in permission dialogs via IDN homographs in a crafted Chrome Extension. CVE-2017-15394 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15394.html CVE-2017-15394 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 A use after free in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an ImageCapture NULL pointer dereference. CVE-2017-15395 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15395.html CVE-2017-15395 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15396 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15396.html CVE-2017-15396 https://bugzilla.suse.com/1065405 SUSE Bug 1065405 A stack buffer overflow in the QUIC networking stack in Google Chrome prior to 62.0.3202.89 allowed a remote attacker to gain code execution via a malicious server. CVE-2017-15398 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15398.html CVE-2017-15398 https://bugzilla.suse.com/1066851 SUSE Bug 1066851 https://bugzilla.suse.com/1066853 SUSE Bug 1066853 A use after free in V8 in Google Chrome prior to 62.0.3202.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15399 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15399.html CVE-2017-15399 https://bugzilla.suse.com/1066851 SUSE Bug 1066851 https://bugzilla.suse.com/1066853 SUSE Bug 1066853 Heap buffer overflow in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file that is mishandled by PDFium. CVE-2017-15408 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15408.html CVE-2017-15408 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Heap buffer overflow in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15409 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15409.html CVE-2017-15409 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2017-15410 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15410.html CVE-2017-15410 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2017-15411 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15411.html CVE-2017-15411 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15412 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15412.html CVE-2017-15412 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 https://bugzilla.suse.com/1077993 SUSE Bug 1077993 https://bugzilla.suse.com/1123129 SUSE Bug 1123129 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 Type confusion in WebAssembly in V8 in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-15413 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15413.html CVE-2017-15413 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Incorrect serialization in IPC in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the value of a pointer via a crafted HTML page. CVE-2017-15415 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15415.html CVE-2017-15415 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Heap buffer overflow in Blob API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka a Blink out-of-bounds read. CVE-2017-15416 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15416.html CVE-2017-15416 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Inappropriate implementation in Skia canvas composite operations in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2017-15417 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15417.html CVE-2017-15417 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Use of uninitialized memory in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVE-2017-15418 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15418.html CVE-2017-15418 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. CVE-2017-15419 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15419.html CVE-2017-15419 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Incorrect handling of back navigations in error pages in Navigation in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. CVE-2017-15420 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15420.html CVE-2017-15420 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 https://bugzilla.suse.com/1077571 SUSE Bug 1077571 Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2017-15422 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15422.html CVE-2017-15422 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 https://bugzilla.suse.com/1077999 SUSE Bug 1077999 https://bugzilla.suse.com/1123121 SUSE Bug 1123121 Inappropriate implementation in BoringSSL SPAKE2 in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the low-order bits of SHA512(password) by inspecting protocol traffic. CVE-2017-15423 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15423.html CVE-2017-15423 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. CVE-2017-15424 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15424.html CVE-2017-15424 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. CVE-2017-15425 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15425.html CVE-2017-15425 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. CVE-2017-15426 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15426.html CVE-2017-15426 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. CVE-2017-15427 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-15427.html CVE-2017-15427 https://bugzilla.suse.com/1071691 SUSE Bug 1071691 Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page. CVE-2017-5124 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5124.html CVE-2017-5124 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Heap buffer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2017-5125 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5125.html CVE-2017-5125 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2017-5126 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5126.html CVE-2017-5126 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2017-5127 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5127.html CVE-2017-5127 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Heap buffer overflow in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, related to WebGL. CVE-2017-5128 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5128.html CVE-2017-5128 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 A use after free in WebAudio in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2017-5129 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5129.html CVE-2017-5129 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. CVE-2017-5130 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5130.html CVE-2017-5130 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 https://bugzilla.suse.com/1078806 SUSE Bug 1078806 https://bugzilla.suse.com/1123129 SUSE Bug 1123129 https://bugzilla.suse.com/1123919 SUSE Bug 1123919 An integer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an out-of-bounds write. CVE-2017-5131 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5131.html CVE-2017-5131 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka incorrect WebAssembly stack manipulation. CVE-2017-5132 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5132.html CVE-2017-5132 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089 Off-by-one read/write on the heap in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to corrupt memory and possibly leak information and potentially execute code via a crafted PDF file. CVE-2017-5133 SUSE Package Hub 12 SP2:chromedriver-63.0.3239.84-40.1 SUSE Package Hub 12 SP2:chromium-63.0.3239.84-40.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2/#VA55NOXRJGNNMP5YTJMI3OWZ75GMEMB2 https://www.suse.com/security/cve/CVE-2017-5133.html CVE-2017-5133 https://bugzilla.suse.com/1064066 SUSE Bug 1064066 https://bugzilla.suse.com/1064089 SUSE Bug 1064089