Security Information / 2016 / Security Information -- DSA-3486-1 chromium-browser

Debian Security Advisory

DSA-3486-1 chromium-browser -- security update

Date Reported:

21 Feb 2016

Affected Packages:

chromium-browser

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-1622, CVE-2016-1623, CVE-2016-1624, CVE-2016-1625, CVE-2016-1626, CVE-2016-1627, CVE-2016-1628, CVE-2016-1629.

More information:

Several vulnerabilities have been discovered in the chromium web browser.

• CVE-2016-1622

  It was discovered that a maliciously crafted extension could bypass the Same Origin Policy.

• CVE-2016-1623

  Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

• CVE-2016-1624

  lukezli discovered a buffer overflow issue in the Brotli library.

• CVE-2016-1625

  Jann Horn discovered a way to cause the Chrome Instant feature to navigate to unintended destinations.

• CVE-2016-1626

  An out-of-bounds read issue was discovered in the openjpeg library.

• CVE-2016-1627

  It was discovered that the Developer Tools did not validate URLs.

• CVE-2016-1628

  An out-of-bounds read issue was discovered in the pdfium library.

• CVE-2016-1629

  A way to bypass the Same Origin Policy was discovered in Blink/WebKit, along with a way to escape the chromium sandbox.

For the stable distribution (jessie), these problems have been fixed in version 48.0.2564.116-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 48.0.2564.116-1.

We recommend that you upgrade your chromium-browser packages.