Debian Security Advisory

DSA-3926-1 chromium-browser -- security update

Date Reported:
04 Aug 2017
Affected Packages:
chromium-browser
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2017-5087, CVE-2017-5088, CVE-2017-5089, CVE-2017-5091, CVE-2017-5092, CVE-2017-5093, CVE-2017-5094, CVE-2017-5095, CVE-2017-5097, CVE-2017-5098, CVE-2017-5099, CVE-2017-5100, CVE-2017-5101, CVE-2017-5102, CVE-2017-5103, CVE-2017-5104, CVE-2017-5105, CVE-2017-5106, CVE-2017-5107, CVE-2017-5108, CVE-2017-5109, CVE-2017-5110, CVE-2017-7000.
More information:

Several vulnerabilities have been discovered in the chromium web browser.

  • CVE-2017-5087

    Ned Williamson discovered a way to escape the sandbox.

  • CVE-2017-5088

    Xiling Gong discovered an out-of-bounds read issue in the v8 javascript library.

  • CVE-2017-5089

    Michal Bentkowski discovered a spoofing issue.

  • CVE-2017-5091

    Ned Williamson discovered a use-after-free issue in IndexedDB.

  • CVE-2017-5092

    Yu Zhou discovered a use-after-free issue in PPAPI.

  • CVE-2017-5093

    Luan Herrera discovered a user interface spoofing issue.

  • CVE-2017-5094

    A type confusion issue was discovered in extensions.

  • CVE-2017-5095

    An out-of-bounds write issue was discovered in the pdfium library.

  • CVE-2017-5097

    An out-of-bounds read issue was discovered in the skia library.

  • CVE-2017-5098

    Jihoon Kim discovered a use-after-free issue in the v8 javascript library.

  • CVE-2017-5099

    Yuan Deng discovered an out-of-bounds write issue in PPAPI.

  • CVE-2017-5100

    A use-after-free issue was discovered in Chrome Apps.

  • CVE-2017-5101

    Luan Herrera discovered a URL spoofing issue.

  • CVE-2017-5102

    An uninitialized variable was discovered in the skia library.

  • CVE-2017-5103

    Another uninitialized variable was discovered in the skia library.

  • CVE-2017-5104

    Khalil Zhani discovered a user interface spoofing issue.

  • CVE-2017-5105

    Rayyan Bijoora discovered a URL spoofing issue.

  • CVE-2017-5106

    Jack Zac discovered a URL spoofing issue.

  • CVE-2017-5107

    David Kohlbrenner discovered an information leak in SVG file handling.

  • CVE-2017-5108

    Guang Gong discovered a type confusion issue in the pdfium library.

  • CVE-2017-5109

    Jose Maria Acuna Morgado discovered a user interface spoofing issue.

  • CVE-2017-5110

    xisigr discovered a way to spoof the payments dialog.

  • CVE-2017-7000

    Chaitin Security Research Lab discovered an information disclosure issue in the sqlite library.

For the stable distribution (stretch), these problems have been fixed in version 60.0.3112.78-1~deb9u1.

For the unstable distribution (sid), these problems have been fixed in version 60.0.3112.78-1 or earlier versions.

We recommend that you upgrade your chromium-browser packages.