Arch Linux Security Advisory ASA-201612-18
==========================================

Severity: Critical
Date    : 2016-12-17
CVE-ID  : CVE-2016-5133 CVE-2016-5147 CVE-2016-5153 CVE-2016-5155
          CVE-2016-5161 CVE-2016-5166 CVE-2016-5170 CVE-2016-5171
          CVE-2016-5172 CVE-2016-5181 CVE-2016-5185 CVE-2016-5186
          CVE-2016-5187 CVE-2016-5188 CVE-2016-5192 CVE-2016-5198
Package : qt5-webengine
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package qt5-webengine before version 5.7.1-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing,
cross-site scripting, information disclosure and same-origin policy
bypass.

Resolution
==========

Upgrade to 5.7.1-1.

# pacman -Syu "qt5-webengine>=5.7.1-1"

The problems have been fixed upstream in version 5.7.1.

Workaround
==========

None.

Description
===========

- CVE-2016-5133 (content spoofing)

Google Chrome before 52.0.2743.82 mishandles origin information during
proxy authentication, which allows man-in-the-middle attackers to spoof
a proxy-authentication login prompt or trigger incorrect credential
storage by modifying the client-server data stream.

- CVE-2016-5147 (cross-site scripting)

Blink, as used in Google Chrome, mishandles deferred page loads, which
allows remote attackers to inject arbitrary web script or HTML via a
crafted web site, aka "Universal XSS (UXSS)."

- CVE-2016-5153 (arbitrary code execution)

The Web Animations implementation in Blink improperly relies on list
iteration, which allows remote attackers to cause a denial of service
(use-after-destruction) or possibly have unspecified other impact via a
crafted web site.

- CVE-2016-5155 (content spoofing)

Chromium does not properly validate access to the initial document,
which allows remote attackers to spoof the address bar via a crafted web
site.
- CVE-2016-5161 (information disclosure)

The EditingStyle::mergeStyle function in
WebKit/Source/core/editing/EditingStyle.cpp in Blink mishandles custom
properties, which allows remote attackers to cause a denial of service
or possibly have unspecified other impact via a crafted web site that
leverages "type confusion" in the StylePropertySerializer class.

- CVE-2016-5166 (information disclosure)

The download implementation in Chromium does not properly restrict
saving a file:// URL that is referenced by an http:// URL, which makes
it easier for user-assisted remote attackers to discover NetNTLM hashes
and conduct SMB relay attacks via a crafted web page that is accessed
with the "Save page as" menu choice.

- CVE-2016-5170 (arbitrary code execution)

WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink does
not properly consider getter side effects during array key conversion,
which allows remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via crafted
Indexed Database (aka IndexedDB) API calls.

- CVE-2016-5171 (arbitrary code execution)

WebKit/Source/bindings/templates/interface.cpp in Blink does not prevent
certain constructor calls, which allows remote attackers to cause a
denial of service (use-after-free) or possibly have unspecified other
impact via crafted JavaScript code.

- CVE-2016-5172 (information disclosure)

The parser in Google V8 mishandles scopes, which allows remote attackers
to obtain sensitive information from arbitrary memory locations via
crafted JavaScript code.

- CVE-2016-5181 (cross-site scripting)

A universal XSS flaw was found in the Blink component of the Chromium
browser.

- CVE-2016-5185 (arbitrary code execution)

A use-after-free flaw was found in the Blink component of the Chromium
browser.

- CVE-2016-5186 (information disclosure)

An out-of-bounds read flaw was found in the DevTools component of the
Chromium browser.

- CVE-2016-5187 (content spoofing)

A URL spoofing flaw was found in the Chromium browser.

- CVE-2016-5188 (content spoofing)

A UI spoofing flaw was found in the Chromium browser.

- CVE-2016-5192 (same-origin policy bypass)

A cross-origin bypass flaw was found in the Blink component of the
Chromium browser.

- CVE-2016-5198 (arbitrary code execution)

An out-of-bounds memory access flaw was found in the V8 component of the
Chromium browser.

Impact
======

A remote attacker can access sensitive information, spoof content,
bypass security measures or execute arbitrary code on the affected host.

References
==========

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.7.1?h=5.7
https://bugs.chromium.org/p/chromium/issues/detail?id=613626
https://bugs.chromium.org/p/chromium/issues/detail?id=628942
https://bugs.chromium.org/p/chromium/issues/detail?id=631052
https://bugs.chromium.org/p/chromium/issues/detail?id=630662
https://bugzilla.redhat.com/show_bug.cgi?id=1372216
https://bugs.chromium.org/p/chromium/issues/detail?id=622420
https://bugs.chromium.org/p/chromium/issues/detail?id=616429
https://bugs.chromium.org/p/chromium/issues/detail?id=641101
https://bugs.chromium.org/p/chromium/issues/detail?id=643357
https://chromereleases.googleblog.com/2016/09/stable-channel-update-for-desktop_13.html
https://bugs.chromium.org/p/chromium/issues/detail?id=616386
https://googlechromereleases.blogspot.fr/2016/10/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2016/11/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=659475
https://access.redhat.com/security/cve/CVE-2016-5133
https://access.redhat.com/security/cve/CVE-2016-5147
https://access.redhat.com/security/cve/CVE-2016-5153
https://access.redhat.com/security/cve/CVE-2016-5155
https://access.redhat.com/security/cve/CVE-2016-5161
https://access.redhat.com/security/cve/CVE-2016-5166
https://access.redhat.com/security/cve/CVE-2016-5170
https://access.redhat.com/security/cve/CVE-2016-5171
https://access.redhat.com/security/cve/CVE-2016-5172
https://access.redhat.com/security/cve/CVE-2016-5181
https://access.redhat.com/security/cve/CVE-2016-5185
https://access.redhat.com/security/cve/CVE-2016-5186
https://access.redhat.com/security/cve/CVE-2016-5187
https://access.redhat.com/security/cve/CVE-2016-5188
https://access.redhat.com/security/cve/CVE-2016-5192
https://access.redhat.com/security/cve/CVE-2016-5198
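The Resolution section above gives the fixed version as 5.7.1-1. The following script is an added example and is not part of the Arch advisory or of pacman: it compares an installed qt5-webengine version string (in the form printed by `pacman -Q qt5-webengine`) against that fixed version and reports whether the host is still affected. On an Arch host it defers to pacman's `vercmp`, which is the authoritative ordering; where `vercmp` is absent it falls back to a simplified numeric comparison of the dotted version and the `-pkgrel` suffix, which is an assumption sufficient for release versions like those in this advisory but not for pre-release tags such as `rc` or `beta`.

```shell
#!/bin/sh
# Added example (not from the Arch advisory): is the installed qt5-webengine
# older than the fixed version named in ASA-201612-18?

FIXED_VERSION="5.7.1-1"   # from the advisory's Resolution section

# version_lt A B : succeed (exit 0) when version A sorts before B, i.e. A is older.
version_lt() {
    # pacman's vercmp prints <0, 0 or >0 and is the authoritative Arch ordering.
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
        return
    fi
    # Fallback (assumption: purely numeric components): split on "." and "-"
    # and compare field by field, treating missing fields as 0.
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0   # a is older
            if (x > y) exit 1   # a is newer
        }
        exit 1                  # equal: not older
    }'
}

# qt5_webengine_status VERSION : print "vulnerable" if VERSION predates the
# fixed package, "fixed" otherwise.
qt5_webengine_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Usage on a live Arch system: ./check.sh --installed
# Reads the installed version from pacman's local database and reports it.
if [ "${1:-}" = "--installed" ] && command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q qt5-webengine 2>/dev/null | awk '{print $2}')
    if [ -n "$installed" ]; then
        echo "qt5-webengine $installed: $(qt5_webengine_status "$installed")"
    else
        echo "qt5-webengine is not installed"
    fi
fi
```

The same comparison applies to any advisory of this form: replace `FIXED_VERSION` with the version in the Resolution section and the package name in the `pacman -Q` call. Because pacman only records what it installed, a rebuilt or locally patched package with an older version string will still be reported as vulnerable; that is the intended conservative behaviour for an inventory check.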