SB2017051642 - Fedora EPEL 7 update for chromium
Published: May 16, 2017 Updated: April 24, 2025
Description
This security bulletin contains information about 13 security vulnerabilities.
1) Race condition (CVE-ID: CVE-2017-5068)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a race condition in WebRTC when processing web pages. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system with the privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
2) Type confusion (CVE-ID: CVE-2017-5057)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in PDFium. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
3) Use-after-free (CVE-ID: CVE-2017-5058)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in Print Preview. A remote attacker can trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
4) Type confusion (CVE-ID: CVE-2017-5059)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in Blink within the processing of list item markers. A remote attacker can create a specially crafted web page, trigger a type confusion condition by manipulating a document's elements and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
5) URL spoofing (CVE-ID: CVE-2017-5060)
The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can spoof URLs.
6) URL spoofing (CVE-ID: CVE-2017-5061)
The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can spoof URLs.
7) Use-after-free (CVE-ID: CVE-2017-5062)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in Chrome Apps. A remote attacker can trigger a potentially exploitable browser crash.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
8) Heap-based buffer overflow (CVE-ID: CVE-2017-5063)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Skia. A remote attacker can trigger a potentially exploitable browser crash via a heap-based buffer overflow.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
9) Use-after-free (CVE-ID: CVE-2017-5064)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in Blink. A remote attacker can trigger a potentially exploitable browser crash.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
10) Security bypass (CVE-ID: CVE-2017-5065)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an unspecified error related to incorrect UI in Blink.
11) Security bypass (CVE-ID: CVE-2017-5066)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an unspecified error related to incorrect signature handling in Networking.
12) URL spoofing (CVE-ID: CVE-2017-5067)
The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can spoof URLs.
13) Cross-origin bypass (CVE-ID: CVE-2017-5069)
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Blink. A remote attacker can bypass same origin policy restrictions and access potentially sensitive information.
Remediation
Install the update from the vendor's website.