V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac included incorrect optimisation assumptions, which allowed a remote attacker to perform arbitrary read/write operations, leading to code execution, via a crafted HTML page.

This update updates QtWebEngine to a snapshot from the Qt 5.6 LTS (long-term support) branch. This is a snapshot of the QtWebEngine that will be included in the bugfix and security release Qt 5.6.3, but only the QtWebEngine component is included in this update.

The update fixes the following security issues in QtWebEngine 5.6.2:
CVE-2016-5133, CVE-2016-5147, CVE-2016-5153, CVE-2016-5155, CVE-2016-5161, CVE-2016-5166, CVE-2016-5170, CVE-2016-5171, CVE-2016-5172, CVE-2016-5181, CVE-2016-5185, CVE-2016-5186, CVE-2016-5187, CVE-2016-5188, CVE-2016-5192, CVE-2016-5198, CVE-2016-5205, CVE-2016-5207, CVE-2016-5208, CVE-2016-5214, CVE-2016-5215, CVE-2016-5221, CVE-2016-5222, CVE-2016-5224, CVE-2016-5225, CVE-2016-9650, CVE-2016-9651, CVE-2016-9652, CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5012, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5019, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026, CVE-2017-5027, CVE-2017-5029, CVE-2017-5033, CVE-2017-5037, CVE-2017-5044, CVE-2017-5046, CVE-2017-5047, CVE-2017-5048, CVE-2017-5049, CVE-2017-5050, CVE-2017-5051, CVE-2017-5059, CVE-2017-5061, CVE-2017-5062, CVE-2017-5065, CVE-2017-5067, CVE-2017-5069, CVE-2017-5070, CVE-2017-5071, CVE-2017-5075, CVE-2017-5076, CVE-2016-5078, CVE-2017-5083, and CVE-2017-5089.

Other important changes include :

  - Based on Chromium 49.0.2623.111 (the version used in     QtWebEngine 5.7.x) with security fixes from Chromium up     to version 59.0.3071.104. (5.6.2 was based on Chromium     45.0.2554.101 with security fixes from Chromium up to     version 52.0.2743.116.)

  - All other bug fixes from QtWebEngine 5.7.1 have been     backported.

See http://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.6.3?h=5.
6 for details. (Please note that at the time of this writing, not all security backports are listed in that file yet. The list above is accurate.)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2016-5181     A cross-site scripting issue was discovered.

  - CVE-2016-5182     Giwan Go discovered a heap overflow issue.

  - CVE-2016-5183     A use-after-free issue was discovered in the pdfium     library.

  - CVE-2016-5184     Another use-after-free issue was discovered in the     pdfium library.

  - CVE-2016-5185     cloudfuzzer discovered a use-after-free issue in     Blink/Webkit.

  - CVE-2016-5186     Abdulrahman Alqabandi discovered an out-of-bounds read     issue in the developer tools.

  - CVE-2016-5187     Luan Herrera discovered a URL spoofing issue.

  - CVE-2016-5188     Luan Herrera discovered that some drop down menus can be     used to hide parts of the user interface.

  - CVE-2016-5189     xisigr discovered a URL spoofing issue.

  - CVE-2016-5190     Atte Kettunen discovered a use-after-free issue.

  - CVE-2016-5191     Gareth Hughes discovered a cross-site scripting issue.

  - CVE-2016-5192     haojunhou@gmail.com discovered a same-origin bypass.

  - CVE-2016-5193     Yuyang Zhou discovered a way to pop open a new window.

  - CVE-2016-5194     The chrome development team found and fixed various     issues during internal auditing.

  - CVE-2016-5198     Tencent Keen Security Lab discovered an out-of-bounds     memory access issue in the v8 JavaScript library.

  - CVE-2016-5199     A heap corruption issue was discovered in the ffmpeg     library.

  - CVE-2016-5200     Choongwoo Han discovered an out-of-bounds memory access     issue in the v8 JavaScript library.

  - CVE-2016-5201     Rob Wu discovered an information leak.

  - CVE-2016-5202     The chrome development team found and fixed various     issues during internal auditing.

  - CVE-2016-5203     A use-after-free issue was discovered in the pdfium     library.

  - CVE-2016-5204     Mariusz Mlynski discovered a cross-site scripting issue     in SVG image handling.

  - CVE-2016-5205     A cross-site scripting issue was discovered.

  - CVE-2016-5206     Rob Wu discovered a same-origin bypass in the pdfium     library.

  - CVE-2016-5207     Mariusz Mlynski discovered a cross-site scripting issue.

  - CVE-2016-5208     Mariusz Mlynski discovered another cross-site scripting     issue.

  - CVE-2016-5209     Giwan Go discovered an out-of-bounds write issue in     Blink/Webkit.

  - CVE-2016-5210     Ke Liu discovered an out-of-bounds write in the pdfium     library.

  - CVE-2016-5211     A use-after-free issue was discovered in the pdfium     library.

  - CVE-2016-5212     Khalil Zhani discovered an information disclosure issue     in the developer tools.

  - CVE-2016-5213     Khalil Zhani discovered a use-after-free issue in the v8     JavaScript library.

  - CVE-2016-5214     Jonathan Birch discovered a file download protection     bypass.

  - CVE-2016-5215     Looben Yang discovered a use-after-free issue.

  - CVE-2016-5216     A use-after-free issue was discovered in the pdfium     library.

  - CVE-2016-5217     Rob Wu discovered a condition where data was not     validated by the pdfium library.

  - CVE-2016-5218     Abdulrahman Alqabandi discovered a URL spoofing issue.

  - CVE-2016-5219     Rob Wu discovered a use-after-free issue in the v8     JavaScript library.

  - CVE-2016-5220     Rob Wu discovered a way to access files on the local     system.

  - CVE-2016-5221     Tim Becker discovered an integer overflow issue in the     angle library.

  - CVE-2016-5222     xisigr discovered a URL spoofing issue.

  - CVE-2016-5223     Hwiwon Lee discovered an integer overflow issue in the     pdfium library.

  - CVE-2016-5224     Roeland Krak discovered a same-origin bypass in SVG     image handling.

  - CVE-2016-5225     Scott Helme discovered a Content Security Protection     bypass.

  - CVE-2016-5226     Jun Kokatsu discovered a cross-scripting issue.

  - CVE-2016-9650     Jakub Zoczek discovered a Content Security Protection     information disclosure.

  - CVE-2016-9651     Guang Gong discovered a way to access private data in     the v8 JavaScript library.

  - CVE-2016-9652     The chrome development team found and fixed various     issues during internal auditing.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3133-1 advisory.

    Multiple security vulnerabilities were discovered in Chromium. If a user were tricked in to opening a     specially crafted website, an attacker could potentially exploit these to obtain sensitive information,     cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5198, CVE-2016-5200,     CVE-2016-5202)

    A heap-corruption issue was discovered in FFmpeg. If a user were tricked in to opening a specially crafted     website, an attacker could potentially exploit this to cause a denial of service via application crash, or     execute arbitrary code. (CVE-2016-5199)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Security fix for CVE-2016-5181, CVE-2016-5182, CVE-2016-5183, CVE-2016-5184, CVE-2016-5185, CVE-2016-5187, CVE-2016-5188, CVE-2016-5192, CVE-2016-5189, CVE-2016-5186, CVE-2016-5191, CVE-2016-5190, CVE-2016-5193, CVE-2016-5194

Security fix for CVE-2016-5198

Update to new stable, 54.0.2840.90.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Google Chrome installed on the remote host is prior to 54.0.2840.87, and is affected by an out-of-bounds access flaw that is triggered when handling stable map assumption for globals. This may allow a context-dependent attacker to crash a process linked against the library or potentially execute arbitrary code.

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 54.0.2840.90.

Security Fix(es) :

* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2016-5198)

This update to Chromium 54.0.2840.90: fixes the following security issues :

  - CVE-2016-5198: out of bounds memory access in v8     (boo#1008274)

The version of Google Chrome installed on the remote macOS or Mac OS X host is prior to 54.0.2840.87. It is, therefore, affected by a remote code execution vulnerability in the V8 component due to an out-of-bounds access error that occurs when handling stable map assumptions for globals. An unauthenticated, remote attacker can exploit this, via a specially crafted website, to cause a denial of service condition or the execution of arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote Windows host is prior to 54.0.2840.87. It is, therefore, affected by a remote code execution vulnerability in the V8 component due to an out-of-bounds access error that occurs when handling stable map assumptions for globals. An unauthenticated, remote attacker can exploit this, via a specially crafted website, to cause a denial of service condition or the execution of arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Google Chrome Releases reports :

[659475] High CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab, working with Trend Micro's Zero Day Initiative.

ID	Name	Product	Family	Severity
101920	Fedora 24 : qt5-qtwebengine (2017-98bed96d12)	Nessus	Fedora Local Security Checks	critical
95667	Debian DSA-3731-1 : chromium-browser - security update	Nessus	Debian Local Security Checks	critical
95466	Ubuntu 14.04 LTS / 16.04 LTS : Oxide vulnerabilities (USN-3133-1)	Nessus	Ubuntu Local Security Checks	critical
94996	Fedora 25 : 1:chromium-native_client / chromium (2016-35049d9d97)	Nessus	Fedora Local Security Checks	critical
94987	Fedora 23 : chromium (2016-012de4c97e)	Nessus	Fedora Local Security Checks	critical
9789	Google Chrome < 54.0.2840.87 RCE	Nessus Network Monitor	Web Clients	medium
94661	Fedora 24 : 1:chromium-native_client / chromium (2016-c671aae490)	Nessus	Fedora Local Security Checks	critical
94625	RHEL 6 : chromium-browser (RHSA-2016:2672)	Nessus	Red Hat Local Security Checks	high
94599	openSUSE Security Update : chromium (openSUSE-2016-1266)	Nessus	SuSE Local Security Checks	high
94581	Google Chrome < 54.0.2840.87 V8 Globals Stable Map Assumption Handling RCE (macOS)	Nessus	MacOS X Local Security Checks	high
94580	Google Chrome < 54.0.2840.87 V8 Globals Stable Map Assumption Handling RCE	Nessus	Windows	high
94527	FreeBSD : chromium -- out-of-bounds memory access (ae9cb9b8-a203-11e6-a265-3065ec8fd3ec)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-5198

high

Tenable Plugins

critical

critical

critical

critical

critical

medium

critical

high

high

high

high

high