Security Advisory Important: chromium-browser security update

Advisory: RHSA-2017:1495-1
Type: Security Advisory
Severity: Important
Issued on: 2017-06-19
Last updated on: 2017-06-19
Affected Products: Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
CVEs (cve.mitre.org): CVE-2017-5087
CVE-2017-5088
CVE-2017-5089

Details

An update for chromium-browser is now available for Red Hat Enterprise Linux 6
Supplementary.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Chromium is an open-source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 59.0.3071.104.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Chromium to crash, execute
arbitrary code, or disclose sensitive information when visited by the victim.
(CVE-2017-5087, CVE-2017-5088, CVE-2017-5089)


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Chromium must be restarted for the changes to take
effect.

Updated packages

Red Hat Enterprise Linux Desktop Supplementary (v. 6)

IA-32:
chromium-browser-59.0.3071.104-1.el6_9.i686.rpm
chromium-browser-debuginfo-59.0.3071.104-1.el6_9.i686.rpm

x86_64:
chromium-browser-59.0.3071.104-1.el6_9.x86_64.rpm
chromium-browser-debuginfo-59.0.3071.104-1.el6_9.x86_64.rpm
 
Red Hat Enterprise Linux Server Supplementary (v. 6)

IA-32:
chromium-browser-59.0.3071.104-1.el6_9.i686.rpm
chromium-browser-debuginfo-59.0.3071.104-1.el6_9.i686.rpm

x86_64:
chromium-browser-59.0.3071.104-1.el6_9.x86_64.rpm
chromium-browser-debuginfo-59.0.3071.104-1.el6_9.x86_64.rpm
 
Red Hat Enterprise Linux Workstation Supplementary (v. 6)

IA-32:
chromium-browser-59.0.3071.104-1.el6_9.i686.rpm
chromium-browser-debuginfo-59.0.3071.104-1.el6_9.i686.rpm

x86_64:
chromium-browser-59.0.3071.104-1.el6_9.x86_64.rpm
chromium-browser-debuginfo-59.0.3071.104-1.el6_9.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see Bugzilla for more information)

1462148 - CVE-2017-5087 chromium-browser: sandbox escape in indexeddb
1462149 - CVE-2017-5088 chromium-browser: out of bounds read in v8
1462151 - CVE-2017-5089 chromium-browser: domain spoofing in omnibox


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/