Debian 10225 Published by

The following updates has been released for Debian:

[DSA 3644-1] fontconfig security update
[DSA 3645-1] chromium-browser security update



[DSA 3644-1] fontconfig security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3644-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 08, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : fontconfig
CVE ID : CVE-2016-5384
Debian Bug : 833570

Tobias Stoeckmann discovered that cache files are insufficiently
validated in fontconfig, a generic font configuration library. An
attacker can trigger arbitrary free() calls, which in turn allows double
free attacks and therefore arbitrary code execution. In combination with
setuid binaries using crafted cache files, this could allow privilege
escalation.

For the stable distribution (jessie), this problem has been fixed in
version 2.11.0-6.3+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.11.0-6.5.

We recommend that you upgrade your fontconfig packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3645-1] chromium-browser security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3645-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
August 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2016-5139 CVE-2016-5140 CVE-2016-5141 CVE-2016-5142
CVE-2016-5143 CVE-2016-5144

Several vulnerabilites have been discovered in the chromium web browser.

CVE-2016-5139

GiWan Go discovered a use-after-free issue in the pdfium library.

CVE-2016-5140

Ke Liu discovered a use-after-free issue in the pdfium library.

CVE-2016-5141

Sergey Glazunov discovered a URL spoofing issue.

CVE-2016-5142

Sergey Glazunov discovered a use-after-free issue.

CVE-2016-5143

Gregory Panakkal discovered an issue in the developer tools.

CVE-2016-5144

Gregory Panakkal discovered another issue in the developer tools.

CVE-2016-5146

The chrome development team found and fixed various issues during
internal auditing.

For the stable distribution (jessie), these problems have been fixed in
version 52.0.2743.116-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 52.0.2743.116-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/