Vulnerabilities > CVE-2015-1290 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-953.NASL description Qt 5 was updated to the 5.5.1 release to deliver upstream improvements and fixes to Qt functionality. The following Security fixes are contained in QtWebEngineCore : - ICU: CVE-2014-8146, CVE-2014-8147 - Blink: CVE-2015-1284, CVE-2015-1291, CVE-2015-1292 - Skia: CVE-2015-1294 - V8: CVE-2015-1290 The following packages were rebuilt because they use private headers : - calibre - fcitx-qt5 - frameworkintegration - kwayland - kwin5, - lxqt-powermanagement - lxqt-qtplugin last seen 2020-06-05 modified 2015-12-29 plugin id 87627 published 2015-12-29 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/87627 title openSUSE Security Update : Qt 5 (openSUSE-2015-953) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_9D73207832C711E5B26300262D5ED8EE.NASL description Google Chrome Releases reports : 43 security fixes in this release, including : - [446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer. - [459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft. - [461858] High CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi. - [462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte) of Baidu X-Team. - [472614] High CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne. - [483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon. - [486947] High CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer. - [487155] High CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa. - [487928] High CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva. - [492052] High CVE-2015-1283: Heap-buffer-overflow in expat. Credit to sidhpurwala.huzaifa. - [493243] High CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen of OUSPG. - [504011] High CVE-2015-1286: UXSS in blink. Credit to anonymous. - [505374] High CVE-2015-1290: Memory corruption in V8. Credit to Yongjun Liu of NSFOCUS Security Team. - [419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor. - [444573] Medium CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen of OUSPG. - [451456] Medium CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva. - [479743] Medium CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined. - [482380] Medium CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva. - [498982] Medium CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes. - [479162] Low CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to [email protected]. - [512110] CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives. last seen 2020-06-01 modified 2020-06-02 plugin id 84994 published 2015-07-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84994 title FreeBSD : chromium -- multiple vulnerabilities (9d732078-32c7-11e5-b263-00262d5ed8ee)
References
- http://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.5.1
- http://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.5.1
- http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_21.html
- http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_21.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00116.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00116.html
- http://www.nsfocus.net/index.php?act=advisory&do=view&adv_id=80
- http://www.nsfocus.net/index.php?act=advisory&do=view&adv_id=80
- https://bugs.chromium.org/p/chromium/issues/detail?id=505374
- https://bugs.chromium.org/p/chromium/issues/detail?id=505374
- https://codereview.chromium.org/1233453004
- https://codereview.chromium.org/1233453004