Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2015-6786

The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CSPSourceList.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts a blob:, data:, or filesystem: URL as a match for a * pattern, which allows remote attackers to bypass intended scheme restrictions in opportunistic circumstances by leveraging a policy that relies on this pattern.

Related bugs and status

CVE-2015-6786 (Candidate) is related to these bugs:

Bug #1522411: Chromium in Ubuntu still to version 45.0.2454.101 not update to version 46.0.2490.71 as Debian Chromium present version.

Summary				In	Importance	Status
	1522411	Chromium in Ubuntu still to version 45.0.2454.101 not update to version 46.0.2490.71 as Debian Chromium present version.		chromium-browser (Ubuntu)	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://googlechromerel...
CONFIRM: https://code.google.co...
CONFIRM: https://codereview.chr...
BID: 78416
GENTOO: GLSA-201603-09
DEBIAN: DSA-3415
SUSE: openSUSE-SU-2015:2290
SUSE: openSUSE-SU-2015:2291
UBUNTU: USN-2825-1
SECTRACK: 1034298