CVE-2015-1296 Information
Description
The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK characters in the omnibox which makes it easier for remote attackers to spoof the SSL lock icon by placing one of these characters at the end of a URL as demonstrated by the omnibox in localizations for right-to-left languages.
Reference
http://googlechromereleases.blogspot.com/2015/09/stable-channel-update.html http://lists.opensuse.org/opensuse-updates/2015-09/msg00029.html http://lists.opensuse.org/opensuse-updates/2015-11/msg00013.html http://rhn.redhat.com/errata/RHSA-2015-1712.html http://www.debian.org/security/2015/dsa-3351 http://www.securitytracker.com/id/1033472 https://code.google.com/p/chromium/issues/detail?id=421332 https://codereview.chromium.org/1180393003/ https://codereview.chromium.org/1189553002/ https://security.gentoo.org/glsa/201603-09
Share on: