ESB-2018.1249 - [RedHat] chromium-browser: Multiple vulnerabilities 2018-04-24

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1249
                Critical: chromium-browser security update
                               24 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux WS/Desktop 6
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6117 CVE-2018-6116 CVE-2018-6114
                   CVE-2018-6113 CVE-2018-6112 CVE-2018-6111
                   CVE-2018-6110 CVE-2018-6109 CVE-2018-6108
                   CVE-2018-6107 CVE-2018-6106 CVE-2018-6105
                   CVE-2018-6104 CVE-2018-6103 CVE-2018-6102
                   CVE-2018-6101 CVE-2018-6100 CVE-2018-6099
                   CVE-2018-6098 CVE-2018-6097 CVE-2018-6096
                   CVE-2018-6095 CVE-2018-6094 CVE-2018-6093
                   CVE-2018-6092 CVE-2018-6091 CVE-2018-6090
                   CVE-2018-6089 CVE-2018-6088 CVE-2018-6087
                   CVE-2018-6086 CVE-2018-6085 

Reference:         ASB-2018.0097

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:1195

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: chromium-browser security update
Advisory ID:       RHSA-2018:1195-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1195
Issue date:        2018-04-23
CVE Names:         CVE-2018-6085 CVE-2018-6086 CVE-2018-6087 
                   CVE-2018-6088 CVE-2018-6089 CVE-2018-6090 
                   CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 
                   CVE-2018-6094 CVE-2018-6095 CVE-2018-6096 
                   CVE-2018-6097 CVE-2018-6098 CVE-2018-6099 
                   CVE-2018-6100 CVE-2018-6101 CVE-2018-6102 
                   CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 
                   CVE-2018-6106 CVE-2018-6107 CVE-2018-6108 
                   CVE-2018-6109 CVE-2018-6110 CVE-2018-6111 
                   CVE-2018-6112 CVE-2018-6113 CVE-2018-6114 
                   CVE-2018-6116 CVE-2018-6117 
=====================================================================

1. Summary:

An update for chromium-browser is now available for Red Hat Enterprise
Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

Chromium is an open-source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 66.0.3359.117.

Security Fix(es):

* chromium-browser: Use after free in Disk Cache (CVE-2018-6085)

* chromium-browser: Use after free in Disk Cache (CVE-2018-6086)

* chromium-browser: Use after free in WebAssembly (CVE-2018-6087)

* chromium-browser: Use after free in PDFium (CVE-2018-6088)

* chromium-browser: Same origin policy bypass in Service Worker
(CVE-2018-6089)

* chromium-browser: Heap buffer overflow in Skia (CVE-2018-6090)

* chromium-browser: Incorrect handling of plug-ins by Service Worker
(CVE-2018-6091)

* chromium-browser: Integer overflow in WebAssembly (CVE-2018-6092)

* chromium-browser: Same origin bypass in Service Worker (CVE-2018-6093)

* chromium-browser: Exploit hardening regression in Oilpan (CVE-2018-6094)

* chromium-browser: Lack of meaningful user interaction requirement before
file upload (CVE-2018-6095)

* chromium-browser: Fullscreen UI spoof (CVE-2018-6096)

* chromium-browser: Fullscreen UI spoof (CVE-2018-6097)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6098)

* chromium-browser: CORS bypass in ServiceWorker (CVE-2018-6099)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6100)

* chromium-browser: Insufficient protection of remote debugging prototol in
DevTools (CVE-2018-6101)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6102)

* chromium-browser: UI spoof in Permissions (CVE-2018-6103)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6104)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6105)

* chromium-browser: Incorrect handling of promises in V8 (CVE-2018-6106)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6107)

* chromium-browser: URL spoof in Omnibox (CVE-2018-6108)

* chromium-browser: Incorrect handling of files by FileAPI (CVE-2018-6109)

* chromium-browser: Incorrect handling of plaintext files via file://
(CVE-2018-6110)

* chromium-browser: Heap-use-after-free in DevTools (CVE-2018-6111)

* chromium-browser: Incorrect URL handling in DevTools (CVE-2018-6112)

* chromium-browser: URL spoof in Navigation (CVE-2018-6113)

* chromium-browser: CSP bypass (CVE-2018-6114)

* chromium-browser: Incorrect low memory handling in WebAssembly
(CVE-2018-6116)

* chromium-browser: Confusing autofill settings (CVE-2018-6117)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Chromium must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1568761 - CVE-2018-6085 chromium-browser: Use after free in Disk Cache
1568762 - CVE-2018-6086 chromium-browser: Use after free in Disk Cache
1568763 - CVE-2018-6087 chromium-browser: Use after free in WebAssembly
1568764 - CVE-2018-6088 chromium-browser: Use after free in PDFium
1568765 - CVE-2018-6089 chromium-browser: Same origin policy bypass in Service Worker
1568766 - CVE-2018-6090 chromium-browser: Heap buffer overflow in Skia
1568767 - CVE-2018-6091 chromium-browser: Incorrect handling of plug-ins by Service Worker
1568769 - CVE-2018-6092 chromium-browser: Integer overflow in WebAssembly
1568770 - CVE-2018-6093 chromium-browser: Same origin bypass in Service Worker
1568771 - CVE-2018-6094 chromium-browser: Exploit hardening regression in Oilpan
1568773 - CVE-2018-6095 chromium-browser: Lack of meaningful user interaction requirement before file upload
1568774 - CVE-2018-6096 chromium-browser: Fullscreen UI spoof
1568775 - CVE-2018-6097 chromium-browser: Fullscreen UI spoof
1568776 - CVE-2018-6098 chromium-browser: URL spoof in Omnibox
1568777 - CVE-2018-6099 chromium-browser: CORS bypass in ServiceWorker
1568778 - CVE-2018-6100 chromium-browser: URL spoof in Omnibox
1568779 - CVE-2018-6101 chromium-browser: Insufficient protection of remote debugging prototol in DevTools
1568780 - CVE-2018-6102 chromium-browser: URL spoof in Omnibox
1568781 - CVE-2018-6103 chromium-browser: UI spoof in Permissions
1568782 - CVE-2018-6104 chromium-browser: URL spoof in Omnibox
1568785 - CVE-2018-6105 chromium-browser: URL spoof in Omnibox
1568786 - CVE-2018-6106 chromium-browser: Incorrect handling of promises in V8
1568787 - CVE-2018-6107 chromium-browser: URL spoof in Omnibox
1568788 - CVE-2018-6108 chromium-browser: URL spoof in Omnibox
1568789 - CVE-2018-6109 chromium-browser: Incorrect handling of files by FileAPI
1568790 - CVE-2018-6110 chromium-browser: Incorrect handling of plaintext files via file://
1568791 - CVE-2018-6111 chromium-browser: Heap-use-after-free in DevTools
1568792 - CVE-2018-6112 chromium-browser: Incorrect URL handling in DevTools
1568793 - CVE-2018-6113 chromium-browser: URL spoof in Navigation
1568794 - CVE-2018-6114 chromium-browser: CSP bypass
1568796 - CVE-2018-6116 chromium-browser: Incorrect low memory handling in WebAssembly
1568797 - CVE-2018-6117 chromium-browser: Confusing autofill settings

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
chromium-browser-66.0.3359.117-1.el6_9.i686.rpm
chromium-browser-debuginfo-66.0.3359.117-1.el6_9.i686.rpm

x86_64:
chromium-browser-66.0.3359.117-1.el6_9.x86_64.rpm
chromium-browser-debuginfo-66.0.3359.117-1.el6_9.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
chromium-browser-66.0.3359.117-1.el6_9.i686.rpm
chromium-browser-debuginfo-66.0.3359.117-1.el6_9.i686.rpm

x86_64:
chromium-browser-66.0.3359.117-1.el6_9.x86_64.rpm
chromium-browser-debuginfo-66.0.3359.117-1.el6_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
chromium-browser-66.0.3359.117-1.el6_9.i686.rpm
chromium-browser-debuginfo-66.0.3359.117-1.el6_9.i686.rpm

x86_64:
chromium-browser-66.0.3359.117-1.el6_9.x86_64.rpm
chromium-browser-debuginfo-66.0.3359.117-1.el6_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-6085
https://access.redhat.com/security/cve/CVE-2018-6086
https://access.redhat.com/security/cve/CVE-2018-6087
https://access.redhat.com/security/cve/CVE-2018-6088
https://access.redhat.com/security/cve/CVE-2018-6089
https://access.redhat.com/security/cve/CVE-2018-6090
https://access.redhat.com/security/cve/CVE-2018-6091
https://access.redhat.com/security/cve/CVE-2018-6092
https://access.redhat.com/security/cve/CVE-2018-6093
https://access.redhat.com/security/cve/CVE-2018-6094
https://access.redhat.com/security/cve/CVE-2018-6095
https://access.redhat.com/security/cve/CVE-2018-6096
https://access.redhat.com/security/cve/CVE-2018-6097
https://access.redhat.com/security/cve/CVE-2018-6098
https://access.redhat.com/security/cve/CVE-2018-6099
https://access.redhat.com/security/cve/CVE-2018-6100
https://access.redhat.com/security/cve/CVE-2018-6101
https://access.redhat.com/security/cve/CVE-2018-6102
https://access.redhat.com/security/cve/CVE-2018-6103
https://access.redhat.com/security/cve/CVE-2018-6104
https://access.redhat.com/security/cve/CVE-2018-6105
https://access.redhat.com/security/cve/CVE-2018-6106
https://access.redhat.com/security/cve/CVE-2018-6107
https://access.redhat.com/security/cve/CVE-2018-6108
https://access.redhat.com/security/cve/CVE-2018-6109
https://access.redhat.com/security/cve/CVE-2018-6110
https://access.redhat.com/security/cve/CVE-2018-6111
https://access.redhat.com/security/cve/CVE-2018-6112
https://access.redhat.com/security/cve/CVE-2018-6113
https://access.redhat.com/security/cve/CVE-2018-6114
https://access.redhat.com/security/cve/CVE-2018-6116
https://access.redhat.com/security/cve/CVE-2018-6117
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFa3dN7XlSAg2UNWIIRAlCtAKCfQoSc5LEPayGynQcV5EwhCUe3LgCgkq8L
bMyQCU2yLyKV7tsUoXZMUJ8=
=YU01
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWt6zjox+lLeg9Ub1AQj5eQ/8DWnZ5pAQgkV0gxIAiuZNqX4bwP5MbkWh
11+HhWWzccoisjVqEORCxb0PngQJMN5vFZA9GwdR5dd7xHW3j77kcHJISQx2QKO+
iya1KhpRPjyUHGj84koYqQDs3tr1j/gTkvpfS8kF64t79ar0rdnDfITZYn56BDfh
5uiqE7ilSfAPTsN6SVXgck58Hs1Sb7DgpvIx+mJXst/A+/lhQ0wp+Bg6nid1zb0E
99Ok25DdcGWuii1RVJL6XAgylW9bUg0/k0g+/muFs6D9ig8Bclbbtbo75dMQKMqk
ClKzr5IZ+wCkvMYTujXxExpDGhhqXVR4BA23tfap8dNR5Zz26Qq4bnfxzLMSarbz
iSpxHm0TBF/vwvSYR0l0a6R7RBuTYgKIauCqqlDx4+1zLvFVGVu3+yPrGaCgZYRA
7AfFLK6GbqP3Y48skRYrpxmfyf7BaMPe9isy8Z1wP7OnwPdl9/FMe0/antFO9QM6
0kPdlux4GJyAkfaV5+iLTaK2VVfk4rDydpswF+9lf+8IubkZoX9dP8sv8C5kpteu
5bilG2tlQ5tg65pcimrLGoRY5i22cp86fbvyf0RtNeZgQMoMTnux20Wfk2luMPus
equpyyWnyxaku2Gf8xtrPyd6xQK4YYOTr2+axHIrw472epffFcZ9OIUu6TO1FcSj
qoErTYKKCRo=
=lWA4
-----END PGP SIGNATURE-----

« Back to bulletins