ESB-2019.1062 - [Debian] chromium: Multiple vulnerabilities 2019-04-01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1062
                         chromium security update
                               1 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5803 CVE-2019-5802 CVE-2019-5800
                   CVE-2019-5799 CVE-2019-5798 CVE-2019-5797
                   CVE-2019-5796 CVE-2019-5795 CVE-2019-5794
                   CVE-2019-5793 CVE-2019-5792 CVE-2019-5791
                   CVE-2019-5790 CVE-2019-5789 CVE-2019-5788
                   CVE-2019-5787  

Reference:         ASB-2019.0079

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2019/msg00065.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4421-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 31, 2019                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790
                 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794
                 CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798
                 CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5787

    Zhe Jin discovered a use-after-free issue.

CVE-2019-5788

    Mark Brand discovered a use-after-free issue in the FileAPI
    implementation.

CVE-2019-5789

    Mark Brand discovered a use-after-free issue in the WebMIDI
    implementation.

CVE-2019-5790

    Dimitri Fourny discovered a buffer overflow issue in the v8 javascript
    library.

CVE-2019-5791

    Choongwoo Han discovered a type confusion issue in the v8 javascript
    library.

CVE-2019-5792

    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5793

    Jun Kokatsu discovered a permissions issue in the Extensions
    implementation.

CVE-2019-5794

    Juno Im of Theori discovered a user interface spoofing issue.

CVE-2019-5795

    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5796

    Mark Brand discovered a race condition in the Extensions implementation.

CVE-2019-5797

    Mark Brand discovered a race condition in the DOMStorage implementation.

CVE-2019-5798

    Tran Tien Hung discovered an out-of-bounds read issue in the skia library.

CVE-2019-5799

    sohalt discovered a way to bypass the Content Security Policy.

CVE-2019-5800

    Jun Kokatsu discovered a way to bypass the Content Security Policy.

CVE-2019-5802

    Ronni Skansing discovered a user interface spoofing issue.

CVE-2019-5803

    Andrew Comminos discovered a way to bypass the Content Security Policy.

For the stable distribution (stretch), these problems have been fixed in
version 73.0.3683.75-1~deb9u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXKFTGGaOgq3Tt24GAQjuYw//UiZVM2InS6KV1R7gH6M9ZsdBno2w0UMA
KjieeZbcL8nZV6MQHm4yvNrWeAH8XkIo2sL39Ul4ojX2uglh9wukx6ja9HiRjR/f
BpiRO5RFVD8YmDaDoYzT7feuHdaGq3gShOtia54QgA3od+e//L7Lhbt8PDiriLI3
oihsZH0otLMv2p3C4eL7dxwiwPks0X+NSI6ORXo4GIEtgPuy1G6JsVyhRK6L9rHB
LSh0OvcCFghPBjNwcUrj3XkKhaLCJxWtF1L9A+PnQDGVo4r/8kHgSElqqitW3aOO
JtCEIryhVsmvwueWkdevNxbf5xK8QkGpxps5bMj9AoKt39AtdXMxVagYEhFN65rQ
mae9ZPx04hYXtBIe/UFTPH0FCH/R5JF9nNdvx6Gnsu3txib7msxhuwsvj1CiXT02
1wLip3kvSrk8r9kJ/JwlrnocXITI8QnJEyh/eBAPY1WcdYhWWtrMyFvaHXoyET0k
5lFX65P94qaYFZeXmBHY6qhHH372tEw2x87dM/n0zM0epzw4w7S/POS46eOvufI2
HzivxSGDb7DeX/fA8RlrWcqQ4DIsab5ZEpfa9BlAEUf8OAyEihzjYPziacJkU0AH
J4Ze/NA8AuhgxDFtUOXRoufl56Z1AKuPdqWlLMi/6NcB0GCeG4thOvuB0+aGFkzn
+6+C78m6C3Y=
=WBM9
-----END PGP SIGNATURE-----
