-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0044
                     Stable Channel Update for Desktop
                              31 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5782 CVE-2019-5781 CVE-2019-5780
                      CVE-2019-5779 CVE-2019-5778 CVE-2019-5777
                      CVE-2019-5776 CVE-2019-5775 CVE-2019-5774
                      CVE-2019-5773 CVE-2019-5772 CVE-2019-5771
                      CVE-2019-5770 CVE-2019-5769 CVE-2019-5768
                      CVE-2019-5767 CVE-2019-5766 CVE-2019-5765
                      CVE-2019-5764 CVE-2019-5763 CVE-2019-5762
                      CVE-2019-5761 CVE-2019-5760 CVE-2019-5759
                      CVE-2019-5758 CVE-2019-5757 CVE-2019-5756
                      CVE-2019-5755 CVE-2019-5754 
Member content until: Saturday, March  2 2019

OVERVIEW

        Mutliple vulnerabilities have been addressed in Google Chrome for
        Windows, Mac and Linux version 72.0.3626.81. [1]


IMPACT

        Google has provided the following summary:
        
        "[$7500][914497] Critical CVE-2019-5754: Inappropriate implementation
        in QUIC Networking. Reported by Klzgrad on 2018-12-12
        
        [$N/A][906043] High CVE-2019-5782:  Inappropriate implementation in
        V8.  Reported by Qixun Zhao of Qihoo 360 Vulcan Team via Tianfu Cup on
        2018-11-16
        
        [$5000][913296] High CVE-2019-5755: Inappropriate implementation in
        V8.  Reported by Jay Bosamiya on 2018-12-10
        
        [$5000][895152] High CVE-2019-5756: Use after free in PDFium. Reported
        by Anonymous on 2018-10-14
        
        [$3000][915469] High CVE-2019-5757: Type Confusion in SVG. Reported by
        Alexandru Pitis, Microsoft Browser Vulnerability Research on
        2018-12-15
        
        [$3000][913970] High CVE-2019-5758: Use after free in Blink. Reported
        by Zhe Jin, Luyao Liu from Chengdu Security Response Center of
        Qihoo 360 Technology Co. Ltd on 2018-12-11
        
        [$3000][912211] High CVE-2019-5759: Use after free in HTML select
        elements.  Reported by Almog Benin on 2018-12-05
        
        [$3000][912074] High CVE-2019-5760: Use after free in WebRTC. Reported
        by Zhe Jin, Luyao Liu from Chengdu Security Response Center of
        Qihoo 360 Technology Co. Ltd on 2018-12-05
        
        [$3000][904714] High CVE-2019-5761: Use after free in SwiftShader.
        Reported by Zhe Jin,Luyao Liu from Chengdu Security Response
        Center of Qihoo 360 Technology Co. Ltd on 2018-11-13
        
        [$3000][900552] High CVE-2019-5762: Use after free in PDFium. Reported
        by Anonymous on 2018-10-31
        
        [$1000][914731] High CVE-2019-5763: Insufficient validation of
        untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360
        on 2018-12-13
        
        [$1000][913246] High CVE-2019-5764: Use after free in WebRTC. Reported
        by Eyal Itkin from Check Point Software Technologies on 2018-12-09
        
        [$N/A][922677] High: Use after free in FileAPI. Reported by Mark Brand
        of Google Project Zero on 2019-01-16
        
        [$TBD][922627] High CVE-2019-5765: Insufficient policy enforcement in
        the browser.  Reported by Sergey Toshin (@bagipro) on 2019-01-16
        
        [$N/A][916080] High: Use after free in Mojo interface. Reported by
        Mark Brand of Google Project Zero on 2018-12-18
        
        [$N/A][912947] High: Use after free in Payments. Reported by Mark
        Brand of Google Project Zero on 2018-12-07
        
        [$N/A][912520] High: Use after free in Mojo interface. Reported by
        Mark Brand of Google Project Zero on 2018-12-06
        
        [$N/A][899689] High: Stack buffer overflow in Skia. Reported by Ivan
        Fratric of Google Project Zero on 2018-10-29
        
        [$4000][907047] Medium CVE-2019-5766: Insufficient policy enforcement
        in Canvas. Reported by David Erceg on 2018-11-20
        
        [$2000][902427] Medium CVE-2019-5767: Incorrect security UI in
        WebAPKs.  Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing
        Liao from Indiana University Bloomington on 2018-11-06
        
        [$2000][805557] Medium CVE-2019-5768: Insufficient policy enforcement
        in DevTools. Reported by Rob Wu on 2018-01-24
        
        [$1000][913975] Medium CVE-2019-5769: Insufficient validation of
        untrusted input in Blink. Reported by Guy Eshel on 2018-12-11
        
        [$1000][908749] Medium CVE-2019-5770: Heap buffer overflow in WebGL.
        Reported by  hemidallt@ on 2018-11-27
        
        [$1000][904265] Medium CVE-2019-5771: Heap buffer overflow in
        SwiftShader.  Reported by Zhe Jin,Luyao Liu from Chengdu
        Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12
        
        [$500][908292] Medium CVE-2019-5772: Use after free in PDFium.
        Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26
        
        [$N/A][917668] Medium CVE-2019-5773: Insufficient data validation in
        IndexedDB.  Reported by Yongke Wang of Tencent's Xuanwu Lab
        (xlab.tencent.com) on 2018-12-24
        
        [$N/A][904182] Medium CVE-2019-5774: Insufficient validation of
        untrusted input in SafeBrowsing. Reported by Junghwan Kang (ultract)
        and Juno Im on 2018-11-11
        
        [$N/A][896722] Medium CVE-2019-5775: Insufficient policy enforcement
        in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
        
        [$N/A][863663] Medium CVE-2019-5776: Insufficient policy enforcement
        in Omnibox. Reported by Lnyas Zhang on 2018-07-14
        
        [$N/A][849421] Medium CVE-2019-5777: Insufficient policy enforcement
        in Omnibox. Reported by Khalil Zhani on 2018-06-04
        
        [$500][918470] Low CVE-2019-5778: Insufficient policy enforcement in
        Extensions. Reported by David Erceg on 2019-01-02
        
        [$500][904219] Low CVE-2019-5779: Insufficient policy enforcement in
        ServiceWorker. Reported by David Erceg on 2018-11-11
        
        [$500][891697] Low CVE-2019-5780: Insufficient policy enforcement.
        Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03
        
        [$N/A][896725] Low CVE-2019-5781: Insufficient policy enforcement in
        Omnibox. Reported by evi1m0 of Bilibili" [1]


MITIGATION

        The vendor advises updating to Chrome 72.0.3626.81 to address these
        issues. [1]


REFERENCES

        [1] Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXFJp/maOgq3Tt24GAQhGXxAAo+OdFw1du9euQHkruINJ0fKsnL1G9pd0
jCTfAs95HxLV4cknEPXdHkFN0wcf3Cuh/ESxK3SIOuhF3+g5V57+iydyn30LZF9P
N82jSC55eauJEj8VaeAz0oktwPT95WylGj8sEDjKb1A4ypCTb6HmsgFUosOq3Hne
gZhmJOgqL28rNy9yV4Fnf4mn5irILENOTYOf5RvwsZJi6bJQ27rcNJEdFDxnvCfi
XI/65dZAutrTv24bpNJts5PBZaRiRO0kwWv727cOP0y0K4rm914I7BqgPuFvAQ45
0MtCJFSUVUL3EplzgBGX66/lkhb2gGQSqgQTs2OTdjNdYfFgXKO014BowbOf9TXw
D+xQNtHose5pD9ptWnu0W3WdDR6Z0oJT3lLCOVT3KY+beOfgmXH5m3cdZROYpIIw
oRTrhGsrh6K+QGYsguZxbHhyT2VDkoBfVrpNjYbAiFqP9bY973TXDkAWBuXu0ZxR
uQz3Z3FKc3EERpAHnqq363xzkKedutDjJeZ+aG2+vwpqywTLs4zOyXkqIeBXcXUL
DejfZPyvq4eRGPosFpc169AiYfNCpTKEtr5Ks/+xN3/qQsoKodIO8F9Sp6HHwgqg
s1Fq4GiUYzvhyjmiez8Eg0fiFy9S3r/B9UlXFujW7Rt34YJbViwFODrbuN1DEUbb
ORxnTmTjZ/Q=
=9xvv
-----END PGP SIGNATURE-----