                         AUSCERT Security Bulletin

                    Google Chrome 73.0.3683.75 released
                               15 March 2019


        AusCERT Security Bulletin Summary

Product:              Google Chrome
Operating System:     Windows
                      Linux variants
                      Mac OS
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5804 CVE-2019-5803 CVE-2019-5802
                      CVE-2019-5801 CVE-2019-5800 CVE-2019-5799
                      CVE-2019-5798 CVE-2019-5797 CVE-2019-5796
                      CVE-2019-5795 CVE-2019-5794 CVE-2019-5793
                      CVE-2019-5792 CVE-2019-5791 CVE-2019-5790
                      CVE-2019-5789 CVE-2019-5788 CVE-2019-5787
Member content until: Sunday, April 14 2019


        Multiple security vulnerabilities have been addressed in
        Google Chrome 73.0.3683.75. [1]


        The vendor has provided the following information:
        "This update includes 60 security fixes. Below, we highlight fixes that were
        contributed by external researchers. Please see the Chrome Security Page for
        more information.
        [$TBD][913964] High CVE-2019-5787: Use after free in Canvas. Reported by Zhe
        Jin, Luyao Liu from Chengdu Security Response Center of Qihoo
        360 Technology Co. Ltd on 2018-12-11
        [$N/A][925864] High CVE-2019-5788: Use after free in FileAPI. Reported by Mark
        Brand of Google Project Zero on 2019-01-28
        [$N/A][921581] High CVE-2019-5789: Use after free in WebMIDI. Reported by Mark
        Brand of Google Project Zero on 2019-01-14
        [$7500][914736] High CVE-2019-5790: Heap buffer overflow in V8. Reported by
        Dimitri Fourny (Blue Frost Security) on 2018-12-13
        [$1000][926651] High CVE-2019-5791: Type confusion in V8. Reported by Choongwoo
        Han of Naver Corporation on 2019-01-30
        [$500][914983] High CVE-2019-5792: Integer overflow in PDFium. Reported by
        pdknsk on 2018-12-13
        [$TBD][937487] Medium CVE-2019-5793: Excessive permissions for private API in
        Extensions. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research
        on 2019-03-01
        [$TBD][935175] Medium CVE-2019-5794: Security UI spoofing. Reported by Juno Im
        of Theori on 2019-02-24
        [$N/A][919643] Medium CVE-2019-5795: Integer overflow in PDFium. Reported by
        pdknsk on 2019-01-07
        [$N/A][918861] Medium CVE-2019-5796: Race condition in Extensions. Reported by
        Mark Brand of Google Project Zero on 2019-01-03
        [$N/A][916523] Medium CVE-2019-5797: Race condition in DOMStorage. Reported by
        Mark Brand of Google Project Zero on 2018-12-19
        [$N/A][883596] Medium CVE-2019-5798: Out of bounds read in Skia. Reported by
        Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-13
        [$1000][905301] Medium CVE-2019-5799: CSP bypass with blob URL. Reported by
        sohalt on 2018-11-14
        [$1000][894228] Medium CVE-2019-5800: CSP bypass with blob URL. Reported by Jun
        Kokatsu (@shhnjk) on 2018-10-10
        [$500][921390] Medium CVE-2019-5801: Incorrect Omnibox display on iOS. Reported
        by Khalil Zhani on 2019-01-13
        [$500][632514] Medium CVE-2019-5802: Security UI spoofing. Reported by Ronni
        Skansing on 2016-07-28
        [$1000][909865] Low CVE-2019-5803: CSP bypass with Javascript URLs. Reported
        by Andrew Comminos of Facebook on 2018-11-28
        [$500][933004] Low CVE-2019-5804: Command line command injection on Windows.
        Reported by Joshua Graham of TSS on 2019-02-17" [1]


        Google advises updating to Google Chrome 73.0.3683.75 or later
        to address these vulnerabilities. [1]
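        The check that follows is an added example, not part of the AusCERT
        bulletin or of Google's release notes. It compares installed Chrome
        version strings against the fixed build 73.0.3683.75 named above so
        that a fleet inventory can be triaged. The hostnames and version
        strings in the sample inventory are constructed; the "Google Chrome
        73.0.3683.75" banner format is assumed to match what the browser
        prints for --version, and the fixed version is the only value taken
        from the bulletin.

```python
"""Check Chrome version strings against the fixed build named in the bulletin.

Added example, not part of the AusCERT bulletin or Google's release notes.
The inventory below is constructed sample data; the only real value is the
fixed version 73.0.3683.75 quoted from the bulletin.
"""
import re

# Fixed build named in the bulletin: anything below it still carries the
# listed CVEs.
FIXED_VERSION = "73.0.3683.75"

# First dotted run of up to four numeric components in a string.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,3})")


def parse_version(text):
    """Return the first dotted version in `text` as a 4-tuple of ints.

    Accepts a bare "73.0.3683.75" or banner output such as
    "Google Chrome 73.0.3683.75" (assumed --version format). Missing trailing
    components are padded with zeros so "73.0" compares as (73, 0, 0, 0).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(installed, fixed=FIXED_VERSION):
    """True if `installed` is the fixed build or newer.

    Tuples of ints are compared component-wise; a plain string comparison
    would wrongly rank "73.0.3683.100" below "73.0.3683.75".
    """
    return parse_version(installed) >= parse_version(fixed)


def hosts_needing_upgrade(inventory, fixed=FIXED_VERSION):
    """Return the hostnames in `inventory` (host -> version string) that are
    still below the fixed build. Entries with no parseable version are
    reported as well, because an unknown version cannot be assumed safe.
    """
    needs = []
    for host, version in sorted(inventory.items()):
        try:
            if not is_patched(version, fixed):
                needs.append(host)
        except ValueError:
            needs.append(host)
    return needs


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 72.0.3626.121",  # earlier stable release, vulnerable
    "ws-02": "Google Chrome 73.0.3683.75",   # exactly the fixed build
    "ws-03": "73.0.3683.103",                # later 73.x point release
    "ws-04": "Google Chrome 73.0.3683.7",    # 73.x build below the fix
    "ws-05": "version unknown",              # inventory gap, treated as unpatched
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print("%s: upgrade to Google Chrome %s or later" % (host, FIXED_VERSION))
```

        Versions are compared as tuples of integers rather than as strings,
        since the last component of Chrome builds can grow past two digits
        and a lexical comparison would then misclassify a patched build.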


        [1] Stable Channel Update for Desktop 73.0.3683.75

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967