
                         AUSCERT Security Bulletin

             Google Chrome: Stable Channel Update for Desktop
                               31 July 2019


        AusCERT Security Bulletin Summary

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5865 CVE-2019-5864 CVE-2019-5863
                      CVE-2019-5862 CVE-2019-5861 CVE-2019-5860
                      CVE-2019-5859 CVE-2019-5858 CVE-2019-5857
                      CVE-2019-5856 CVE-2019-5855 CVE-2019-5854
                      CVE-2019-5853 CVE-2019-5852 CVE-2019-5851
Member content until: Friday, August 30 2019


        Multiple security vulnerabilities have been addressed in Google
        Chrome version 76.0.3809.87. [1]


        The vendor has provided the following information:
        "This update includes 43 security fixes. Below, we highlight fixes
        that were contributed by external researchers. Please see the Chrome
        Security Page for more information.
        [$10000][977462] High CVE-2019-5850: Use-after-free in offline page
        fetcher. Reported by Brendon Tiszka on 2019-06-21
        [$6000][956947] High CVE-2019-5860: Use-after-free in PDFium. Reported by
        Anonymous on 2019-04-26
        [$3000][976627] High CVE-2019-5853: Memory corruption in regexp
        length check. Reported by yngwei(@yngweijw) of IIE Varas and
        sakura(@eternalsakura13) of Tencent Xuanwu Lab on 2019-06-19
        [$3000][977107] High CVE-2019-5851: Use-after-poison in offline audio
        context. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response
        Center of Qihoo 360 Technology Co. Ltd on 2019-06-20
        [$TBD][959438] High CVE-2019-5859: res: URIs can load alternative
        browsers. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2019-05-03
        [$5000][964245] Medium CVE-2019-5856: Insufficient checks on filesystem:
        URI permissions. Reported by Yongke Wang of Tencent's Xuanwu Lab
        (xlab.tencent.com) on 2019-05-17
        [$N/A][943494] Medium CVE-2019-5863: Use-after-free in WebUSB on
        Windows. Reported by Yuxiang Li (@Xbalien29) of Tencent Security Platform
        Department on 2019-03-19
        [$N/A][964872] Medium CVE-2019-5855: Integer overflow in PDFium. Reported
        by Zhen Zhou of NSFOCUS Security Team on 2019-05-20
        [$TBD][973103] Medium CVE-2019-5865: Site isolation bypass from compromised
        renderer. Reported by Ivan Fratric of Google Project Zero on 2019-06-11
        [$500][960209] Low CVE-2019-5858: Insufficient filtering of Open URL service
        parameters. Reported by evi1m0 of Bilibili Security Team on 2019-05-07
        [$500][936900] Low CVE-2019-5864: Insufficient port filtering in CORS for
        extensions. Reported by Devin Grindle on 2019-02-28
        [$TBD][946260] Low CVE-2019-5862: AppCache not robust to compromised
        renderers. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research
        on 2019-03-26
        [$TBD][951525] Low CVE-2019-5861: Click location incorrectly
        checked. Reported by Robin Linus (robinlinus.com) on 2019-04-10
        [$N/A][961237] Low CVE-2019-5857: Comparison of -0 and null yields
        crash. Reported by cloudfuzzer on 2019-05-09
        [$N/A][966263] Low CVE-2019-5854: Integer overflow in PDFium text
        rendering. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-23
        [$TBD][976713] Low CVE-2019-5852: Object leak of utility functions. Reported
        by David Erceg on 2019-06-19" [1]


        It is recommended that users update to version 76.0.3809.87 as soon as possible.


        [1] Chrome Releases: Stable Channel Update for Desktop

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.